Configuring WPA3 Encryption

HPE Aruba Networking Central supports WPA3 encryption for security profiles in SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. creation for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 firmware version and above. The WPA3 security provides robust protection with unique encryption per user session thereby ensuring a highly secured connection even on a public Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspot Hotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.. WPA3 Enterprise is built upon WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES. and utilizes 192-bit security while still using the 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. standard to provide a secure wireless network for enterprise use. This provides a superior encryption method to better protect any kind of data. The security suite is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) suite and is commonly placed in high-security Wi-Fi networks.

The following are the WPA3 encryptions based on the Enterprise, Personal, or Open network types:

  • WPA3-Enterprise when the security level is Enterprise.
  • WPA3-Personal when the security level is Personal.
  • Enhanced Open when the security level is Open.

WPA3 Encryption Supported AP Modes and Clients

The following table provide information on the supported WPA3 encryption modes and the supported clients.

Table 1: WPA3 Encryption Supported AP Modes and Clients

WPA3 Protocol Android iOS iPadOS macOS Intel Windows

WPA3-Personal

 

Supported

Supported

Supported

Supported

Supported

Supported

WPA3-Enterprise

WPA3-Enterprise(CCM 128)

Supported

Supported

Supported

Supported

Supported

Supported

WPA3-Enterprise(GCM 256)

Supported

Not Supported

Not Supported

Not Supported

Not Supported

Not Supported

WPA3-Enterprise(CNSA)

Supported

Supported

Supported

Supported for 802.11ax devices

Supported

Supported

Enhanced Open

 

Supported

Supported

Supported

Supported

Supported

Supported

WPA3 Enterprise

WPA3 Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards includes:

Aruba Instant supports WPA3 Enterprise only in non-termination 802.1X and tunnel-forward modes. WPA3 Enterprise compatible 802.1x authentication occurs between STA and CPPM.

WPA3 Enterprise advertises or negotiates the following capabilities in beacons, probes response, or 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. association:

If WPA3 Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.

WPA3 Enterprise Operating Modes

HPE Aruba Networking Central supports three WPA3 Enterprise operating modes, namely WPA3-Enterprise(CCM 128), WPA3-Enterprise(CNSA), and WPA3-Enterprise(GCM 256). By default, the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID operates in the WPA3 Enterprise(CCM 128) mode with transition mode enabled.

The WPA3 Enterprise operating modes are dependent on the driver version of the client chipset. It is recommended to implement one of the following WPA3 Enterprise operating modes based on the client chipset:

With transition mode enabled, the WPA3-Enterprise(CCM 128) option allows clients using either WPA3 with PMF or WPA2 without PMF to connect to Virtual APs. This option can be used in the 2.4 GHz Gigahertz., 5 GHz or 6 GHz radio bands Band refers to a specified range of frequencies of electromagnetic radiation.. When used in the 6 GHz radio band, PMF is mandatory and the transition mode will be automatically overruled and disabled. With transition mode disabled, only WPA3 certified clients using PMF can connect to Virtual APs.

Configuring WPA3 for Wireless Network

To configure WPA3 for enterprise security, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click WLANs tab.

    The WLANs detail page is displayed.

  5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
  6. Click the Security tab.
  7. Select Enterprise from the Security Level.

    The authentication options applicable to the enterprise network are displayed.

  8. Select one of the following from the Key Management drop-down list:
    • WPA3-Enterprise(CNSA)—Select this option to use WPA3 security employing CNSA encryption operation mode.
    • WPA3-Enterprise(CCM 128)—Select this option to use WPA3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
    • WPA3-Enterprise(GCM 256)—Select this option to use WPA3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
  9. Click Save Settings.

Configuring WPA3 for Personal Security

To configure WPA3 for personal security, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click WLANs tab.

    The WLANs detail page is displayed.

  5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
  6. Click the Security tab.
  7. Select Personal from the Security Level.

    The authentication options applicable to the Personal network are displayed.

  8. Select WPA3-Personal from the Key Management drop-down list.
  9. Click Save Settings.