Wireless Access

Hello,

We want to test various WPA3 opmodes, including wpa3-aes-ccm-128. My devices connect fine when I change our test SSID to this (using PEAP/MSCHAPv2) but they show the SSID as being WPA/WPA2 not WPA3 when I look at the network details. I was using an AP-314 and now an AP-635. Is there a way to check on the controllers what opmode ArubaOS thinks my clients are using?

I have Opmode transition disabled so I was assuming the clients would have to use WPA3 or not be able to connect? (I'm not sure which of them I would expect to support WPA3, my laptop is definitely old enough that it might be borderline, but my MacBook and Pixel are pretty recent).

Thank you,

Guy

show dot1x supplicant-info list-all

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Jun 21, 2022 06:18 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Hello,

We want to test various WPA3 opmodes, including wpa3-aes-ccm-128. My devices connect fine when I change our test SSID to this (using PEAP/MSCHAPv2) but they show the SSID as being WPA/WPA2 not WPA3 when I look at the network details. I was using an AP-314 and now an AP-635. Is there a way to check on the controllers what opmode ArubaOS thinks my clients are using?

I have Opmode transition disabled so I was assuming the clients would have to use WPA3 or not be able to connect? (I'm not sure which of them I would expect to support WPA3, my laptop is definitely old enough that it might be borderline, but my MacBook and Pixel are pretty recent).

Thank you,

Guy

Great thanks Colin, so I get:

(UWS-MC-A1-DEV) #show dot1x supplicant-info list-all

802.1x User Information
-----------------------
MAC Name Auth AP-MAC Enc-Key/Type Auth-Mode EAP-Type Remote
------------ -------- ---- ------ ------------------- ----------- --------- ------
f8:0f:f9:dd:1a:d9 xxx@xxx.xx.xx Yes 94:64:24:92:6c:f1 * * * * * * * */WPA3-AES-GCMP-256-NON-CNSA Explict Mode EAP-PEAP No

So that looks good to me. I wonder why the devices don't report that, anyway it's reassuring that it does look like they are using WPA3, must be something missing/incorrect in the packet exchange I suppose.
Original Message:
Sent: Jun 21, 2022 07:33 AM
From: Colin Joseph
Subject: Configuring WPA3-Enterprise

show dot1x supplicant-info list-all

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 21, 2022 06:18 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Hello,

We want to test various WPA3 opmodes, including wpa3-aes-ccm-128. My devices connect fine when I change our test SSID to this (using PEAP/MSCHAPv2) but they show the SSID as being WPA/WPA2 not WPA3 when I look at the network details. I was using an AP-314 and now an AP-635. Is there a way to check on the controllers what opmode ArubaOS thinks my clients are using?

I have Opmode transition disabled so I was assuming the clients would have to use WPA3 or not be able to connect? (I'm not sure which of them I would expect to support WPA3, my laptop is definitely old enough that it might be borderline, but my MacBook and Pixel are pretty recent).

Thank you,

Guy

Which device(s) and how are they reporting it?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Jun 21, 2022 07:45 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Great thanks Colin, so I get:

(UWS-MC-A1-DEV) #show dot1x supplicant-info list-all

802.1x User Information
-----------------------
MAC Name Auth AP-MAC Enc-Key/Type Auth-Mode EAP-Type Remote
------------ -------- ---- ------ ------------------- ----------- --------- ------
f8:0f:f9:dd:1a:d9 xxx@xxx.xx.xx Yes 94:64:24:92:6c:f1 * * * * * * * */WPA3-AES-GCMP-256-NON-CNSA Explict Mode EAP-PEAP No

So that looks good to me. I wonder why the devices don't report that, anyway it's reassuring that it does look like they are using WPA3, must be something missing/incorrect in the packet exchange I suppose.
Original Message:
Sent: Jun 21, 2022 07:33 AM
From: Colin Joseph
Subject: Configuring WPA3-Enterprise

show dot1x supplicant-info list-all

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 21, 2022 06:18 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Hello,

We want to test various WPA3 opmodes, including wpa3-aes-ccm-128. My devices connect fine when I change our test SSID to this (using PEAP/MSCHAPv2) but they show the SSID as being WPA/WPA2 not WPA3 when I look at the network details. I was using an AP-314 and now an AP-635. Is there a way to check on the controllers what opmode ArubaOS thinks my clients are using?

I have Opmode transition disabled so I was assuming the clients would have to use WPA3 or not be able to connect? (I'm not sure which of them I would expect to support WPA3, my laptop is definitely old enough that it might be borderline, but my MacBook and Pixel are pretty recent).

Thank you,

Guy

Morning,

I'm just looking at the network properties for our testing SSID on each device.
I have an Android 12 phone (Pixel 4a) which seems to get it nearly right, or at least hedges its bets ("WPA/WPA2/WPA3 Enterprise")
Also an old Win 10 laptop which doesn't (just lists it as WPA2-Enterprise)
MacBook 2021 Monterey which lists it as "WPA2 Enterprise"

If I change the opmode from wpa3-aes-ccm-128 to wpa3-aes-gcm-256 then only the Pixel can actually connect - but it does then show it correctly as being "WPA3 Enterprise". The other devices can't tell me any info at all.





Original Message:
Sent: Jun 21, 2022 07:50 AM
From: Colin Joseph
Subject: Configuring WPA3-Enterprise

Which device(s) and how are they reporting it?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 21, 2022 07:45 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Great thanks Colin, so I get:

(UWS-MC-A1-DEV) #show dot1x supplicant-info list-all

802.1x User Information
-----------------------
MAC Name Auth AP-MAC Enc-Key/Type Auth-Mode EAP-Type Remote
------------ -------- ---- ------ ------------------- ----------- --------- ------
f8:0f:f9:dd:1a:d9 xxx@xxx.xx.xx Yes 94:64:24:92:6c:f1 * * * * * * * */WPA3-AES-GCMP-256-NON-CNSA Explict Mode EAP-PEAP No

So that looks good to me. I wonder why the devices don't report that, anyway it's reassuring that it does look like they are using WPA3, must be something missing/incorrect in the packet exchange I suppose.
Original Message:
Sent: Jun 21, 2022 07:33 AM
From: Colin Joseph
Subject: Configuring WPA3-Enterprise

show dot1x supplicant-info list-all

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 21, 2022 06:18 AM
From: Guy Goodrick
Subject: Configuring WPA3-Enterprise

Hello,

We want to test various WPA3 opmodes, including wpa3-aes-ccm-128. My devices connect fine when I change our test SSID to this (using PEAP/MSCHAPv2) but they show the SSID as being WPA/WPA2 not WPA3 when I look at the network details. I was using an AP-314 and now an AP-635. Is there a way to check on the controllers what opmode ArubaOS thinks my clients are using?

I have Opmode transition disabled so I was assuming the clients would have to use WPA3 or not be able to connect? (I'm not sure which of them I would expect to support WPA3, my laptop is definitely old enough that it might be borderline, but my MacBook and Pixel are pretty recent).

Thank you,

Guy