Security Modes
In an increasingly interconnected world, secure and reliable Wi-Fi communication is a must-have. From home offices to industrial environments to enterprise networks, Wi-Fi has become a crucial part of mobile connectivity. As reliance on Wi-Fi networks has grown, so has the need for security that protects sensitive data and ensures privacy.
Enhanced Open and Wi-Fi Protected Access version 3 (WPA3) are the current advancements in Wi-Fi security standards from the Wi-Fi Alliance (WFA), designed to address weaknesses of their predecessors, WPA2 and Open networks. The security mode sections aim to provide insight into Enhanced Open and WPA3 networks in HPE Aruba Networking deployments, exploring key components, practical implications, and best practices. Deployment considerations and compatibility aspects are also discussed.
Authentication and Key Management (AKM)
The security solutions used in Wi-Fi networks are defined by the IEEE 802.11 standards and Wi-Fi Alliance. Each security protocol has a specific authentication and key management (AKM) suite type (number).
The standard defines AKM suite selectors with a format of OUI:N, where N represents the suite type. The standards-based AKMs are denoted by an OUI of 00-0F-AC. For example, the suite selector for WPA3-Personal (wpa3-sae-aes) is 00-0F-AC:8. The corresponding pages refer to 00-0F-AC:N as AKM:N.
The Wi-Fi Alliance (WFA) defines security certifications by AKM, cipher suite, and Protected Management Frame (PMF) combinations. The following table lists the authentication types defined in the standard and their corresponding Wi-Fi Alliance certification program labels:
WFA Mode | IEEE AKM | Description |
---|---|---|
WPA2-Enterprise | AKM:1 | IEEE 802.1X with SHA-1 |
WPA2-Personal | AKM:2 | Pre-Shared Key (PSK) |
WPA3-Enterprise | AKM:5 | IEEE 802.1X with SHA-256 |
WPA3-Personal | AKM:8 | Simultaneous Authentication of Equals (SAE) |
WPA3-Enterprise 192-bit | AKM:12 | IEEE 802.1X with SHA-384 using CNSA Suite compliant ciphers and EAP method |
Enhanced Open | AKM:18 | Opportunistic Wireless Encryption (OWE) |
WPA3-Personal | AKM:24 | Simultaneous Authentication of Equals (SAE) with a variable hash algorithm depending on Diffie-Hellman (DH) group (SHA-256, SHA-384, or SHA-512) |
Wi-Fi Alliance Programs
This section details the specifications defined by the Wi-Fi Alliance security certifications. A following section will map them to the security modes implemented by HPE Aruba Networking in AOS.
Enhanced Open
The Wi-Fi Alliance Enhanced Open specification defines the following:
- Enhanced Open based on Opportunistic Wireless Encryption (OWE) defined in RFC 8110 (AKM:18)
WPA3
The Wi-Fi Alliance WPA3 specification defines the following:
- WPA3-Personal (AKM:8, Wi-Fi 7 uses AKM:24)
- WPA3-Personal Transition (AKM:2 + AKM:8)
- WPA3-Enterprise Only (AKM:5)
- WPA3-Enterprise Transition Mode (AKM:1 + AKM:5)
- WPA3-Enterprise 192-bit mode (AKM:12)
Corresponding AOS Security Modes
Wi-Fi Alliance Mode | AOS Key Management | AOS Security Mode (opmode) |
---|---|---|
Enhanced Open | Enhanced Open | enhanced-open |
WPA3-Personal | WPA3-Personal | wpa3-sae-aes |
WPA3-Enterprise | WPA3-Enterprise (CCM 128) | wpa3-aes-ccm-128 |
Not defined by WFA | WPA3-Enterprise (GCM 256) | wpa3-aes-gcm-256 |
WPA3-Enterprise 192-bit | WPA3-Enterprise (CNSA) | wpa3-cnsa |
6 GHz Operation
Wi-Fi 6E is Wi-Fi 6 ‘extended’ to include the 6 GHz band. Extending operation into the 6 GHz band was an opportunity to leave behind some of the legacy requirements which exist for operation in the 2.4 GHz and 5 GHz bands.
The Wi-Fi Alliance (WFA) made the decision to require WPA3 or Enhanced Open as the minimum security modes allowed in the 6 GHz band.
The following legacy security modes are not allowed in 6 GHz operation:
- WPA2-Enterprise or the corresponding transition mode*
- WPA2-Personal or the corresponding transition mode*
- Open, WPA version 1, TKIP, or WEP

* For WPA3-Personal (wpa3-sae-aes) or WPA3-Enterprise CCM 128 (wpa3-aes-ccm-128), transition mode is effective only for 2.4 GHz or 5 GHz operation. Transition mode configuration is automatically overridden and disabled for 6 GHz operation.
Terminology
The following terminology is used throughout the various security mode sections. For additional information, refer to sources mentioned below.
- AKM – Authentication and Key Management
- BSS – Basic Service Set
- CNSA – Commercial National Security Algorithm
- DH – Diffie-Hellman
- Enhanced Open – Wi-Fi Alliance certification based on OWE protocol
- FT – Fast (BSS) Transition for improving handoff between APs
- IEEE – Institute of Electrical and Electronics Engineers
- OWE – Opportunistic Wireless Encryption
- MFP – Management Frame Protection (see PMF)
- MFPC – Management Frame Protection Capable
- MFPR – Management Frame Protection Required
- PMF – Protected Management Frame (see MFP)
- PMK – Pairwise Master Key
- RSNE – Robust Security Network Element
- SAE – Simultaneous Authentication of Equals protocol used by WPA3-Personal
- WFA – Wi-Fi Alliance
- Wi-Fi 6 – Based on IEEE 802.11ax (HE)
- Wi-Fi 6E – Wi-Fi 6 extended to include the 6 GHz band
- Wi-Fi 7 – Based on IEEE 802.11be (EHT)
- WPA2 – Wi-Fi Protected Access version 2
- WPA3 – Wi-Fi Protected Access version 3
Sources and References
- IEEE 802.11-2016
- IEEE 802.11-2020
- RFC 5759 – Suite B Certificate and Certificate Revocation List (CRL) Profile
- RFC 6460 – Suite B Profile for Transport Layer Security (TLS)
- RFC 6379 – Suite B Cryptographic Suites for IPsec
- RFC 7268 – RADIUS Attributes for IEEE 802 Networks
- RFC 8110 – Opportunistic Wireless Encryption
- WPA3 Specification version 3.0
- WPA3 Specification version 3.1
- WPA3 Specification version 3.2
Decoder Ring
Security Mode (opmode) | AKM | Hash Algorithm | FT AKM | Cipher Suite | Group Management | PMF |
---|---|---|---|---|---|---|
WPA3-Personal(1), Transition Mode Enabled (wpa3-sae-aes) | 2.4 / 5 GHz: AKM:2, AKM:8; 6 GHz: AKM:8 | 2.4 / 5 GHz: SHA-1, SHA-256; 6 GHz: SHA-256 | 2.4 / 5 GHz: AKM:4, AKM:9; 6 GHz: AKM:9 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=0, MFPC=1; 6 GHz: MFPR=1, MFPC=1 |
WPA3-Personal(1), Transition Mode Disabled (wpa3-sae-aes) | 2.4 / 5 / 6 GHz: AKM:8 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:9 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 / 6 GHz: MFPR=1, MFPC=1 |
WPA2-Enterprise(2) (wpa2-aes) | 2.4 / 5 GHz: AKM:1 | 2.4 / 5 GHz: SHA-1 | 2.4 / 5 GHz: AKM:3 | CCM-128 | N/A | 2.4 / 5 GHz: MFPR=0, MFPC=0 |
WPA3-Enterprise(3) (wpa2-aes + MFP-R) | 2.4 / 5 GHz: AKM:5 | 2.4 / 5 GHz: SHA-256 | 2.4 / 5 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=1, MFPC=1 |
WPA3-Enterprise CCM 128(4), Transition Mode Enabled (wpa3-aes-ccm-128) | 2.4 / 5 GHz: AKM:1, AKM:5(5); 6 GHz: AKM:5 | 2.4 / 5 GHz: SHA-1, SHA-256(5); 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 GHz: MFPR=0, MFPC=1; 6 GHz: MFPR=1, MFPC=1 |
WPA3-Enterprise CCM 128(4), Transition Mode Disabled (wpa3-aes-ccm-128) | 2.4 / 5 / 6 GHz: AKM:5 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | CCM-128 | BIP-CMAC-128 | 2.4 / 5 / 6 GHz: MFPR=1, MFPC=1 |
WPA3-Enterprise GCM 256 (wpa3-aes-gcm-256) | 2.4 / 5 / 6 GHz: AKM:5 | 2.4 / 5 / 6 GHz: SHA-256 | 2.4 / 5 / 6 GHz: AKM:3 | GCMP-256 | BIP-GMAC-256 | 2.4 / 5 / 6 GHz: MFPR=1, MFPC=1 |
WPA3-Enterprise CNSA (192-bit) (wpa3-cnsa) | 2.4 / 5 / 6 GHz: AKM:12 | 2.4 / 5 / 6 GHz: SHA-384 | None(6) | GCMP-256 | BIP-GMAC-256 | 2.4 / 5 / 6 GHz: MFPR=1, MFPC=1 |
- (1) wpa3-sae-aes with AKM:24 is not yet supported in AOS.
- (2) wpa2-aes is not typically deployed with PMF due to lack of support by WPA2 clients.
- (3) wpa2-aes with PMF configuration set as required removes AKM:1 (802.1X with SHA-1) and adds AKM:5 (802.1X with SHA-256), which is effectively WPA3 only. Please review the caveats on the WPA3-Enterprise page.
- (4) Transition mode for WPA3-Enterprise CCM 128 is supported starting in AOS 8.11 and 10.5. Transition mode has no effect on operation in AOS 8.10 and 10.4.
- (5) WPA3-Enterprise CCM 128 with transition mode enabled adds AKM:5 (802.1X with SHA-256) in the 2.4 GHz and 5 GHz bands starting in AOS 8.11 and 10.5. When transition mode is disabled, AKM:1 (802.1X with SHA-1) is not advertised.
- (6) There is no compatible FT AKM for CNSA.
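As an added example (not part of this page or of AOS), the decoder below parses an RSNE as an AP advertises it in its beacons: it reads the AKM suite selectors in the 00-0F-AC:N form described in the AKM section and the MFPC/MFPR capability bits, labels the result with the WFA mode names from the decoder ring, and applies the 6 GHz rule from the 6 GHz Operation section. The sample element is constructed for this example, and the function names and the LABELS mapping are this example's own.

```python
import struct
OUI = b"\x00\x0f\xac"   # standards-based suite selector OUI 00-0F-AC; AKM:N on this page means 00-0F-AC:N
FT_TO_BASE = {3: 1, 4: 2, 9: 8}   # FT AKMs (FT-802.1X, FT-PSK, FT-SAE) map onto their base AKM
LEGACY_AKMS = {1, 2, 3, 4}        # WPA2-era AKMs, which the WFA does not permit in the 6 GHz band
LABELS = {frozenset({18}): "Enhanced Open", frozenset({1}): "WPA2-Enterprise",
          frozenset({2}): "WPA2-Personal", frozenset({2, 8}): "WPA3-Personal Transition",
          frozenset({8}): "WPA3-Personal", frozenset({24}): "WPA3-Personal",
          frozenset({1, 5}): "WPA3-Enterprise Transition", frozenset({5}): "WPA3-Enterprise",
          frozenset({12}): "WPA3-Enterprise 192-bit"}

def _suite(buf: bytes, off: int) -> int:   # suite type N of a 4-byte selector; only 00-0F-AC accepted
    if buf[off:off + 3] != OUI:
        raise ValueError(f"non-standard suite OUI {buf[off:off + 3].hex('-')}")
    return buf[off + 3]

def _suite_list(buf: bytes, off: int):     # 2-byte LE count followed by that many 4-byte selectors
    (n,) = struct.unpack_from("<H", buf, off)
    return [_suite(buf, off + 2 + 4 * i) for i in range(n)], off + 2 + 4 * n

def parse_rsne(ie: bytes) -> dict:
    """Decode an RSN element (element ID 48) into AKMs, cipher suites and the PMF bits."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != ie[1] + 2:
        raise ValueError("malformed RSNE")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suite_list(body, 6)         # bytes 2..5 hold the group data cipher selector
    akms, off = _suite_list(body, off)
    (caps,) = struct.unpack_from("<H", body, off)
    rsn = {"akms": akms, "pairwise": pairwise, "group": _suite(body, 2), "group_mgmt": None,
           "mfpr": bool(caps & 0x40), "mfpc": bool(caps & 0x80)}   # RSN capabilities bit 6 / bit 7
    off += 2
    if off + 2 <= len(body):                     # optional PMKID list, then group management cipher
        (npmkid,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * npmkid
        if off + 4 <= len(body):
            rsn["group_mgmt"] = _suite(body, off)
    return rsn

def wfa_label(rsn: dict) -> str:           # AKM set -> WFA mode name as used in the tables above
    base = frozenset(FT_TO_BASE.get(a, a) for a in rsn["akms"])
    return LABELS.get(base, f"unrecognised AKM set {sorted(base)}")

def allowed_on_6ghz(rsn: dict) -> bool:    # 6 GHz rule: WPA3 or Enhanced Open only, PMF required
    return not (set(rsn["akms"]) & LEGACY_AKMS) and rsn["mfpc"] and rsn["mfpr"]

# Constructed sample (not a capture): WPA3-Personal transition mode per the decoder ring for 2.4/5 GHz, i.e. AKM:2 + AKM:8, FT AKM:4 + AKM:9, CCM-128, BIP-CMAC-128, MFPC=1 MFPR=0
SAMPLE_TRANSITION = (bytes([48, 38]) + b"\x01\x00" + OUI + b"\x04" + b"\x01\x00" + OUI + b"\x04"
                     + b"\x04\x00" + OUI + b"\x02" + OUI + b"\x08" + OUI + b"\x04" + OUI + b"\x09"
                     + b"\x80\x00" + b"\x00\x00" + OUI + b"\x06")
```

Running parse_rsne over the RSNE of each SSID on a 6 GHz radio and checking allowed_on_6ghz is a quick way to confirm that transition mode was in fact overridden there, as the 6 GHz Operation section says it is.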