Wireless Access

  • 1.  Missed logins with 802.1x SSID and WPA3 AES CCM 128,

    Posted Oct 06, 2023 10:51 AM
    We've had some suspicious missed logins with 802.1x SSID and WPA3 AES CCM 128.
    Changing "back" to WPA2 AES might look a bit better... maybe.

    Anyone else?


    ------------------------------
    Steinar
    ------------------------------


  • 2.  RE: Missed logins with 802.1x SSID and WPA3 AES CCM 128,

    Posted Oct 06, 2023 11:38 AM

    In general WPA3 Enterprise AES-128-CCM works fine, where clients that can do WPA3 and those that can't can still fall back to WPA2 Enterprise. Some clients may not understand/like parts of WPA3, like that PMF/MFP is enabled mandatory. I'd try to pin down which clients have issues and update drivers or do some more analysis before downgrading security for your full network.

    Or don't I understand your issue?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Missed logins with 802.1x SSID and WPA3 AES CCM 128,

    Posted Oct 06, 2023 11:48 AM
    Edited by Steinar Grande Oct 06, 2023 11:52 AM

    Hi, thanks for the reply.
    This is highly volatile; it is extremely difficult to investigate thousands of student PCs/Macs for any misbehaving driver.

    This is a long shot, and it also varies between 5GHz SSIDs and 6GHz, which makes it wild guesswork :(

    And yes, you understand correctly.

    Disabling PMF/MFP is only an option on 5GHz, if I remember correctly..?

    (mandatory on 6GHz?)

    ------------------------------
    Steinar
    ------------------------------



  • 4.  RE: Missed logins with 802.1x SSID and WPA3 AES CCM 128,

    Posted Oct 09, 2023 04:57 AM

    Yes, protected management frames are mandatory on 6GHz because these are mandatory for WPA3 which is mandatory on WiFi-6E.

    Even with thousands of users, with uncontrolled devices, it may be good to find one or a few and do further investigations on those because it may help to develop more generic guidance for the wider user population. If you don't want to invest time in there, and moving back to WPA2 (except for 6GHz) resolves your issue, that's an option as well, but at some point in time you probably have to, and yes or no (most of) the issues have resolved automatically by then.

    Aruba Support should be able to assist you in the troubleshooting, but they would need some more detailed and reproducible data on client issues.



    ------------------------------
    Herman Robers
    ------------------------------
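
One way to follow the advice above to pin down which clients have issues, as an added example that is not part of the thread: decode the RSN element from a client's association request (taken from a packet capture) and check whether it advertises PMF capability. The function names are hypothetical and the sample bytes are constructed, not captured from any real client.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"
MFPR, MFPC = 0x0040, 0x0080  # RSN capability bits: PMF required / PMF capable
AKM = {1: "802.1X", 3: "FT-802.1X", 5: "802.1X-SHA256"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}

def _suites(buf, off, names):
    """Read a 2-byte count, then that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    out = []
    for _ in range(count):
        sel = buf[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        out.append(names.get(sel[3], f"type-{sel[3]}") if sel[:3] == RSN_OUI else "vendor")
        off += 4
    return out, off

def parse_rsne(ie: bytes) -> dict:
    """Decode the RSN element (ID 48) from a client's association request."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    try:
        off = 6  # skip version (2 bytes) and group cipher suite (4 bytes)
        pairwise, off = _suites(body, off, CIPHER)
        akms, off = _suites(body, off, AKM)
        (caps,) = struct.unpack_from("<H", body, off)
    except struct.error:
        raise ValueError("truncated RSN element") from None
    return {"pairwise": pairwise, "akm": akms,
            "pmf_capable": bool(caps & MFPC), "pmf_required": bool(caps & MFPR)}

def can_join_pmf_required(ie: bytes) -> bool:
    """True if the client advertises MFPC, so a PMF-mandatory SSID will accept it."""
    return parse_rsne(ie)["pmf_capable"]

# Constructed samples, not captured from any real client.
LEGACY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
WPA3 = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac05" "c000")

if __name__ == "__main__":
    for name, ie in (("legacy", LEGACY), ("wpa3", WPA3)):
        print(name, parse_rsne(ie), "joins PMF-required SSID:", can_join_pmf_required(ie))
```

Grouping the affected clients by this result separates devices that cannot do PMF at all from those that advertise it and still fail, which points toward a driver problem.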