I'm testing use of WPA3-Enterprise using the following equipment, and although everything seems to work, my WPA3 clients can't ping each other or other devices on the same LAN, and have no internet access. Strangely enough, they can ping the default gateway. Devices on the WPA2-Enterprise equivalent have no problem, even though both are using the same configs and client VLAN.
iPhone running 16.1.1
macOS running 12.6.1
ArubaOS 126.96.36.199 MM (VM) and 7210 MC running in FIPS mode
Sufficient licenses installed on controller.
L2 blocking disabled (deny inter-user-traffic); drop broadcast and multicast is enabled, and convert broadcast ARP request to unicast is enabled on all SSIDs
ClearPass 6.10.7 onboarding certificates for edge clients to authenticate using EAP-TLS (also performed by ClearPass)
The setup supports:
1) Open guest wifi SSID using ClearPass captive portal
2) WPA2-Enterprise network with clients using EAP-TLS
3) WPA2-PSK network with ClearPass authenticating/authorising clients and using device fingerprinting to allow connectivity
4) WPA2-PSK network just using a shared key (legacy)
The WPAx networks (2) and (3) also use Downloadable User Roles to grant an "Allow All" ACL and specify the numeric destination VLAN, and hence the address space to place devices in.
DHCP is performed by an ISC DHCP server on a different subnet. UDP helpers forward DHCP requests to both the DHCP server and ClearPass.
AP group of 303H APs supporting all the above SSIDs
AP group with one 503H AP, used to test wired auth connectivity but also for WPA3 testing
AP group with two 335 APs, just to test WPA3 connectivity
Two additional SSIDs were created with the same names/authentication as (2) and (3), but with "WPA3" text appended to the SSID names:
5) WPA3-Enterprise network (CNSA suite enabled)
6) ClearPass captive portal with Enhanced Open
(5) uses the same client VLAN as (2); (6) uses the same VLAN as (3).
So, for example, an iPhone connected to (2) obtains an IP address in the address space 192.168.230.x. The same iPhone connected to (5) with random MAC address generation obtains a different IP address in the same 192.168.230.x address range.
A MacBook Air cannot do MAC address randomisation, so it has the same IP address when connected to either (2) or (5).
With DHCP requests, WPA2 seems to see just one request; it responds and the client obtains an IP address. With WPA3 I see multiple DHCP Discover/Offer entries in the server's dhcp log until eventually the client obtains an IP address.
Anything connected to (1) to (4) just works. Profiles are downloaded, you can see them assigned to the client, and each client has the network access it's supposed to have.
When connecting to (5), however, although the client obtains an IP address and can ping the default gateway (192.168.230.1, the same as (2) since it's the same VLAN), it can't ping anything else. Two devices connected to (5) cannot ping each other, or devices connected to (2) which are on the same network.
ClearPass authenticates every device and downloads the role.
The controller can see every device, which role is applied and what its IP address is.
Looking at Traffic Analysis / Sessions, I can see traffic to/from remote IP addresses for the WPA3 clients along with everything else; just the MacBook thinks that it's not connected or seeing any traffic.
Flip the Air over to SSID (2) … everything is OK.
At a loss as to what is going on.
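To put numbers on the "multiple DHCP Discover/Offer entries" symptom above, here is an added Python triage script (not from the original post) that reads ISC dhcpd syslog lines, counts Discover/Offer/ACK per client MAC, and flags locally-administered (randomised) addresses so WPA3 clients with private MACs can be told apart from the MacBook. The log lines, client MACs and the relay/server addresses (192.168.230.1 as the VLAN gateway relay, 192.168.230.10 as the DHCP server) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed ISC dhcpd syslog sample (not real data): one client that needs three
# Discover/Offer rounds before it ACKs, and one that completes in a single round.
SAMPLE_LOG = """\
Nov 20 10:01:02 dhcp1 dhcpd[812]: DHCPDISCOVER from 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:02 dhcp1 dhcpd[812]: DHCPOFFER on 192.168.230.51 to 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:05 dhcp1 dhcpd[812]: DHCPDISCOVER from 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:05 dhcp1 dhcpd[812]: DHCPOFFER on 192.168.230.51 to 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:09 dhcp1 dhcpd[812]: DHCPDISCOVER from 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:09 dhcp1 dhcpd[812]: DHCPOFFER on 192.168.230.51 to 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:09 dhcp1 dhcpd[812]: DHCPREQUEST for 192.168.230.51 (192.168.230.10) from 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:01:09 dhcp1 dhcpd[812]: DHCPACK on 192.168.230.51 to 02:aa:bb:cc:dd:01 via 192.168.230.1
Nov 20 10:02:00 dhcp1 dhcpd[812]: DHCPDISCOVER from 3c:22:fb:00:00:02 via 192.168.230.1
Nov 20 10:02:00 dhcp1 dhcpd[812]: DHCPOFFER on 192.168.230.60 to 3c:22:fb:00:00:02 via 192.168.230.1
Nov 20 10:02:00 dhcp1 dhcpd[812]: DHCPREQUEST for 192.168.230.60 (192.168.230.10) from 3c:22:fb:00:00:02 via 192.168.230.1
Nov 20 10:02:00 dhcp1 dhcpd[812]: DHCPACK on 192.168.230.60 to 3c:22:fb:00:00:02 via 192.168.230.1
"""

DISCOVER_RE = re.compile(r"DHCPDISCOVER from ([0-9a-f:]{17})")
OFFER_RE = re.compile(r"DHCPOFFER on (\S+) to ([0-9a-f:]{17})")
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")

def is_locally_administered(mac):
    """Randomised (private) MACs set the U/L bit (0x02) in the first octet."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarize_dhcp_log(text):
    """Per-MAC counts of Discover/Offer/ACK plus the last ACKed IP address."""
    stats = defaultdict(lambda: {"discover": 0, "offer": 0, "ack": 0, "ip": None})
    for line in text.splitlines():
        if m := DISCOVER_RE.search(line):
            stats[m.group(1)]["discover"] += 1
        elif m := OFFER_RE.search(line):
            stats[m.group(2)]["offer"] += 1
        elif m := ACK_RE.search(line):
            stats[m.group(2)]["ack"] += 1
            stats[m.group(2)]["ip"] = m.group(1)
    for mac, s in stats.items():
        s["randomized_mac"] = is_locally_administered(mac)
    return dict(stats)

def retrying_clients(stats, min_discovers=2):
    """MACs that sent more than one Discover before (or without) getting an ACK."""
    return sorted(mac for mac, s in stats.items() if s["discover"] >= min_discovers)
```

Run it over the real dhcpd log (`journalctl -u isc-dhcp-server` or /var/log/syslog) and compare the retry counts for the WPA3 SSID's clients against the WPA2 ones on the same VLAN.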