Wireless Access

We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

Error: MFP settings are not user configurable for WPA3 opmodes

Enable Management Frame Protection (for WPA2 opmodes)   Disabled

Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities. 

Hi there,

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

------------------------------
Josh

Original Message:
Sent: Mar 07, 2023 06:38 AM
From: AdamNewsonCU
Subject: MFP for WPA2 clients on a WPA3 SSID

We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

Error: MFP settings are not user configurable for WPA3 opmodes

Enable Management Frame Protection (for WPA2 opmodes)   Disabled

Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities. 

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

-Understood. As MFP is a prerequisite to using WPA3 this must just be happening 'in the background' for clients connecting to our WPA3 SSID. However, the clients which then fall back to using WPA2 (if connecting to our WPA3 in transition SSID) would they use MFP (if capable) when connecting to a .ax AP-5xx? ie without the additional settings enabled? In an Aruba doc there's "Only 11ax-capable APs will support MFP in tunnel mode with WPA2-AES". 

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

-We're currently using wpa3-aes-ccm-128 in transition mode now and we're running 8.10.0.5. This seems to be working well and I can see WPA2 clients connecting to the SSID in the dot1x supplicant list. Is it documented somewhere about transition mode not being available for wpa3-aes-ccm-128 until 8.11? 

Hi there,

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

------------------------------
Josh

Original Message:
Sent: Mar 07, 2023 06:38 AM
From: AdamNewsonCU
Subject: MFP for WPA2 clients on a WPA3 SSID

We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

Error: MFP settings are not user configurable for WPA3 opmodes

Enable Management Frame Protection (for WPA2 opmodes)   Disabled

Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities. 

Yes. WPA2 clients capable of MFP can use MFP on 802.11ax APs with wpa3-aes-ccm-128. In 2.4 / 5 GHz, the MFP bits will be MFPR=0/MFPC=1. 

The release notes for 8.11 indicate support for transition mode. The option allows one to decide whether legacy WPA2 clients should be able to connect. Disabling transition mode removes AKM:1 from the RSNIE. 

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

-Understood. As MFP is a prerequisite to using WPA3 this must just be happening 'in the background' for clients connecting to our WPA3 SSID. However, the clients which then fall back to using WPA2 (if connecting to our WPA3 in transition SSID) would they use MFP (if capable) when connecting to a .ax AP-5xx? ie without the additional settings enabled? In an Aruba doc there's "Only 11ax-capable APs will support MFP in tunnel mode with WPA2-AES". 

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

-We're currently using wpa3-aes-ccm-128 in transition mode now and we're running 8.10.0.5. This seems to be working well and I can see WPA2 clients connecting to the SSID in the dot1x supplicant list. Is it documented somewhere about transition mode not being available for wpa3-aes-ccm-128 until 8.11? 

Hi there,

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

------------------------------
Josh

Original Message:
Sent: Mar 07, 2023 06:38 AM
From: AdamNewsonCU
Subject: MFP for WPA2 clients on a WPA3 SSID

We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

Error: MFP settings are not user configurable for WPA3 opmodes

Enable Management Frame Protection (for WPA2 opmodes)   Disabled

Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities. 

Thanks for the responses. 

Yes. WPA2 clients capable of MFP can use MFP on 802.11ax APs with wpa3-aes-ccm-128. In 2.4 / 5 GHz, the MFP bits will be MFPR=0/MFPC=1.

-Is there a useful command to run to see the MFP statistics? 

Original Message:
Sent: Mar 08, 2023 08:31 AM
From: JS90
Subject: MFP for WPA2 clients on a WPA3 SSID

Yes. WPA2 clients capable of MFP can use MFP on 802.11ax APs with wpa3-aes-ccm-128. In 2.4 / 5 GHz, the MFP bits will be MFPR=0/MFPC=1. 

The release notes for 8.11 indicate support for transition mode. The option allows one to decide whether legacy WPA2 clients should be able to connect. Disabling transition mode removes AKM:1 from the RSNIE. 

------------------------------
Josh

Original Message:
Sent: Mar 08, 2023 05:05 AM
From: AdamNewsonCU
Subject: MFP for WPA2 clients on a WPA3 SSID

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

-Understood. As MFP is a prerequisite to using WPA3 this must just be happening 'in the background' for clients connecting to our WPA3 SSID. However, the clients which then fall back to using WPA2 (if connecting to our WPA3 in transition SSID) would they use MFP (if capable) when connecting to a .ax AP-5xx? ie without the additional settings enabled? In an Aruba doc there's "Only 11ax-capable APs will support MFP in tunnel mode with WPA2-AES". 

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

-We're currently using wpa3-aes-ccm-128 in transition mode now and we're running 8.10.0.5. This seems to be working well and I can see WPA2 clients connecting to the SSID in the dot1x supplicant list. Is it documented somewhere about transition mode not being available for wpa3-aes-ccm-128 until 8.11? 

Original Message:
Sent: Mar 07, 2023 10:15 PM
From: Josh Schmelzle
Subject: MFP for WPA2 clients on a WPA3 SSID

Hi there,

The MFPR/MFPC bits are not user configurable on WPA3 opmodes.

Which version of AOS are you running? wpa3-aes-ccm-128 does support transition mode starting in AOS 8.11.

------------------------------
Josh

Original Message:
Sent: Mar 07, 2023 06:38 AM
From: AdamNewsonCU
Subject: MFP for WPA2 clients on a WPA3 SSID

We have an SSID which is configured to use opmode wpa3-aes-ccm-128 with transition mode enabled. However, the following two features in the SSID profile cannot be enabled as the opmode is WPA3 and can only be configured for WPA2 opmode SSIDs. Does this mean that WPA2 clients which are also capable of using MFA cannot utilise MFA at all on a WPA3 SSJD? 

Error: MFP settings are not user configurable for WPA3 opmodes

Enable Management Frame Protection (for WPA2 opmodes)   Disabled

Require Management Frame Protection (for WPA2 opmodes)  Disabled - I wouldn't enable this feature anyway as this could potentially cause issues for clients connecting using WPA2 without MFA capabilities.