WPA3-Enterprise
HPE Aruba Networking offers three different modes of operation for WPA3-Enterprise: CCM 128, GCM 256, and CNSA.
- CCM 128 offers the widest compatibility, including WPA2-certified clients when deployed in transition mode.
- GCM 256 restricts to WPA3-certified clients that support GCMP-256 ciphers.
- CNSA (192-bit) constrains the options available with WPA3-Enterprise, with the intent of raising the bar of attack sophistication and making CNSA suitable for some of the highest levels of data protection.
WPA3-Enterprise CCM 128
WPA3-Enterprise CCM 128 meets the requirements for two modes of operation for WPA3-Enterprise as specified by the Wi-Fi Alliance.
- “WPA3-Enterprise transition mode” which advertises key management for both WPA2-Enterprise and WPA3-Enterprise clients and sets PMF to optional (when operating in the 2.4 GHz and 5 GHz bands).
- “WPA3-Enterprise only mode” which advertises key management for only WPA3-Enterprise configured clients and requires PMF (across all bands of operation). This is the behavior when transition mode configuration is explicitly disabled.
WPA3-Enterprise CCM 128 in transition mode (default behavior) advertises or negotiates the following capabilities in beacons, probe response, or association in the 2.4 GHz and 5 GHz bands of operation:
- AKM suite selectors include 00-0F-AC:1 (802.1X with SHA-1) and 00-0F-AC:5 (802.1X with SHA-256).
- Protected Management Frames are capable and automatically set as optional (MFPR=0 and MFPC=1).
- This mode supports both WPA2-Enterprise only clients connecting with WPA2 (AKM:1) and WPA3-Enterprise capable clients connecting with WPA3 (AKM:5).
WPA3-Enterprise CCM 128 with transition mode disabled (WPA3-Enterprise only mode) advertises or negotiates the following capabilities in beacons, probe response, or association in the 2.4 GHz and 5 GHz bands of operation:
- AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
- Protected Management Frames are required and automatically set as mandatory (MFPR=1 and MFPC=1).
- This mode only supports WPA3-Enterprise capable clients connecting with WPA3 (AKM:5).
When operating in the 6 GHz band, WPA3-Enterprise CCM 128 is automatically set as “WPA3-Enterprise only mode”, and advertises or negotiates the following capabilities in beacons, probe response, or association:
- AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
- Protected Management Frames are required and automatically set as mandatory (MFPR=1 and MFPC=1).
- This mode only supports WPA3-Enterprise capable clients connecting with WPA3 (AKM:5).
WPA3-Enterprise CCM 128 advertises or negotiates the following ciphers in all modes of operation in beacons, probe response, or association:
- Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Key management and Protected Management Frames configuration for WPA3-Enterprise CCM 128 varies depending on band of operation and AOS version deployed.
Transition mode is supported starting in AOS 8.11 and 10.5, enabling the client to choose between 802.1X with SHA-1 and 802.1X with SHA-256.
Note that AOS 8.10 and 10.4 behave differently: WPA3-Enterprise clients will always negotiate connectivity using WPA2 in 2.4 GHz and 5 GHz operation.
AOS 8.11+ and 10.5+
The behavior for WPA3-Enterprise CCM 128 in AOS 8.11 and 10.5 or later is as follows:
- Support for transition mode is introduced for WPA3-Enterprise CCM 128.
- When transition mode is enabled (default), the behavior is as follows:
  - 2.4 GHz and 5 GHz operation:
    - Both 00-0F-AC:1 (802.1X with SHA-1) and 00-0F-AC:5 (802.1X with SHA-256) are advertised in the RSNE.
    - Capable clients can negotiate using WPA2 or WPA3; the client picks which.
    - PMF is optional (MFPR=0 and MFPC=1).
  - 6 GHz operation:
    - 00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
    - PMF is required (MFPR=1 and MFPC=1).
- When transition mode is disabled, the behavior for WPA3-Enterprise CCM 128 is as follows:
  - 2.4 GHz and 5 GHz operation:
    - 00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
    - WPA2-Enterprise only clients will not connect. Disabling transition mode forces WPA3 connections.
    - PMF is required (MFPR=1 and MFPC=1).
  - 6 GHz operation:
    - 00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
    - PMF is required (MFPR=1 and MFPC=1).
AOS 8.10 and 10.4
The behavior for WPA3-Enterprise CCM 128 in AOS 8.10 and 10.4 is as follows:
- Transition mode configuration has no effect on operation.
- 2.4 GHz and 5 GHz operation:
  - 00-0F-AC:1 (802.1X with SHA-1) is advertised in the RSNE.
  - PMF is optional (MFPR=0 and MFPC=1).
  - 00-0F-AC:5 (802.1X with SHA-256) is not advertised with CCM 128 in AOS 8.10 or 10.4. This means WPA3 capable clients will negotiate connectivity as WPA2 because only AKM:1 is advertised by the AP.
- 6 GHz operation:
  - 00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
  - PMF is required (MFPR=1 and MFPC=1).
Workaround
If there is a requirement to restrict connectivity to “WPA3-Enterprise Only Mode” while using CCMP-128 ciphers on AOS 8.10 or 10.4 deployments, consider the following workaround and caveats:
- The WPA2-Enterprise security mode (wpa2-aes) with PMF configured as mandatory (MFPR=1 and MFPC=1) effectively uses WPA3-Enterprise (AKM:5) for key management instead of WPA2-Enterprise (AKM:1).
- Use cases for this workaround:
  - “WPA3-Enterprise Only Mode” with no support for legacy WPA2-Enterprise clients.
  - AOS 8.10 or 10.4 deployments.
  - 2.4 GHz or 5 GHz operation.
- To deploy this workaround, two configurations are required:
  - Security mode set as WPA2-Enterprise (wpa2-aes).
  - PMF set as mandatory (MFPR=1 and MFPC=1):
    - Instant 8 configuration for MFP via CLI (mfp-capable and mfp-required parameters), Central template group, or Central REST API.
    - AOS 8 configuration for MFP via WebUI, CLI, or local REST API.
    - AOS 10 configuration for MFP via Central REST API.
- Caveats:
  - This workaround does not support 6 GHz operation.
  - AOS 8 forwarding mode caveats:
    - PMF operation for Wi-Fi 5 APs requires use of decrypt-tunnel forwarding mode.
    - PMF operation in tunnel forwarding mode is supported starting with Wi-Fi 6 APs.
  - When this workaround is deployed and a capable deployment is being upgraded to an 8.11 release, upgrade to at least 8.11.2.1 or later due to a multicast encryption mismatch bug (AOS-243060) present in earlier 8.11 releases.
Example AOS 8.10 configuration for WPA3 only key management in 2.4 GHz or 5 GHz bands using wpa2-aes + mfp-capable + mfp-required:
wlan ssid-profile "ACME_1X_WPA3"
essid "ACME_1X_WPA3"
opmode wpa2-aes
mfp-capable
mfp-required
!
Example AOS 8.10 verification:
(MCR) [mynode] #show wlan ssid-profile ACME_WPA3_Enterprise
SSID Profile "ACME_1X_WPA3"
---------------------------
Parameter Value
--------- -----
SSID enable Enabled
ESSID ACME_1X_WPA3
Encryption wpa2-aes
Enable Management Frame Protection (for WPA2 opmodes) Enabled
Require Management Frame Protection (for WPA2 opmodes) Enabled
When this workaround is configured and supported, the following capabilities are advertised or negotiated in beacons, probe response, or association in the 2.4 GHz or 5 GHz bands:
- AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
- Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
- Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
When this workaround is configured and not supported, such as by Wi-Fi 5 APs in tunnel mode on AOS 8, the following capabilities are advertised or negotiated in beacons, probe response, or association in the 2.4 GHz or 5 GHz bands:
- AKM suite selector as 00-0F-AC:1 (802.1X with SHA-1).
- Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
- Protected Management Frames are disabled (MFPR=0 and MFPC=0).
If, after the workaround has been in place for some time, a new deployment requirement for 6 GHz operation arises (for example when 6 GHz capable hardware is added), consider the following software upgrade and configuration migration order to keep the advertised key management consistent:
- First
  - AOS 8: Upgrade to 8.11.2.1 or later.
  - AOS 10: Upgrade to 10.5 or later.
- Second
  - Change the security mode from WPA2-Enterprise (wpa2-aes) to WPA3-Enterprise CCM 128 (wpa3-aes-ccm-128).
  - Disable transition mode to remove support for WPA2 clients using AKM:1. This is necessary because transition mode configuration for WPA3-Enterprise CCM 128 is supported starting in 8.11 and 10.5 and is enabled by default, advertising both AKM:1 and AKM:5.
- Third
  - AOS 8: Configure “Allow 6GHz band” on the respective VAP.
  - AOS 10: Enable the 6 GHz band in the respective WLAN configuration.
Best Practices
WPA3-Enterprise is suitable for use cases where WPA2-Enterprise was used prior because it adds Protected Management Frames and, when AKM:5 (SHA-256) is negotiated, the key length is increased. It is encouraged to disable weak EAP methods such as PEAP-MSCHAPv2, CHAPv1, PAP, etc., and to consider a stronger EAP method such as EAP-TLS.
Consider disabling transition mode to limit attack vectors. When PMF is disabled or not used by a client, attackers can spoof management frames from an AP to attack an associated client through Denial of Service (DoS) or attacker-in-the-middle techniques.
Consider deploying WPA3-Enterprise and WPA2-Enterprise on different individual VAPs.
WPA3-Enterprise GCM 256
Introduced in AOS 8.5, WPA3-Enterprise with 256 bits enables GCMP-256 cipher suites without requiring CNSA compatible EAP. This mode is also referred to as WPA3-Enterprise Non-CNSA.
The following is advertised and negotiated in beacons, probe response, and association:
- AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
- Pairwise cipher suite selector as 00-0F-AC:9 (GCMP-256).
- Group data cipher suite selector as 00-0F-AC:9 (GCMP-256).
- Group management cipher suite selector as 00-0F-AC:12 (BIP-GMAC-256).
- Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
Best Practices
This security mode is suitable for use-cases where WPA2-Enterprise was used prior because of Protected Management Frames and stronger ciphers than CCM 128.
Use this security mode if the client population is under administrative control and knowledge of client support for GCMP-256 with AKM:5 is known.
Weak EAP methods such as PEAP-MSCHAPv2, CHAPv1, PAP, etc., should be disabled and client connections moved to using a stronger EAP method such as EAP-TLS.
The client population must support the defined security parameters as transition mode is not allowed for WPA3-Enterprise GCM 256.
WPA3-Enterprise CNSA (192-bit)
WPA3-Enterprise CNSA (192-bit) enforces CNSA Suite security standards for enterprise Wi-Fi networks.
The following is advertised and negotiated in beacons, probe response, and association:
- AKM suite selector as 00-0F-AC:12 (802.1X with SHA-384).
- Pairwise cipher suite selector as 00-0F-AC:9 (GCMP-256).
- Group data cipher suite selector as 00-0F-AC:9 (GCMP-256).
- Group management cipher suite selector as 00-0F-AC:12 (BIP-GMAC-256).
- Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
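The selector lists above (for CCM 128, GCM 256 and CNSA, and for the AOS 8.10 workaround in its supported and unsupported forms) are all carried in the RSN information element of beacons and probe responses. The following is an added example, not HPE Aruba Networking code: it builds and decodes an RSNE (element ID 48, 00-0F-AC selectors, MFPC/MFPR bits in the RSN Capabilities field) and maps the result onto the modes this page describes, so an administrator can check from a captured beacon which mode an AP is actually advertising. The sample elements and the mode names in `classify` are constructed for this example.

```python
import struct
OUI = bytes.fromhex("000fac")  # the 00-0F-AC OUI used by every selector on this page
MFPR, MFPC = 0x40, 0x80        # RSN Capabilities bit 6 and bit 7

def build_rsne(group, pairwise, akms, mfpc, mfpr, group_mgmt=None):
    """Construct an RSNE (element ID 48) as an AP would carry it in a beacon."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", (MFPC if mfpc else 0) | (MFPR if mfpr else 0))
    if group_mgmt is not None:  # zero PMKIDs, then the group management cipher
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])
    return bytes([48, len(body)]) + body

def _suites(body, off, n):  # n four-byte selectors at off -> type codes, new offset
    sel = [body[off + 4 * i: off + 4 * i + 4] for i in range(n)]
    if any(len(s) != 4 or s[:3] != OUI for s in sel):
        raise ValueError("truncated or non-00-0F-AC suite selector")
    return [s[3] for s in sel], off + 4 * n

def parse_rsne(ie):
    """Decode the selectors and PMF bits that this page lists for each mode."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSNE")
    body = ie[2:]
    group, off = _suites(body, 2, 1)
    pairwise, off = _suites(body, off + 2, struct.unpack_from("<H", body, off)[0])
    akms, off = _suites(body, off + 2, struct.unpack_from("<H", body, off)[0])
    caps = struct.unpack_from("<H", body, off)[0]
    r = {"group": group[0], "pairwise": pairwise, "akm": akms,
         "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR), "group_mgmt": None}
    off += 2
    if off + 2 <= len(body):  # optional PMKID count/list precedes the group mgmt cipher
        off += 2 + 16 * struct.unpack_from("<H", body, off)[0]
        if r["mfpc"] and off + 4 <= len(body):
            r["group_mgmt"] = _suites(body, off, 1)[0][0]
    return r

def classify(r):  # map a decoded RSNE onto the modes this page describes
    key = (tuple(sorted(r["akm"])), tuple(r["pairwise"]), r["mfpc"], r["mfpr"])
    modes = {((12,), (9,), True, True): "WPA3-Enterprise CNSA (192-bit)",
             ((5,), (9,), True, True): "WPA3-Enterprise GCM 256",
             ((1, 5), (4,), True, False): "WPA3-Enterprise CCM 128 transition mode",
             ((5,), (4,), True, True): "WPA3-Enterprise only mode (AKM:5, PMF required)",
             ((1,), (4,), True, False): "WPA2-Enterprise (AKM:1), PMF optional",
             ((1,), (4,), False, False): "WPA2-Enterprise (AKM:1), PMF disabled"}
    return modes.get(key, "unrecognised")

WORKAROUND_OK = build_rsne(4, [4], [5], mfpc=True, mfpr=True, group_mgmt=6)  # constructed sample
WORKAROUND_UNSUPPORTED = build_rsne(4, [4], [1], mfpc=False, mfpr=False)     # constructed sample
```

Feed `parse_rsne` the raw bytes of a beacon's RSN element (starting at the 0x30 element ID) to compare what the AP advertises against the mode you configured.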
Other notes of importance:
- Requires a CNSA Suite compatible EAP-TLS cipher suite (RFC 6460):
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 using p384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 using p384 and RSA > 3k bits
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 using RSA > 3k bits
- TLS v1.2 or later is required.
- Key length must be greater than 3072 bits. The signing keys have the same key length requirements.
- Certificate chain validation is mandatory.
- EAP termination is not supported. EAP termination is when EAP tunnel termination is moved upstream from the RADIUS server to the controller or AP. WPA3-Enterprise 192-bit (CNSA) expects that a RADIUS server is used, and policy is enforced by the RADIUS server. This means CNSA Suite compatible 802.1X happens between client and RADIUS server based on the authenticator indicating which AKM is negotiated between client and AP.
WPA3-Enterprise CNSA (192-bit) is supported by HPE Aruba Networking ClearPass (CPPM) starting in version 6.8 and supports the following RADIUS attributes from RFC 7268:
- WLAN-Reason-Code (185)
- WLAN-Pairwise-Cipher (186)
- WLAN-Group-Cipher (187)
- WLAN-AKM-Suite (188)
- WLAN-Group-Mgmt-Cipher (189)
Best Practices
This security mode is suitable for use-cases where WPA2-Enterprise was used prior because of Protected Management Frames, increased key length, stronger ciphers, and requirement of CNSA Suite compatible EAP-TLS methods.
This is primarily focused on customers such as government, finance, and other industries who require a high level of security.
The client population must support the defined security parameters as transition mode is not allowed for WPA3-Enterprise CNSA (192-bit).