Configure RADIUS server: Set up a RADIUS server, such as Aruba ClearPass or another compatible RADIUS server. Configure user accounts, authentication policies, and certificate management on the RADIUS server. MyBalanceNow
Certificate infrastructure: Deploy a Public Key Infrastructure (PKI) to issue digital certificates for secure authentication. This includes generating and managing certificate authorities (CAs), server certificates, and client certificates.
Configure APs: Configure the Aruba APs to enable WPA3-Enterprise mode and specify the RADIUS server details for authentication. This involves setting up the appropriate SSID profiles, security settings, and EAP methods on the APs.
Configure network devices: Ensure that the network switches and controllers are properly configured to support WPA3-Enterprise. This includes configuring the appropriate VLANs, security policies, and access control lists (ACLs) to enable secure network access.
Test and troubleshoot: Test the WPA3-Enterprise implementation thoroughly to verify proper functionality. Troubleshoot any issues that may arise, such as certificate validation problems, authentication failures, or compatibility issues with client devices.
Original Message:
Sent: May 15, 2023 04:06 PM
From: Youmedina10
Subject: Question about WPA3-Enterprise implementation on Aruba APs: Recommended operation mode?
Good afternoon All,
I've been running some tests on our production network regarding the idea of migrating our corporate wireless from WPA2-Enterprise to WPA3-Enterprise. We have several AP535s in our production environment, managed by one of them acting as the Virtual Controller, and we are using Windows NPS with EAP-TLS for Radius authentication.
When trying to complete this process, I noticed that Aruba offers three different operation modes for implementing WPA3-Enterprise:

Since I had no information on the difference between these operation modes, I did some online research and found the information below:
WPA3-Enterprise (CCM 128) - Transition mode, that allows WPA2-only capable clients to connect.
WPA3-Enterprise (GCM 256) - Only WPA3. Does not support WPA2 clients.
WPA3-Enterprise (CNSA) - 192-bit mode. WPA3 only and enforces specific EAP certificate ciphers.
I created a test SSID and tested the three operation modes, and these are the results:
CCM 128 - I am able to connect, but even WPA3-capable devices always negotiate WPA2-Enterprise as the type of security.
GCM 256 - I tested with several devices that support WPA3, but I am unable to connect at all.
CNSA - I was able to connect, and the tested laptops show "WPA3-Enterprise" as the security mode.
My doubts are as follow:
- I understand CCM 128 supports backward compatibility with WPA2 devices, but why does it also force devices that supports WPA3-Enterprise to use WPA2-Enterprise instead?
-Not sure if the reason that the tested laptops reject "GCM 256" is simply because they don't support this type of operation mode or if I am missing some specific configuration on my NPS server. Whenever the authentication is completed by server-client certificates, it fails and ends up asking me for credentials that don't exist, as they are not supposed to be used by this type of authentication (EAP-TLS).
-CNSA provides "WPA3-Enterprise" as the type of security to the tested laptops. However, I'm not sure if this operation mode would support WPA2-only capable devices.
I have the impression that the connection problem and even the downgrading experience when using CCM 128 could have been related to the fact that the laptops only support CNSA:

Below is the full encryption type as listed by the Aruba Virtual Controller:
CCM 128
GCM 256
CNSA

What would be the recommended operation mode to use? Also, would the first option work at all by allowing both WPA3 and WPA2-capable devices to connect based on their compatibility? Or am I misunderstand the way this operation mode actually works?
Sorry if I my question got too long. I wanted to make sure I provided all the acquired information, and I asked the right questions that will guide me towards the best implementation of WPA3-Enterprise on Aruba APs.
Thanks in advance for your time.