Security Modes

Discover details around WPA3 and Enhanced Open security modes, details of the ciphers, key management, and features behind them, and best practices for implementation.

In an increasingly interconnected world, secure and reliable Wi-Fi communication is a must-have. From home offices to industrial environments to enterprise networks, Wi-Fi has become a crucial part of mobile connectivity. As the reliance on Wi-Fi networks has grown, so has the security needed to protect sensitive data and ensure its privacy.

Enhanced Open and Wi-Fi Protected Access version 3 (WPA3) are the current advancements in Wi-Fi security standards from the Wi-Fi Alliance (WFA), designed to address weaknesses of their predecessors, WPA2 and Open networks. The security mode sections provide insights into Enhanced Open and WPA3 networks in HPE Aruba Networking deployments, exploring key components, practical implications, and best practices. Deployment considerations and compatibility aspects are also discussed.

Authentication and Key Management (AKM)

The security solutions used in Wi-Fi networks are defined by the IEEE 802.11 standards and Wi-Fi Alliance. Each security protocol has a specific authentication and key management (AKM) suite type (number).

The standard defines AKM suite selectors with a format of OUI:N where N represents the suite type. The standards based AKMs are denoted by an OUI of 00-0F-AC. For example, the suite selector for WPA3-Personal (wpa3-sae-aes) is 00-0F-AC:8. The corresponding pages refer to 00-0F-AC:N as AKM:N.

The Wi-Fi Alliance (WFA) defines security certifications by AKM, cipher suite, and Protected Management Frame (PMF) combinations. The following table lists the authentication types defined in the standard and the corresponding Wi-Fi Alliance certification program label for each:

| WFA Mode | IEEE AKM | Description |
| --- | --- | --- |
| WPA2-Enterprise | AKM:1 | IEEE 802.1X with SHA-1 |
| WPA2-Personal | AKM:2 | Pre-Shared Key (PSK) |
| WPA3-Enterprise | AKM:5 | IEEE 802.1X with SHA-256 |
| WPA3-Personal | AKM:8 | Simultaneous Authentication of Equals (SAE) |
| WPA3-Enterprise 192-bit | AKM:12 | IEEE 802.1X with SHA-384 using CNSA Suite compliant ciphers and EAP method |
| Enhanced Open | AKM:18 | Opportunistic Wireless Encryption (OWE) |
| WPA3-Personal | AKM:24 | Simultaneous Authentication of Equals (SAE) with a variable hash algorithm depending on Diffie-Hellman (DH) group (SHA-256, SHA-384, or SHA-512) |

Wi-Fi Alliance Programs

This section details the specifications defined by the Wi-Fi Alliance security certifications. A following section will map them to the security modes implemented by HPE Aruba Networking in AOS.

Enhanced Open

The Wi-Fi Alliance Enhanced Open specification defines the following:

  • Enhanced Open based on Opportunistic Wireless Encryption (OWE) defined in RFC 8110 (AKM:18)

WPA3

The Wi-Fi Alliance WPA3 specification defines the following:

  • WPA3-Personal (AKM:8, Wi-Fi 7 uses AKM:24)
  • WPA3-Personal Transition (AKM:2 + AKM:8)
  • WPA3-Enterprise Only (AKM:5)
  • WPA3-Enterprise Transition Mode (AKM:1 + AKM:5)
  • WPA3-Enterprise 192-bit mode (AKM:12)

Corresponding AOS Security Modes

| Wi-Fi Alliance Mode | AOS Key Management | AOS Security Mode (opmode) |
| --- | --- | --- |
| Enhanced Open | Enhanced Open | enhanced-open |
| WPA3-Personal | WPA3-Personal | wpa3-sae-aes |
| WPA3-Enterprise | WPA3-Enterprise (CCM 128) | wpa3-aes-ccm-128 |
| Not defined by WFA | WPA3-Enterprise (GCM 256) | wpa3-aes-gcm-256 |
| WPA3-Enterprise 192-bit | WPA3-Enterprise (CNSA) | wpa3-cnsa |

6 GHz Operation

Wi-Fi 6E is Wi-Fi 6 ‘extended’ to include the 6 GHz band. Extending operation into the 6 GHz band was an opportunity to leave behind some of the legacy requirements which exist for operation in the 2.4 GHz and 5 GHz bands.

The Wi-Fi Alliance (WFA) made the decision to require WPA3 or Enhanced Open as the minimum security modes allowed in the 6 GHz band.

The following legacy security modes are not allowed in 6 GHz operation:

  • WPA2-Enterprise or the corresponding transition mode*
  • WPA2-Personal or the corresponding transition mode*
  • Open, WPA version 1, TKIP, or WEP

Terminology

The following terminology is used throughout the various security mode sections. For additional information, refer to sources mentioned below.

  • AKM – Authentication and Key Management
  • BSS – Basic Service Set
  • CNSA – Commercial National Security Algorithm
  • DH – Diffie-Hellman
  • Enhanced Open – Wi-Fi Alliance certification based on OWE protocol
  • FT – Fast (BSS) Transition for improving handoff between APs
  • IEEE – Institute of Electrical and Electronics Engineers
  • OWE – Opportunistic Wireless Encryption
  • MFP – Management Frame Protection (see PMF)
  • MFPC – Management Frame Protection Capable
  • MFPR – Management Frame Protection Required
  • PMF – Protected Management Frame (see MFP)
  • PMK – Pairwise Master Key
  • RSNE – Robust Security Network Element
  • SAE – Simultaneous Authentication of Equals protocol used by WPA3-Personal
  • WFA – Wi-Fi Alliance
  • Wi-Fi 6 – Based on IEEE 802.11ax (HE)
  • Wi-Fi 6E – Wi-Fi 6 extended to include the 6 GHz band
  • Wi-Fi 7 – Based on IEEE 802.11be (EHT)
  • WPA2 – Wi-Fi Protected Access version 2
  • WPA3 – Wi-Fi Protected Access version 3

Sources and References

  • IEEE 802.11-2016
  • IEEE 802.11-2020
  • RFC 5759 – Suite B Certificate and Certificate Revocation List (CRL) Profile
  • RFC 6460 – Suite B Profile for Transport Layer Security (TLS)
  • RFC 6379 – Suite B Cryptographic Suites for IPsec
  • RFC 7268 – RADIUS Attributes for IEEE 802 Networks
  • RFC 8110 – Opportunistic Wireless Encryption
  • WPA3 Specification version 3.0
  • WPA3 Specification version 3.1
  • WPA3 Specification version 3.2

Decoder Ring

| Security Mode (opmode) | AKM | Hash Algorithm | FT AKM | Cipher Suite | Group Management | PMF |
| --- | --- | --- | --- | --- | --- | --- |
| WPA3 Personal(1), Transition Mode Enabled (wpa3-sae-aes) | 2.4 / 5 GHz: AKM:2, AKM:8; 6 GHz: AKM:8 | 2.4 / 5 GHz: SHA-1, SHA-256; 6 GHz: SHA-256 | 2.4 / 5 GHz: AKM:4, AKM:9; 6 GHz: AKM:9 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=0 MFPC=1; 6 GHz: MFPR=1 MFPC=1 |
| WPA3 Personal(1), Transition Mode Disabled (wpa3-sae-aes) | 2.4 / 5 / 6 GHz: AKM:8 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:9 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 / 6 GHz: MFPR=1 MFPC=1 |
| WPA2 Enterprise(2) (wpa2-aes) | 2.4 / 5 GHz: AKM:1 | 2.4 / 5 GHz: SHA-1 | 2.4 / 5 GHz: AKM:3 | CCM-128 | N/A | 2.4 / 5 GHz: MFPR=0 MFPC=0 |
| WPA3 Enterprise(3) (wpa2-aes + MFP-R) | 2.4 / 5 GHz: AKM:5 | 2.4 / 5 GHz: SHA-256 | 2.4 / 5 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=1 MFPC=1 |
| WPA3 Enterprise CCM 128, Transition Mode Enabled(4) (wpa3-aes-ccm-128) | 2.4 / 5 GHz: AKM:1, AKM:5(5); 6 GHz: AKM:5 | 2.4 / 5 GHz: SHA-1, SHA-256(5); 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=0 MFPC=1; 6 GHz: MFPR=1 MFPC=1 |
| WPA3 Enterprise CCM 128, Transition Mode Disabled(4) (wpa3-aes-ccm-128) | 2.4 / 5 / 6 GHz: AKM:5 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 / 6 GHz: MFPR=1 MFPC=1 |
| WPA3 Enterprise GCM 256 (wpa3-aes-gcm-256) | 2.4 / 5 / 6 GHz: AKM:5 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | GCMP-256 | BIP-GMAC-256 | 2.4 / 5 / 6 GHz: MFPR=1 MFPC=1 |
| WPA3-Enterprise CNSA (192-bit) (wpa3-cnsa) | 2.4 / 5 / 6 GHz: AKM:12 | 2.4 / 5 / 6 GHz: SHA-384 | None(6) | GCMP-256 | BIP-GMAC-256 | 2.4 / 5 / 6 GHz: MFPR=1 MFPC=1 |
  1. wpa3-sae-aes with AKM:24 is not yet supported in AOS.
  2. wpa2-aes is not typically deployed with PMF due to lack of support by WPA2 clients.
  3. wpa2-aes with PMF configuration set as required removes AKM:1 (802.1X with SHA-1) and adds AKM:5 (802.1X with SHA-256) which is effectively WPA3 only. Please review caveats on the WPA3-Enterprise page.
  4. Transition mode for WPA3-Enterprise CCM 128 is supported starting in AOS 8.11 and 10.5. Transition mode has no effect on operation in AOS 8.10 and 10.4.
  5. WPA3-Enterprise CCM 128 with transition mode enabled adds AKM:5 (802.1X with SHA-256) in the 2.4 GHz and 5 GHz bands starting in AOS 8.11 and 10.5. When transition mode is disabled, AKM:1 (802.1X with SHA-1) is not advertised.
  6. There is no compatible FT AKM for CNSA.
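The decoder ring above reads directly out of the RSNE that an AP advertises in its beacons and probe responses: the AKM suite selectors (OUI:N, with the 00-0F-AC OUI from the AKM section), the pairwise and group cipher suites, the group management cipher, and the MFPC/MFPR bits of the RSN Capabilities field. The following Python is an added example, not code from this page or from HPE Aruba Networking, that parses such an element, labels the suites with the names used in the tables on this page, and applies the 6 GHz rule (WPA3 or Enhanced Open AKMs only, PMF required). The `build_rsne` helper and the three sample elements are constructed for the example, and the `AKMS_ALLOWED_6GHZ` set is an assumption derived from the AKM table and the 6 GHz section; the RSNE field layout and the bit positions follow IEEE 802.11.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUI_IEEE = b"\x00\x0f\xac"  # 00-0F-AC: the OUI of the standards-based suite selectors

# AKM suite types (00-0F-AC:N); labels follow the tables on this page.
AKM_NAMES = {
    1: "IEEE 802.1X (SHA-1)", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
    5: "IEEE 802.1X (SHA-256)", 6: "PSK (SHA-256)", 8: "SAE", 9: "FT-SAE",
    12: "IEEE 802.1X Suite B 192-bit (SHA-384)", 18: "OWE", 24: "SAE (variable hash)",
}
# Cipher suite types (00-0F-AC:N) from IEEE 802.11.
CIPHER_NAMES = {
    1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
    8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
    12: "BIP-GMAC-256", 13: "BIP-CMAC-256",
}
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7  # RSN Capabilities: bit 6 = MFPR, bit 7 = MFPC
# Assumption derived from this page: WPA3-Personal (8, 9, 24), WPA3-Enterprise
# (5, 12) and Enhanced Open (18) are the AKMs permitted in 6 GHz.
AKMS_ALLOWED_6GHZ = {5, 8, 9, 12, 18, 24}


@dataclass
class Rsne:
    group_cipher: str
    pairwise_ciphers: List[str]
    akms: List[int]                  # suite type numbers, e.g. [2, 8]
    mfpc: bool
    mfpr: bool
    group_mgmt_cipher: Optional[str] = None

    def akm_labels(self) -> List[str]:
        return [f"AKM:{a} ({AKM_NAMES.get(a, 'unknown')})" for a in self.akms]


def _suite(raw: bytes, names: dict) -> str:
    """Render a 4-byte suite selector as 'OUI:N (label)'."""
    oui, n = raw[:3], raw[3]
    label = names.get(n, "unknown") if oui == OUI_IEEE else "vendor-specific"
    return f"{oui.hex('-').upper()}:{n} ({label})"


def parse_rsne(element: bytes) -> Rsne:
    """Parse a complete RSNE (element ID 48, length, body); raise ValueError if malformed."""
    if len(element) < 2 or element[0] != 48:
        raise ValueError("not an RSNE (element ID 48)")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("truncated RSNE")
    pos = 0

    def take(n: int) -> bytes:          # bounds-checked read of n bytes
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSNE field runs past the element length")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list() -> List[bytes]:    # 2-byte count followed by 4-byte selectors
        count, = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    version, = struct.unpack("<H", take(2))
    if version != 1:
        raise ValueError(f"unsupported RSNE version {version}")
    group = _suite(take(4), CIPHER_NAMES)
    pairwise = [_suite(s, CIPHER_NAMES) for s in suite_list()]
    akms = [s[3] for s in suite_list() if s[:3] == OUI_IEEE]  # vendor AKMs ignored here
    caps, = struct.unpack("<H", take(2))
    group_mgmt = None
    if pos < len(body):                 # optional PMKID list, then group management cipher
        pmkid_count, = struct.unpack("<H", take(2))
        take(16 * pmkid_count)
        if pos < len(body):
            group_mgmt = _suite(take(4), CIPHER_NAMES)
    return Rsne(group, pairwise, akms, bool(caps & MFPC_BIT), bool(caps & MFPR_BIT), group_mgmt)


def allowed_in_6ghz(r: Rsne) -> Tuple[bool, List[str]]:
    """Apply the WFA 6 GHz rule described on this page; return (ok, list of reasons)."""
    problems = [f"AKM:{a} ({AKM_NAMES.get(a, 'unknown')}) is a legacy AKM"
                for a in r.akms if a not in AKMS_ALLOWED_6GHZ]
    if not (r.mfpc and r.mfpr):
        problems.append(f"PMF must be required (MFPC={int(r.mfpc)} MFPR={int(r.mfpr)})")
    if any(c in r.group_cipher or any(c in p for p in r.pairwise_ciphers) for c in ("TKIP", "WEP")):
        problems.append("TKIP or WEP cipher present")
    return (not problems, problems)


def build_rsne(group: int, pairwise: List[int], akms: List[int], caps: int,
               group_mgmt: Optional[int] = None) -> bytes:
    """Constructed helper for the example: assemble an RSNE from 00-0F-AC suite types."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + OUI_IEEE + bytes([group_mgmt])  # no PMKIDs
    return bytes([48, len(body)]) + body


# Constructed sample elements matching rows of the decoder ring.
TRANSITION_2G5G = build_rsne(4, [4], [2, 8, 4, 9], MFPC_BIT, 6)             # wpa3-sae-aes, transition, 2.4/5 GHz
SAE_ONLY_6GHZ = build_rsne(4, [4], [8, 9], MFPC_BIT | MFPR_BIT, 6)          # wpa3-sae-aes, 6 GHz
WPA2_ENTERPRISE = build_rsne(4, [4], [1, 3], 0)                              # wpa2-aes, no PMF

if __name__ == "__main__":
    for name, elem in [("transition", TRANSITION_2G5G), ("sae-6ghz", SAE_ONLY_6GHZ), ("wpa2-ent", WPA2_ENTERPRISE)]:
        r = parse_rsne(elem)
        ok, why = allowed_in_6ghz(r)
        print(name, r.akm_labels(), r.group_mgmt_cipher, "6 GHz ok" if ok else why)
```

The parser treats every length as untrusted, which matters because these elements arrive in unauthenticated beacons; a transition-mode RSNE shows up with both AKM:2 and AKM:8 and MFPC=1/MFPR=0, exactly the 2.4/5 GHz column of the first decoder-ring row, and fails the 6 GHz check on both counts.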


Last modified: July 17, 2024 (69ac269)