Discover details around WPA3 and Enhanced Open security modes, details of the ciphers, key management, and features behind them, and best practices for implementation.
In an increasingly interconnected world, secure and reliable Wi-Fi communication is a must-have. Across home offices to industrial environments to enterprise networks, Wi-Fi has become a crucial part ofmobile connectivity. As the reliance on Wi-Fi networks has grown, so has the security to protect and ensure privacy for sensitive data.
Enhanced Open and Wi-Fi Protected Access version 3 (WPA3) are the current advancements in Wi-Fi security standards from the Wi-Fi Alliance (WFA), designed to address weaknesses of their predecessors WPA2 and Open networks. The security modes sections aim to provide insights into Enhanced Open and WPA3 networks with HPE Aruba Networking deployments, exploring key components, practical implications, and best practices. Deployment considerations and compatibility aspects will be discussed.
Authentication and Key Management (AKM)
The security solutions used in Wi-Fi networks are defined by the IEEE
802.11 standards and Wi-Fi Alliance. Each security protocol has a specific authentication and key management (AKM) suite type (number).
The standard defines AKM suite selectors with a format of OUI:N where N represents the suite type. The standards based AKMs are denoted by an OUI of 00-0F-AC. For example, the suite selector for WPA3-Personal (wpa3-sae-aes) is 00-0F-AC:8. The corresponding pages refer to 00-0F-AC:N as AKM:N.
The Wi-Fi Alliance (WFA) defines security certifications by AKM, cipher suites, and Protected Management Frame (PMF) combinations. The following is used to indicate the different authentication types defined in the standard and their corresponding Wi-Fi Alliance certification program label:
WFA Mode
IEEE AKM
Description
WPA2-Enterprise
AKM:1
IEEE 802.1X with SHA-1
WPA2-Personal
AKM:2
Pre-Shared Key (PSK)
WPA3-Enterprise
AKM:5
IEEE 802.1X with SHA-256
WPA3-Personal
AKM:8
Simultaneous Authentication of Equals (SAE)
WPA3-Enterprise 192-bit
AKM:12
IEEE 802.1X with SHA-384 using CNSA Suite compliant ciphers and EAP method
Enhanced Open
AKM:18
Opportunistic Wireless Encryption (OWE)
WPA3-Personal
AKM:24
Simultaneous Authentication of Equals (SAE) with a variable hash algorithm depending on Diffie-Hellman (DH) group (SHA-256, SHA-384, or SHA-512)
Wi-Fi Alliance Programs
This section details the specifications defined by the Wi-Fi Alliance security certifications. A following section will map them to the security modes implemented by HPE Aruba Networking in AOS.
Enhanced Open
The Wi-Fi Alliance Enhanced Open specification defines the following:
Enhanced Open based on Opportunistic Wireless Encryption (OWE) defined
in RFC 8110 (AKM:18)
WPA3
The Wi-Fi Alliance WPA3 specification defines the following:
WPA3-Personal (AKM:8, Wi-Fi 7 uses AKM:24)
WPA3-Personal Transition (AKM:2 + AKM:8)
WPA3-Enterprise Only (AKM:5)
WPA3-Enterprise Transition Mode (AKM:1 + AKM:5)
WPA3-Enterprise 192-bit mode (AKM:12)
Corresponding AOS Security Modes
Wi-Fi Alliance Mode
AOS Key Management
AOS Security Mode (opmode)
Enhanced Open
Enhanced Open
enhanced-open
WPA3-Personal
WPA3-Personal
wpa3-sae-aes
WPA3-Enterprise
WPA3-Enterprise (CCM 128)
wpa3-aes-ccm-128
Not defined by WFA
WPA3-Enterprise (GCM 256)
wpa3-aes-gcm-256
WPA3-Enterprise 192-bit
WPA3-Enterprise (CNSA)
wpa3-cnsa
6 GHz Operation
Wi-Fi 6E is Wi-Fi 6 ‘extended’ to include the 6 GHz band. Extending operation into the 6 GHz band was an opportunity to leave behind some of the legacy requirements which exist for operation in the 2.4 GHz and 5 GHz bands.
The Wi-Fi Alliance (WFA) made the decision to require WPA3 or Enhanced Open as the minimum security modes allowed in the 6 GHz band.
The following legacy security modes not allowed in 6 GHz operation include:
WPA2-Enterprise or the corresponding transition mode*
WPA2-Personal or the corresponding transition mode*
Open, WPA version 1, TKIP, or WEP
Note
When transition mode configuration is enabled on WPA3-Personal (wpa3-sae-aes) or WPA3-Enterprise CCM 128 (wpa3-aes-ccm-128), transition mode is effective only for 2.4 GHz or 5 GHz operation. Transition mode configuration is automatically overriden and disabled for 6 GHz operation.
Terminology
The following terminology is used throughout the various security mode sections. For additional information, refer to sources mentioned below.
AKM – Authentication and Key Management
BSS – Basic Service Set
CNSA – Commercial National Security Algorithm
DH – Diffie-Hellman
Enhanced Open – Wi-Fi Alliance certification based on OWE protocol
FT - Fast (BSS) Transition for improving handoff between APs
IEEE – Institute of Electrical and Electronics Engineers
OWE – Opportunistic Wireless Encryption
MFP – Management Frame Protection (see PMF)
MFPC – Management Frame Protection Capable
MFPR – Management Frame Protection Required
PMF – Protected Management Frame (see MFP)
PMK – Pairwise Master Key
RSNE – Robust Security Network Element
SAE – Simultaneous Authentication of Equals protocol used by WPA3-Personal
WFA – Wi-Fi Alliance
Wi-Fi 6 – Based on IEEE 802.11ax (HE)
Wi-Fi 6E – Wi-Fi 6 extended to include the 6 GHz band
Wi-Fi 7 – Based on IEEE 802.11be (EHT)
WPA2 – Wi-Fi Protected Access version 2
WPA3 – Wi-Fi Protected Access version 3
Sources and References
IEEE 802.11-2016
IEEE 802.11-2020
RFC 5759 – Suite B Certificate and Certificate Revocation List (CRL) Profile
RFC 6460 – Suite B Profile
for Transport Layer Security (TLS)
wpa3-sae-aes with AKM:24 is not yet supported in AOS.
wpa2-aes is not typically deployed with PMF due to lack of support by WPA2 clients.
wpa2-aes with PMF configuration set as required removes AKM:1 (802.1X with SHA-1) and adds AKM:5 (802.1X with SHA-256) which is effectively WPA3 only. Please review caveats on the WPA3-Enterprise page.
Transition mode for WPA3-Enterprise CCM 128 is supported starting in AOS 8.11 and 10.5. Transition mode has no effect on operation in AOS 8.10 and 10.4.
WPA3-Enterprise CCM 128 with transition mode enabled adds AKM:5 (802.1X with SHA-256) in the 2.4 GHz and 5 GHz bands starting in AOS 8.11 and 10.5. When transition mode is disabled, AKM:1 (802.1X with SHA-1) is not advertised.
There is no compatible FT AKM for CNSA.
See the following subpages to learn more:
1 - WPA3-Enterprise
802.1X with CCM 128, GCM 256, and CNSA security levels.
HPE Aruba Networking offers three different modes of operation for WPA3-Enterprise: CCM 128, GCM 256, and CNSA.
CCM 128 offers the widest compatibility, including WPA2-certified clients when deployed in transition mode.
GCM 256 restricts to WPA3-certified clients that support GCMP-256 ciphers.
CNSA (192-bit) constrains the available options used with WPA3-Enterprise with the intent to raise the bar of attack sophistication making CNSA suitable for some of the highest levels of data protection.
WPA3-Enterprise CCM 128
WPA3-Enterprise CCM 128 meets the requirements for two modes of operation for WPA3-Enterprise as specified by the Wi-Fi Alliance.
“WPA3-Enterprise transition mode” which advertises key management for both WPA2-Enterprise and WPA3-Enterprise clients and sets PMF to optional (when operating in the 2.4 GHz and 5 GHz bands).
“WPA3-Enterprise only mode” which advertises key management for only WPA3-Enterprise configured clients and requires PMF (across all bands of operation). This is the behavior when transition mode configuration is explicitly disabled.
WPA3-Enterprise CCM 128 in transition mode (default behavior) advertises or negotiates the following capabilities in beacons, probe response, or association in the 2.4 GHz and 5 GHz bands of operation:
AKM suite selectors include 00-0F-AC:1 (802.1X with SHA-1) and 00-0F-AC:5 (802.1X with SHA-256).
Protected Management Frames are capable and automatically set as optional (MFPR=0 and MFPC=1).
This mode supports both WPA2-Enterprise only clients to connect with WPA2 (AKM:1) and WPA3-Enterprise capable clients to connect with WPA3 (AKM:5).
WPA3-Enterprise CCM 128 with transition mode disabled (WPA3-Enterprise only mode) advertises or negotiates the following capabilities in beacons, probe response, or association in the 2.4 GHz and 5 GHz bands of operation:
AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
Protected Management Frames are required and automatically set as mandatory (MFPR=1 and MFPC=1).
This mode only supports WPA3-Enterprise capable client connection with WPA3 (AKM:5).
When operating in the 6 GHz band, WPA3-Enterprise CCM 128 is automatically set as “WPA3-Enterprise only mode”, and advertises or negotiates the following capabilities in beacons, probe response, or association:
AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
Protected Management Frames are required and automatically set as mandatory (MFPR=1 and MFPC=1).
This mode only supports WPA3-Enterprise capable client connection with WPA3 (AKM:5).
WPA3-Enterprise CCM 128 advertises or negotiates the following ciphers in all modes of operation in beacons, probe response, or association:
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Note
Key management and Protected Management Frames configuration for WPA3-Enterprise CCM 128 varies depending on band of operation and AOS version deployed.
Transition mode is supported starting in AOS 8.11 and 10.5 enabling the client to choose between 802.1X with SHA-1 or 802.1X with SHA-256.
Note that AOS 8.10 and 10.4 behavior is different where WPA3-Enterprise clients will always negotiate connectivity using WPA2 in 2.4 and 5 GHz operation.
AOS 8.11+ and 10.5+
The behavior for WPA3 Enterprise CCM 128 in AOS 8.11 and 10.5 or later is as follows:
Support for transition mode is introduced for WPA3-Enterprise CCM 128.
When transition mode is enabled (default), the behavior is as follows:
2.4 GHz and 5 GHz operation:
Both 00-0F-AC:1 (802.1X with SHA-1) and 00-0F-AC:5 (802.1X with SHA-256) are advertised in the RSNE.
Capable clients can negotiate using WPA2 or WPA3. Client picks which.
PMF is optional (MFPR=0 and MFPC=1).
6 GHz operation:
00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
PMF is required (MFPR=1 and MFPC=1).
WPA3-Enterprise Transition Mode (CCM 128) RSNE example
When transition mode is disabled, the behavior for WPA3-Enterprise CCM
128 is as follows:
2.4 GHz and 5 GHz operation:
00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
WPA2-Enterprise only clients will not connect. Transition mode disabled forces WPA3 connections.
PMF is required (MFPR=1 and MFPC=1).
6 GHz operation:
00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
PMF is required (MFPR=1 and MFPC=1).
WPA3-Enterprise Only (CCM 128) RSNE example
AOS 8.10 and 10.4
The behavior for WPA3 Enterprise CCM 128 in AOS 8.10 and 10.4 is as follows:
Transition mode configuration has no effect on operation.
2.4 GHz and 5 GHz operation:
00-0F-AC:1 (802.1X with SHA-1) is advertised in the RSNE.
PMF is optional (MFPR=0 and MFPC=1).
Note
00-0F-AC:5 (802.1X with SHA-256) is not advertised with CCM 128 in AOS 8.10 or 10.4. This means WPA3 capable clients will negotiate connectivity as WPA2 because only AKM:1 is advertised by the AP.
6 GHz operation:
00-0F-AC:5 (802.1X with SHA-256) is advertised in the RSNE.
PMF is required (MFPR=1 and MFPC=1).
Workaround
If there is a requirement to restrict connectivity to “WPA3-Enterprise Only Mode” while using CCMP-128 ciphers on AOS 8.10 or 10.4 deployments, consider the following workaround and caveats:
The WPA2-Enterpise security mode (wpa2-aes) with PMF configured as mandatory (MFPR=1 and MFPC=1) effectively uses WPA3-Enterprise (AKM:5) for key management instead of WPA2-Enterprise (AKM:1).
Use cases for this workaround:
“WPA3-Enterprise Only Mode” with no support for legacy WPA2-Enterprise clients.
AOS 8.10 or 10.4 deployments.
2.4 GHz or 5 GHz operation.
To deploy this workaround two configurations are required.
Security mode set as WPA2-Enterprise (wpa2-aes)
PMF set as mandatory (MFPR=1 and MFPC=1)
Instant 8 configuration for MFP via CLI (mfp-capable and mfp-required parameters), Central template group, or Central REST
API.
AOS 8 configuration for MFP via WebUI, CLI, or local REST API.
AOS 10 configuration for MFP via Central REST API.
Caveats:
This workaround does not support 6 GHz operation.
AOS 8 forwarding mode caveats:
PMF operation for Wi-Fi 5 APs requires use of decrypt-tunnel forwarding mode.
PMF operation in tunnel forwarding mode is supported starting with Wi-Fi 6 APs.
When this workaround is deployed and a capable deployment is being upgraded to an 8.11 release, upgrade to at least 8.11.2.1 or later due to a multicast encryption mismatch bug (AOS-243060) present in earlier 8.11 releases.
Example AOS 8.10 configuration for WPA3 only key management in 2.4 GHz or 5 GHz bands using wpa2-aes + mfp-capable + mfp-required:
WPA3 only CCM 128 workaround example beacon frame.
When this workaround is configured and supported, the following capabilities are advertised or negotiated in beacons, probe response, or association in the 2.4 GHz or 5 GHz bands:
AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
When this workaround is configured and not supported, such as by Wi-Fi 5 APs in tunnel mode on AOS 8, the following capabilities are advertised or negotiated in beacons, probe response, or association in the 2.4 GHz or 5 GHz bands:
AKM suite selector as 00-0F-AC:1 (802.1X with SHA-1).
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Protected Management Frames are disabled (MFPR=0 and MFPC=0).
After some period of workaround implementation and a new deployment requirement arises for 6 GHz operation, for example when 6 GHz capable hardware is added, consider the following software upgrade and configuration migration order to maintain consistency in advertised key management:
First
AOS 8: Upgrade to 8.11.2.1 or later.
AOS 10: Upgrade to 10.5 or later.
Second
Change the security mode from WPA2-Enterprise (wpa2-aes) to
WPA3-Enterprise CCM 128 (wpa3-aes-ccm-128).
Disable transition mode to disable support for WPA2 clients using
AKM:1. This is neccessay because transition mode configuration for WPA3-Enterprise CCM 128 is supported starting in 8.11 and 10.5 and is enabled by default advertising both AKM:1 and AKM:5.
Third
AOS 8: Configure “Allow 6GHz band” on respective VAP.
AOS 10: Enable 6 GHz band in respective WLAN configuration.
Best Practices
WPA3-Enterprise is suitable for use cases where WPA2-Enterprise was used prior because of Protected Management Frames and when AKM:5 (SHA-256) is negotiated the key length is increased. It is encouraged to disable weak EAP methods such as PEAP-MSCHAPv2, CHAPv1, PAP, etc., and consider using a stronger EAP method such as EAP-TLS.
Consider disabling transition mode to limit attack vectors. When PMF is disabled or not used by a client, attackers can spoof management frames from an AP to attack an associated client through Denial of Service (DoS) or attacker-in-the-middle techniques.
Consider deploying WPA3-Enterprise and WPA2-Enterprise on different
individual VAPs.
WPA3-Enterprise GCM 256
Introduced in AOS 8.5, WPA3-Enterprise with 256 bits enables
GCMP-256 cipher suites without requiring CNSA compatible EAP. This mode
is also referred to as WPA3-Enterprise Non-CNSA.
The following is advertised and negotiated in beacons, probe response,
and association:
AKM suite selector as 00-0F-AC:5 (802.1X with SHA-256).
Pairwise cipher suite selector as 00-0F-AC:9 (GCMP-256).
Group data cipher suite selector as 00-0F-AC:9 (GCMP-256).
Group management cipher suite selector as 00-0F-AC:12 (BIP-GMAC-256).
Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
WPA3-Enterprise GCM 256 RSNE example
Note
Client support for GCMP-256 is not widespread and will likely remain fragmented until widespread adoption of Wi-Fi 7 by client devices. Wi-Fi 7 requires use of GCMP-256.
Best Practices
This security mode is suitable for use-cases where WPA2-Enterprise was
used prior because of Protected Management Frames and stronger ciphers
than CCM 128.
Use this security mode if the client population is under
administrative control and knowledge of client support for GCMP-256 with AKM:5 is known.
Weak EAP methods such as PEAP-MSCHAPv2, CHAPv1, PAP, etc., should be
disabled and client connections moved to using a stronger EAP method
such as EAP-TLS.
The client population must support the defined security parameters as transition mode is not allowed for WPA3-Enterprise GCM
256.
WPA3-Enterprise CNSA (192-bit)
WPA3-Enterprise CNSA (192-bit) enforces CNSA Suite security standards
for enterprise Wi-Fi networks.
The following is advertised and negotiated in beacons, probe response,
and association:
AKM suite selector as 00-0F-AC:12 (802.1X with SHA-384).
Pairwise cipher suite selector as 00-0F-AC:9 (GCMP-256).
Group data cipher suite selector as 00-0F-AC:9 (GCMP-256).
Group management cipher suite selector as 00-0F-AC:12 (BIP-GMAC-256).
Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
WPA3-Enterprise CNSA (192-bit) RSNE example
Other notes of importance:
Requires a CNSA Suite compatible EAP-TLS cipher suite (RFC 6460):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 using p384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 using p384 and RSA > 3k bits
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 using RSA > 3k bits
TLS v1.2 or later is required.
Key length must be greater than 3072 bits. The signing keys have the same key length requirements.
Certificate chain validation is mandatory.
EAP termination is not supported. EAP termination is when EAP tunnel
termination is moved upstream from the RADIUS server to the controller
or AP. WPA3-Enterprise 192-bit (CNSA) expects that a RADIUS server is
used, and policy is enforced by the RADIUS server. This means CNSA
Suite compatible 802.1X happens between client and RADIUS server based
on the authenticator indicating which AKM is negotiated between client
and AP.
WPA3-Enterprise CNSA (192-bit) is supported by HPE Aruba Networking ClearPass (CPPM)
starting in version 6.8 and supports the following RADIUS attributes
from RFC 7268:
WLAN-Reason-Code (185)
WLAN-Pairwise-Cipher (186)
WLAN-Group-Cipher (187)
WLAN-AKM-Suite (188)
WLAN-Group-Mgmt-Cipher (189)
Best Practices
This security mode is suitable for use-cases where WPA2-Enterprise was
used prior because of Protected Management Frames, increased key length,
stronger ciphers, and requirement of CNSA Suite compatible EAP-TLS
methods.
This is primarily focused on customers such as government, finance, and other industries who require a high level of security.
The client population must support the defined security parameters as transition mode is not allowed for WPA3-Enterprise CNSA (192-bit).
2 - WPA3-Personal
Improving the security of password secured Wi-Fi networks.
Offline dictionary attacks against WPA2-Personal have been widely known for well over two decades. They were discovered shortly after the inception of WPA2-Personal. Certain venues offer free Wi-Fi networks using a shared and public password. Some incorrectly believe Wi-Fi traffic is secure when WPA2-Personal is used. With PSK, the password directly derives a master key and knowledge of the password enables decryption, replay, and forgery of data frames.
sequenceDiagram
Note over Client,AP: Discovery
Note over Client,AP: Open System Authentication
Note over AP,Client: Association
Note right of Client:PMK generation:<br>PMK=PBKDF2(HMAC-SHA-1,<br>Password,SSID,4096,256)
Note over AP,Client: 4-way handshake
Protocol
Originally introduced for mesh security in IEEE 802.11-2016, the Simultaneous Authentication of Equals (SAE) protocol replaces the Pre-Shared Key (PSK) implementation found in WPA2-Personal with a password-based authentication method resistant to dictionary attacks.
Users will find a similar experience with SAE and PSK as they are both password provisioned. However, there are major implementation differences in the security protocol.
For those venues who intend to offer better data protection for their users, SAE offers a more secure password-based option than a shared and public PSK. This is because the master key (PMK) resulting from SAE is not solely based on the password.
With SAE, the password is used in a zero-knowledge proof cryptographic function to derive a unique pairwise master key (PMK) per client. The password is used to index a secret point on an elliptic curve. The point on the curve becomes the generator for use in a cryptographic exchange.
sequenceDiagram
Note over Client,AP: Discovery
Client->>+AP:PWE = f(password)<br>m,n ← random<br>N = -n * PWE<br>SAE Authentication Commit
AP->>+Client:PWE = f(password)<br>i,j ← random<br>J = -j * PWE<br>SAE Authentication Commit
Client->>+AP:SAE Authentication Confirm<br>S = m * ((i+j) * J)<br>PMK = KDF(S, label)
AP->>+Client:SAE Authentication Confirm<br>S = i * ((m+n) * N)<br>PMK = KDF(S, label)
Note over AP,Client: Association
Note over AP,Client: 4-way handshake
This means the password or password-derived data is never sent over the air. Unlike with WPA2-Personal (PSK), knowledge of the password cannot decrypt SAE encrypted data frames. The PMK is needed to decrypt SAE encrypted data frames and the only parties that know the PMK are the client and AP which performed SAE. This means the SAE protocol is resistant to active, passive, and dictionary attacks.
WPA3-Personal Only Mode
WPA3-Personal advertises or negotiates the following capabilities in beacons, probe response, or association:
AKM suite selector as 00-0F-AC:8 (SAE).
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
WPA3-Personal (SAE) illustration of operations
Note
When SAE with AKM:24 is negotiated, Hash-to-Element (H2E) is enforced. With AKM:24, the hash algorithm is based on the Diffie-Hellman (DH) group used with SAE. For example, a prime with a length of 384 (p384) will use SHA-384 instead of SHA-256.
GCMP-256 for cipher suites and BIP-GMAC-256 for group management may be advertised along with AKM:24.
Wi-Fi 7 connections must use AKM:24 for WPA3-Personal.
WPA3-Personal Transition Mode
WPA3-Personal may be deployed in transition mode that allows both SAE clients and PSK clients to connect to the same Basic Service Set (BSS), which is a mixed mode of operation. The beacon or probe response contains an AKM list in the RSNE which will contain both PSK (AKM:2) and SAE (AKM:8).
This means the password is shared between WPA2-Personal and WPA3-Personal. The WPA2-Personal network is still vulnerable to all the classic issues. If an attacker gains knowledge of the password by attacking WPA2-Personal, they will get access to the network, but will not be able to decrypt WPA3-Personal sessions. Downgrade attacks from WPA3-Personal to WPA2-Personal are also possible.
Due to the same BSS servicing both WPA2-Personal (PSK) and WPA3-Personal (SAE) clients, Protected Management Frames are optional (MFPR=0 and MFPC=1) for WPA3-Personal Transition networks.
WPA3-Personal in Transition Mode advertises or negotiates the following capabilities in beacons, probe response, or association:
AKM suite selectors include 00-0F-AC:2 (PSK) and 00-0F-AC:8 (SAE).
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Protected Management Frames are optional (MFPR=1 and MFPC=0).
WPA3-Personal Transition Mode RSNE example
Note
A drawback of WPA3-Personal in transition mode includes downgrade attacks where attackers target PSK rather than SAE to gain network access or force clients that support SAE into connecting to a rogue PSK network.
Consider disabling transition mode to limit attack vectors. Consider deploying WPA3-Personal and WPA2-Personal on different individual VAPs and logically separated and isolated network segments, and if you do so make sure to use different credentials on the WPA3-Personal and WPA2-Personal networks.
Hash-to-element (also referred to as hash-to-curve or direct hashing) is a cryptographic method for generation of the password element (PWE) which replaces the weaker and original hunting-and-pecking (also referred to as looping) method for SAE. With hash-to-element, WPA3-Personal is further resistant to side-channel attacks and timing attacks.
SAE H2E capability can be found in beacon and probe response frames in the extended RSN capabilities field of the RSN eXtension element (RSNXE).
RSNXE example
Status code 126 found in the authentication frame from the client indicates which method is used.
SAE authentication frame example
PWE derivation behavior starting in AOS 8.10 and 10.4:
Operation in the 2.4 GHz and 5 GHz bands:
Hash-to-element (H2E) is preferred but allows hunting-and-pecking if the client does not support H2E.
Operation in the 6 GHz band:
Enforces use of H2E and does not allow hunting-and-pecking.
Support for hash-to-element (H2E) is mandatory for WPA3 certified devices.
For use-cases where WPA2-Personal was used before, WPA3-Personal is a suitable replacement to provide better security, even when a non-complex password is used. WPA3-Personal provides stronger data encryption and protection than WPA2-Personal.
WPA3-Personal is also suitable for use-cases where WPA2-Personal is no longer allowed such as with 6 GHz operation and Wi-Fi 7 connectivity.
Note
Support for multiple password solutions are currently limited to WPA2-Personal.
3 - Enhanced Open
Securing Open networks with automated encryption and PMF.
Wi-Fi networks with Open security transport and pass data in the clear offering no encryption or protection from passive eavesdroppers.
Enhanced Open provides unauthenticated data encryption and protects data from sniffers.
Protocol
Open security is one of the original IEEE 802.11 access methods for connecting clients to APs. Open uses an authentication architecture called Open System Authentication (OSA). OSA offers no encryption. When utilized independently, OSA permits WLAN access to any client.
sequenceDiagram
Note over Client,AP: Discovery
Note over Client,AP: Open System Authentication
Note over Client,AP: Association
Enhanced Open adds automatic encryption without requiring credentials. Enabling private communication between client and AP. Encryption is provided by Opportunistic Wireless Encryption (OWE) defined in RFC 8110. With OWE, the client and AP performs an unauthenticated Diffie-Hellman key exchange which results in a unique pairwise secret key (PMK). The resulting key is used in a 4-way handshake post association to generate the traffic encryption keys.
sequenceDiagram
Note over Client,AP: Discovery
Note over Client,AP: Open System Authentication
Client->>+AP:Association request with<br>Diffie-Hellman parameter<br>X (public key)
Note left of AP:PMK generation:<br>y←random<br>Y=y*g<br>S=y*X<br>PMK=KDF(S,label)
AP->>+Client:Association response with<br>Diffie-Hellman parameter<br>Y (public key)
Note right of Client:PMK generation:<br>x←random<br>X=x*g<br>S=x*Y<br>PMK=KDF(S,label)
Note over AP,Client: 4-way handshake
The resulting benefit is a Wi-Fi network more secure than a shared and public PSK (WPA2-Personal) because OWE is not susceptible to a passive attack which results in an attacker being able to eavesdrop, forge, and replay frames on the network. Enhanced Open is also easier to deploy because there is nothing to provision. There is no password.
Enhanced Open Only Mode
Enhanced Open advertises or negotiates the following capabilities in beacons, probe response, or association:
AKM suite selector as 00-0F-AC:18 (OWE).
Pairwise cipher suite selector as 00-0F-AC:4 (CCMP-128), 00-0F-AC:8
(GCMP-128),00-0F-AC:9 (GCMP-256), or00-0F-AC:1 (CCMP-256) could be negotiated.
Group data cipher suite selector as 00-0F-AC:4 (CCMP-128).
Group management cipher suite selector as 00-0F-AC:6 (BIP-CMAC-128).
Protected Management Frames are mandatory (MFPR=1 and MFPC=1).
Enhanced Open (OWE) RSNE example
Enhanced Open Transition Mode
Enhanced Open Transition Mode (OWETM) offers a backwards compatible transition from unencrypted Open Wi-Fi networks. OWETM provides the ability for non-OWE clients (Open) and OWE capable clients to connect to the same Wi-Fi network.
This is accomplished by creating and broadcasting two Basic Service Sets (BSSes) with separate beacons for each. Both BSSes point at the other through the OWE Transition Mode Vendor IE.
BSS-1 for Open for non-OWE clients with the IE to indicate BSS-2.
BSS-2 for “hidden” OWE with a zero length SSID (hidden) and the IE to
indicate BSS-1.
Enhanced Open (OWE) Transition Mode RSNE example
Note
What is that _owetm_ and 446f0799?
Enhanced Open in Transition Mode produces two BSSes.
The “Open” BSS which uses the SSID as configured.
The OWE BSS which uses a unique auto-generated SSID.
Here is the makeup of the autogenerated SSID:
_owetm_ is the prefix
wpa3technote_owe is the SSID (or up to 16 characters of it in this case as the actual SSID in this example is wpa3technote_owe_compat)
446f0799 is a cyclic redundancy check (CRC)
The beacon and probe response frames of the Open BSS includes an OWE Transition Mode IE to encapsulate the BSSID and SSID of the OWE BSS.
The Open BSS and associated clients do not benefit from Protected
Management Frames or data encryption.
The beacon and probe response frames from the OWE BSS include an OWE Transition Mode IE to encapsulate the BSSID and SSID of the Open BSS.
The beacon frame from the OWE BSS will be zero length and includes the OWE Authentication and Key Management (AKM) selector (00-0F-AC) of AKM:18 in the RSNE.
PMF is required (MFPR=1 and MFPC=1) for the OWE BSS.
The OWE client benefits from both encryption and PMF.
The OWE client discovers the OWE AP by using active or passive scanning.
Note
A drawback of Enhanced Open in transition mode is one additional BSS is advertised for every OWE BSS which needs to be accounted for.
Another drawback is the unencrypted Open BSS.
MAC authentication
When using Enhanced Open and authorizing connecting devices using a MAC authentication method, note that the client association will be rejected if the MAC authentication returns a REJECT message on the authentication attempt. This is a change in behavior when compared against an Open network where the client device would stay associated and be left assigned in the logon user role. The MAC authentication service used by an Enhanced Open network will need to always allow the authentication attempt and return the appropriate user role for the session to continue, whether that be a user role that enforces a captive portal, allows full access to the network, or otherwise configured.
Best Practices
Enhanced Open is suitable for use-cases such as captive portals, coffee shops, cafés, schools, enterprises, public venues like airports, stadiums, etc., anywhere that encryption is needed but identity and authentication is not.
4 - Troubleshooting
Useful CLI commands for security mode verification.
AOS 8
(MD) # show ap association
(MD) # show ap bss-table
(MD) # show ap essid
(MD) # show ap owe-tm-info
(MD) # show auth-tracebuf mac <client-mac>
(MD) # show dot1x supplicant-info <client-mac> <bssid>
(MD) # show dot1x supplicant-info pmkid
(MD) # show log security
(MD) # show wlan ssid-profile <profile-name>
AOS 10
(AP) # show ap association
(AP) # show ap bss-table
(AP) # show ap debug client-table
(AP) # show ap debug mgmt-frames mac <client-mac>
(AP) # show clients debug advanced
(AP) # show log security
(AP) # show network
(AP) # show network <profile-name>
