Configuring WPA3 Encryption
HPE Aruba Networking Central supports WPA3 encryption for security profiles in SSID creation for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 firmware and above. WPA3 security provides robust protection with unique encryption per user session, ensuring a highly secured connection even on a public Wi-Fi hotspot. WPA3 Enterprise is built upon WPA2 and utilizes 192-bit security while still using the 802.1X standard to provide a secure wireless network for enterprise use. This provides a superior encryption method to better protect any kind of data. The security suite is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) suite and is commonly placed in high-security Wi-Fi networks.
The following are the WPA3 encryptions based on the , , or network types:
- when the security level is .
- when the security level is .
- when the security level is .
WPA3 Encryption Supported AP Modes and Clients
The following table provides information on the supported WPA3 encryption modes and the supported clients.
WPA3 Protocol | Android | iOS | iPadOS | macOS | Intel | Windows
---|---|---|---|---|---|---
WPA3-Personal | Supported | Supported | Supported | Supported | Supported | Supported
WPA3-Enterprise(CCM 128) | Supported | Supported | Supported | Supported | Supported | Supported
WPA3-Enterprise(GCM 256) | Supported | Not Supported | Not Supported | Not Supported | Not Supported | Not Supported
WPA3-Enterprise(CNSA) | Supported | Supported | Supported | Supported for 802.11ax devices | Supported | Supported
Enhanced Open | Supported | Supported | Supported | Supported | Supported | Supported
WPA3 Enterprise
WPA3 Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards include:
- Deriving at least a 384-bit PMK/MSK using Suite B compatible EAP-TLS.
- Securing pairwise data between STA and authenticator using AES-GCM-256.
- Securing group addressed data between STA and authenticator using AES-GCM-256.
- Securing group addressed management frames using BIP-GMAC-256.
Aruba Instant supports WPA3 Enterprise only in non-termination 802.1X and tunnel-forward modes. WPA3 Enterprise compatible 802.1X authentication occurs between STA and CPPM.
WPA3 Enterprise advertises or negotiates the following capabilities in beacons, probe responses, or 802.11 association:
- AKM Suite Selector as 00-0F-AC:12
- Pairwise Cipher Suite Selector as 00-0F-AC:9
- Group data cipher suite selector as 00-0F-AC:9
- Group management cipher suite (MFP) selector as 00-0F-AC:12
If WPA3 Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.
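As an added example (not HPE Aruba Networking code), the following Python encodes and decodes the 802.11 RSN element that carries these selectors and reports which of the four deviate from the WPA3 Enterprise values, which is the check an auditor would run over a captured beacon or association request. The RSN element layout (version, group data cipher, pairwise list, AKM list, capabilities, optional PMKID list, group management cipher) follows IEEE 802.11; the sample elements are constructed inline.

```python
import struct

# The four suite selectors the page lists for WPA3 Enterprise (OUI 00-0F-AC)
WPA3_ENT = {"akm": "00-0F-AC:12", "pairwise": "00-0F-AC:9",
            "group_data": "00-0F-AC:9", "group_mgmt": "00-0F-AC:12"}
MFPR = 0x40  # RSN Capabilities bit 6: management frame protection required

def _sel_to_bytes(s):
    oui, typ = s.split(":")
    return bytes.fromhex(oui.replace("-", "")) + bytes([int(typ)])

def _bytes_to_sel(buf, off):
    o = buf[off:off + 3]
    return "%02X-%02X-%02X:%d" % (o[0], o[1], o[2], buf[off + 3]), off + 4

def build_rsn_ie(group_data, pairwise, akm, caps, group_mgmt=None):
    """Encode an RSN element (ID 48) from selector strings like '00-0F-AC:9'."""
    body = struct.pack("<H", 1) + _sel_to_bytes(group_data)
    body += struct.pack("<H", len(pairwise)) + b"".join(map(_sel_to_bytes, pairwise))
    body += struct.pack("<H", len(akm)) + b"".join(map(_sel_to_bytes, akm))
    body += struct.pack("<H", caps)
    if group_mgmt:  # a PMKID count (here 0) must precede the group management cipher
        body += struct.pack("<H", 0) + _sel_to_bytes(group_mgmt)
    return bytes([48, len(body)]) + body

def parse_rsn_ie(ie):
    """Decode an RSN element into its selectors and the PMF-required flag."""
    if ie[0] != 48:
        raise ValueError("not an RSN element")
    body, off, rsn = ie[2:2 + ie[1]], 2, {}  # offset 2 skips the version field
    rsn["group_data"], off = _bytes_to_sel(body, off)
    for name in ("pairwise", "akm"):
        count = struct.unpack_from("<H", body, off)[0]; off += 2
        rsn[name] = []
        for _ in range(count):
            sel, off = _bytes_to_sel(body, off)
            rsn[name].append(sel)
    caps = struct.unpack_from("<H", body, off)[0]; off += 2
    rsn["mfp_required"] = bool(caps & MFPR)
    rsn["group_mgmt"] = None
    if off + 2 <= len(body):  # optional PMKID list precedes the group management cipher
        off += 2 + 16 * struct.unpack_from("<H", body, off)[0]
        if off + 4 <= len(body):
            rsn["group_mgmt"], off = _bytes_to_sel(body, off)
    return rsn

def wpa3_enterprise_mismatches(rsn):
    """Return the selectors that deviate from the four WPA3 Enterprise values."""
    bad = [k for k in ("akm", "pairwise") if WPA3_ENT[k] not in rsn[k]]
    return bad + [k for k in ("group_data", "group_mgmt") if rsn[k] != WPA3_ENT[k]]
```

A constructed WPA2-Enterprise element (AKM 00-0F-AC:1, CCMP-128 ciphers, no group management cipher) fails on all four selectors, which is the association failure the text describes.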
WPA3 Enterprise Operating Modes
HPE Aruba Networking Central supports three WPA3 Enterprise operating modes, namely WPA3-Enterprise(CCM 128), WPA3-Enterprise(CNSA), and WPA3-Enterprise(GCM 256). By default, the WLAN SSID operates in the WPA3 Enterprise(CCM 128) mode with transition mode enabled.
The WPA3 Enterprise operating modes depend on the driver version of the client chipset. It is recommended to implement one of the following WPA3 Enterprise operating modes based on the client chipset:
- WPA3-Enterprise(CCM 128)—This mode utilizes an AKM Suite Selector of 00-0F-AC:12 and CCM-128 ciphers for unicast and group communications. Starting from AOS 8.11.00, WPA3-Enterprise(CCM 128) supports transition mode. When you disable the transition mode, the AKM Suite Selector changes from 00-0F-AC:1 to 00-0F-AC:5, which prevents WPA2-Enterprise clients from connecting to the WLAN SSID. It is recommended to implement WPA3-Enterprise(CCM 128) mode with transition mode disabled for deployments running AOS 8.11.0.0 version and WPA3-Enterprise(CCM 128) mode with transition mode enabled for the widest range of client support.
- WPA3-Enterprise(GCM 256)—This mode utilizes an AKM Suite Selector of 00-0F-AC:5 and GCM-256 ciphers for unicast and group communications. The WPA3-Enterprise(GCM 256) mode does not support transition mode. It is recommended to implement WPA3-Enterprise(GCM 256) mode only if the client chipset supports GCM-256 ciphers; otherwise, client authentication will fail.
- WPA3-Enterprise(CNSA)—This mode utilizes an AKM Suite Selector of 00-0F-AC:5 and GCM-256 ciphers with the additional security functions of a 192-bit security mode that limits EAP methods to only strong SuiteB EAP-TLS methods. It is recommended to implement WPA3-Enterprise(CNSA) mode if the client or RADIUS server supports SuiteB EAP-TLS certificates.
With transition mode enabled, the WPA3-Enterprise(CCM 128) option allows clients using either WPA3 with PMF or WPA2 without PMF to connect to Virtual APs. This option can be used in the 2.4 GHz, 5 GHz, or 6 GHz radio bands. When used in the 6 GHz radio band, PMF is mandatory and transition mode is automatically overruled and disabled. With transition mode disabled, only WPA3 certified clients using PMF can connect to Virtual APs.
Configuring WPA3 for Wireless Network
To configure WPA3 for enterprise security, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under , click > .
A list of APs is displayed in the view.
- Click the icon.
The tabs to configure the APs are displayed.
- Click the tab.
The WLANs detail page is displayed.
- Click to create a new SSID. To modify an existing SSID, select a wireless SSID from the table, and then click the edit icon.
- Click the tab.
- Select from the .
The authentication options applicable to the enterprise network are displayed.
- Select one of the following from the drop-down list:
  - —Select this option to use WPA3 security employing CNSA encryption operation mode.
  - —Select this option to use WPA3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
  - —Select this option to use WPA3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
- Click .
Configuring WPA3 for Personal Security
To configure WPA3 for personal security, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under , click > .
A list of APs is displayed in the view.
- Click the icon.
The tabs to configure the APs are displayed.
- Click the tab.
The WLANs detail page is displayed.
- Click to create a new SSID. To modify an existing SSID, select a wireless SSID from the table, and then click the edit icon.
- Click the tab.
- Select from the .
The authentication options applicable to the Personal network are displayed.
- Select from the drop-down list.
- Click .