Question about WPA3-Enterprise implementation on Aruba APs: Recommended operation mode?

  • 1.  Question about WPA3-Enterprise implementation on Aruba APs: Recommended operation mode?

    Posted 18 days ago

    Good afternoon All,

    I've been running some tests on our production network regarding the idea of migrating our corporate wireless from WPA2-Enterprise to WPA3-Enterprise. We have several AP535s in our production environment, managed by one of them acting as the Virtual Controller, and we are using Windows NPS with EAP-TLS for Radius authentication. 

    When trying to complete this process, I noticed that Aruba offers three different operation modes for implementing WPA3-Enterprise:

    Since I had no information on the difference between these operation modes, I did some online research and found the information below:
    WPA3-Enterprise (CCM 128) - Transition mode, that allows WPA2-only capable clients to connect.
    WPA3-Enterprise (GCM 256) - Only WPA3. Does not support WPA2 clients.
    WPA3-Enterprise (CNSA) - 192-bit mode. WPA3 only and enforces specific EAP certificate ciphers. 

    I created a test SSID and tested the three operation modes, and these are the results:
    CCM 128 - I am able to connect, but even WPA3-capable devices always negotiate WPA2-Enterprise as the type of security.
    GCM 256 - I tested with several devices that support WPA3, but I am unable to connect at all.
    CNSA - I was able to connect, and the tested laptops show "WPA3-Enterprise" as the security mode. 

    My doubts are as follows:
    - I understand CCM 128 supports backward compatibility with WPA2 devices, but why does it also force devices that support WPA3-Enterprise to use WPA2-Enterprise instead?
    - Not sure if the reason that the tested laptops reject "GCM 256" is simply because they don't support this type of operation mode or if I am missing some specific configuration on my NPS server. Whenever the authentication is completed by server-client certificates, it fails and ends up asking me for credentials that don't exist, as they are not supposed to be used by this type of authentication (EAP-TLS).
    - CNSA provides "WPA3-Enterprise" as the type of security to the tested laptops. However, I'm not sure if this operation mode would support WPA2-only capable devices.

    I have the impression that the connection problem and even the downgrading experience when using CCM 128 could have been related to the fact that the laptops only support CNSA:

    Below is the full encryption type as listed by the Aruba Virtual Controller:
    CCM 128
    GCM 256
    CNSA

    What would be the recommended operation mode to use? Also, would the first option work at all by allowing both WPA3 and WPA2-capable devices to connect based on their compatibility? Or am I misunderstanding the way this operation mode actually works?

    Sorry if my question got too long. I wanted to make sure I provided all the acquired information, and I asked the right questions that will guide me towards the best implementation of WPA3-Enterprise on Aruba APs.

    Thanks in advance for your time.



  • 2.  RE: Question about WPA3-Enterprise implementation on Aruba APs: Recommended operation mode?

    Posted 14 days ago

    Good morning. Here is a good reference for WPA3 from the Wi-Fi Alliance.

    https://www.wi-fi.org/discover-wi-fi/security

    From my testing, when using WPA3-AES-CCM-128 without Transition Mode enabled (will not allow fallback to WPA2), Windows does connect, and it also shows as connected via WPA2. However, if you look at the Controller, the client is indeed using WPA3.

    I am not certain any clients (maybe Linux) support the GCM-256 encryption method. None of the clients I tested worked.



    ------------------------------
    Philip Wightman, ACEX #69
    Aruba Partner Ambassador
    ------------------------------
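
What an SSID advertises can be checked independently of the client UI by decoding the RSN element (tag 48) from one of its beacons in a packet capture. The following is an added example, not code from any post in this thread or from Aruba: it parses an RSN element body and classifies it with a simplified reading of the Wi-Fi Alliance WPA3-Enterprise mode definitions. The sample bytes are constructed, and how the CCM 128 / GCM 256 / CNSA labels map onto these AKM suites is an assumption to confirm against your own AP's beacons.

```python
OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 3: "FT-802.1X", 5: "802.1X-SHA256", 12: "802.1X-SuiteB-192"}

def _name(sel, table):
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    return table.get(sel[3], f"type-{sel[3]}") if sel[:3] == OUI else sel.hex()

def _suite_list(body, off, table):
    """Read a little-endian 2-byte count, then that many 4-byte selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    count = int.from_bytes(body[off:off + 2], "little")
    off += 2
    sels = [body[off + 4 * i: off + 4 * i + 4] for i in range(count)]
    return [_name(s, table) for s in sels], off + 4 * count

def parse_rsn(body):
    """Decode an RSN element body (the bytes after element ID 48 and length)."""
    if len(body) < 6 or body[:2] != b"\x01\x00":
        raise ValueError("not an RSN version 1 element")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    if off + 2 > len(body):
        raise ValueError("missing RSN capabilities")
    caps = int.from_bytes(body[off:off + 2], "little")
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm,
            "mfpr": bool(caps & 0x40), "mfpc": bool(caps & 0x80)}  # PMF required/capable

def classify(rsn):
    """Simplified mapping of AKM suites and PMF bits to a WPA3-Enterprise mode."""
    akm = set(rsn["akm"])
    if akm == {"802.1X-SuiteB-192"} and rsn["pairwise"] == ["GCMP-256"] and rsn["mfpr"]:
        return "WPA3-Enterprise 192-bit"
    if "802.1X-SHA256" in akm and "802.1X" not in akm and rsn["mfpr"]:
        return "WPA3-Enterprise only"
    if {"802.1X", "802.1X-SHA256"} <= akm and rsn["mfpc"]:
        return "WPA3-Enterprise transition"
    return "WPA2-Enterprise or other"

# Constructed sample RSN element bodies (hex), not captures from this thread.
SAMPLES = {
    "suite-b": "0100000fac090100000fac090100000fac0cc0000000000fac0c",
    "mixed": "0100000fac040100000fac040200000fac01000fac058000",
    "legacy": "0100000fac040100000fac040100000fac010000",
}
for label, hx in SAMPLES.items():
    print(label, classify(parse_rsn(bytes.fromhex(hx))))
```

Comparing the decoded AKM and PMF bits from the beacon with the AKM the client selects in its association request shows whether a "WPA2" label in the client UI reflects an actual downgrade.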



  • 3.  RE: Question about WPA3-Enterprise implementation on Aruba APs: Recommended operation mode?

    Posted 4 days ago

    Configure RADIUS server: Set up a RADIUS server, such as Aruba ClearPass or another compatible RADIUS server. Configure user accounts, authentication policies, and certificate management on the RADIUS server.

    Certificate infrastructure: Deploy a Public Key Infrastructure (PKI) to issue digital certificates for secure authentication. This includes generating and managing certificate authorities (CAs), server certificates, and client certificates.

    Configure APs: Configure the Aruba APs to enable WPA3-Enterprise mode and specify the RADIUS server details for authentication. This involves setting up the appropriate SSID profiles, security settings, and EAP methods on the APs.

    Configure network devices: Ensure that the network switches and controllers are properly configured to support WPA3-Enterprise. This includes configuring the appropriate VLANs, security policies, and access control lists (ACLs) to enable secure network access.

    Test and troubleshoot: Test the WPA3-Enterprise implementation thoroughly to verify proper functionality. Troubleshoot any issues that may arise, such as certificate validation problems, authentication failures, or compatibility issues with client devices.