Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

MFP for WPA2 clients on a WPA3 SSID

This thread has been viewed 25 times
  • 1.  MFP for WPA2 clients on a WPA3 SSID

    Posted Mar 07, 2023 06:39 AM

    We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

    Error: MFP settings are not user configurable for WPA3 opmodes

    Enable Management Frame Protection (for WPA2 opmodes)   Disabled

    Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities. 



  • 2.  RE: MFP for WPA2 clients on a WPA3 SSID

    EMPLOYEE
    Posted Mar 07, 2023 10:15 PM

    Hi there,

    The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

    Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.



    ------------------------------
    Josh
    ------------------------------



  • 3.  RE: MFP for WPA2 clients on a WPA3 SSID

    Posted Mar 08, 2023 05:06 AM

    The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

    -Understood. As MFP is a prerequisite to using WPA3 this must just be happening 'in the background' for clients connecting to our WPA3 SSID. However, the clients which then fall back to using WPA2 (if connecting to our WPA3 in transition SSID) would they use MFP (if capable) when connecting to a .ax AP-5xx? ie without the additional settings enabled? In an Aruba doc there's "Only 11ax-capable APs will support MFP in tunnel mode with WPA2-AES". 

    Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

    -We're currently using wpa3-aes-ccm-128 in transition mode now and we're running 8.10.0.5. This seems to be working well and I can see WPA2 clients connecting to the SSID in the dot1x supplicant list. Is it documented somewhere about transition mode not being available for wpa3-aes-ccm-128 until 8.11? 




  • 4.  RE: MFP for WPA2 clients on a WPA3 SSID

    EMPLOYEE
    Posted Mar 08, 2023 08:32 AM

    Yes. WPA2 clients capable of MFP can use MFP on 802.11ax APs with wpa3-aes-ccm-128. In 2.4 / 5 GHz, the MFP bits will be MFPR=0/MFPC=1. 

    The release notes for 8.11 indicate support for transition mode. The option allows one to decide whether legacy WPA2 clients should be able to connect. Disabling transition mode removes AKM:1 from the RSNIE. 



    ------------------------------
    Josh
    ------------------------------



  • 5.  RE: MFP for WPA2 clients on a WPA3 SSID

    Posted Mar 08, 2023 09:40 AM

    Thanks for the responses. 

    Yes. WPA2 clients capable of MFP can use MFP on 802.11ax APs with wpa3-aes-ccm-128. In 2.4 / 5 GHz, the MFP bits will be MFPR=0/MFPC=1.

    -Is there a useful command to run to see the MFP statistics? 




  • 6.  RE: MFP for WPA2 clients on a WPA3 SSID

    EMPLOYEE
    Posted Mar 08, 2023 10:31 AM

    You should see some PMF stats at the bottom of the output for-

    show ap debug radio-stats ap-name <ap_name> radio 2 advanced 

    Example-

    show ap debug radio-stats ap-name ap635_bd14 radio 2 advanced  | include PMF
    PMF:Action Encryption Requests   49153
    PMF:Deauth Encryption Requests   5
    PMF:Action Decryption Requests   36376
    PMF:Deauth Decryption Requests   34
    PMF: Encrypted Action Frames     49147
    PMF: Encrypted Deauth            2
    PMF: Decrypted Action frames     36353
    PMF: Decrypted Deauth            34



    ------------------------------
    Josh
    ------------------------------