Configuring WPA-3 Encryption

Aruba Central supports WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.-3 encryption for security profiles in SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. creation for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 firmware version and above. The WPA-3 security provides robust protection with unique encryption per user session thereby ensuring a highly secured connection even on a public Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspot Hotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet.. WPA-3 Enterprise is built upon WPA-2 and utilizes 192-bit security while still using the 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. standard to provide a secure wireless network for enterprise use. This provides a superior encryption method to better protect any kind of data. The security suite is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) suite and is commonly placed in high-security Wi-Fi networks.

The following are the WPA-3 encryptions based on the Enterprise, Personal, or Open network types:

• WPA-3 Enterprise when the security level is Enterprise.
• WPA-3 Personal when the security level is Personal.
• Enhanced Open when the security level is Open.

WPA-3 Encryption Supported AP Modes and Clients

The following table provide information on the supported WPA-3 encryption modes and the supported clients.

Table 1: WPA-3 Encryption Supported AP Modes and Clients

WPA-3 Protocol		Android	iOS	iPadOS	macOS	Intel	Windows
WPA-3 Personal		Supported	Supported	Supported	Supported	Supported	Supported
WPA-3 Enterprise	WPA-3 Enterprise(CCM 128)	Supported	Supported	Supported	Supported	Supported	Supported
	WPA-3 Enterprise(GCM 256)	Not Supported	Not Supported	Not Supported	Not Supported	Not Supported	Not Supported
	WPA-3 Enterprise(CNSA)	Not Supported	Supported	Supported	Supported for 802.11ax devices	Supported	Supported
Enhanced Open		Supported	Supported	Supported	Supported	Supported	Supported

WPA-3 Enterprise

WPA-3 Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards includes:

• Deriving at least 384-bit PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. /MSK using Suite B compatible EAP-TLS EAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216..
• Securing pairwise data between STA and authenticator using AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256.
• Securing group addressed data between STA and authenticator using AES-GCM-256.
• Securing group addressed management frames using BIP-GMAC-256.

WPA-3 Enterprise advertises or negotiates the following capabilities in beacons, probes response, or 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. association:

• AKM Suite Selector as 00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:12
• Pairwise Cipher Suite Selector as 00-0F-AC:9
• Group data cipher suite selector as 00-0F-AC:9
• Group management cipher suite (MFP) selector as 00-0F-AC:12

If WPA-3 Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.

WPA-3 Enterprise Operating Modes

Aruba Central supports three WPA-3 Enterprise operating modes, namely WPA-3 Enterprise(CCM 128), WPA-3 Enterprise(CNSA), and WPA-3 Enterprise(GCM 256). By default, the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID operates in the WPA-3 Enterprise(CCM 128) mode with transition mode enabled.

The WPA-3 Enterprise operating modes are dependent on the driver version of the client chipset. It is recommended to implement one of the following WPA-3 Enterprise operating modes based on the client chipset:

• WPA-3 Enterprise(CCM 128)—This mode utilizes an AKM Suite Selector of 00-0F-AC:12 and CCM-128 ciphers for unicast and group communications. Starting form ArubaOS 8.11.00, WPA-3 Enterprise(CCM 128) supports transition mode. When you disable the transition mode, the AKM Suite Selector changes from 00-0F-AC:1 to 00-0F-AC:5 that prevents WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-Enterprise clients from connecting to the WLAN SSID. It is recommended to implement WPA-3 Enterprise(CCM 128) mode with transition mode disabled for deployments running ArubaOS 8.11.0.0 version and WPA-3 Enterprise(CCM 128) mode with transition mode enabled for the widest range of client support.
• WPA-3 Enterprise(GCM 256)—This mode utilizes an AKM Suite Selector of 00-0F-AC:5 and GCM-256 ciphers for unicast and group communications. The WPA-3 Enterprise(GCM 256) mode does not support transition mode. It is recommended to implement WPA-3 Enterprise(GCM 256) mode if the client chipset supports GCM-256 ciphers or the client authentication will fail.
• WPA-3 Enterprise(CNSA)—This mode utilizes an AKM Suite Selector of 00-0F-AC:5 and GCM-256 ciphers with additional security functions of a 192-bit security mode that limits EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  methods to only strong SuiteB EAP-TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. methods. It is recommended to implement WPA-3 Enterprise(CNSA) mode if the client or radius server supports SuiteB EAP-TLS certificates.

Configuring WPA-3 for Wireless Network

To configure WPA-3 for enterprise security, complete the following steps:

1. In the Aruba Central app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click WLANs tab.

   The WLANs detail page is displayed.

5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
6. Click the Security tab.
7. Select Enterprise from the Security Level.

   The authentication options applicable to the enterprise network are displayed.

8. Select one of the following from the Key Management drop-down list:
   • WPA-3 Enterprise(CNSA)—Select this option to use WPA-3 security employing CNSA encryption operation mode.
   • WPA-3 Enterprise(CCM 128)—Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
   • WPA-3 Enterprise(GCM 256)—Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
9. Click Save Settings.

Configuring WPA-3 for Personal Security

To configure WPA-3 for personal security, complete the following steps:

1. In the Aruba Central app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click WLANs tab.

   The WLANs detail page is displayed.

5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level.

   The authentication options applicable to the Personal network are displayed.

8. Select WPA-3 Personal from the Key Management drop-down list.
9. Click Save Settings.