Wireless Access

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

WPA3 with transition mode enabled should be providing the backwards compatibility for the WPA2 devices.  The transition mode setting is ignored when that virtual-ap is applied to a 6 GHz radio.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Aug 08, 2024 03:37 PM
From: bluesky
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

Take some caution when using WPA3/WPA2 Transition Mode SSIDs.

I found out later that WPA2 transition mode also enforces MFP (or PMF), i.e. Management frame protection. If you have many diverse client types and ages, this can cause problems for those clients.

I would advise going with a new SSID and WPA3/WPA2 for newer tested clients... ones that have stable WPA3 and 6Ghz operation.

Leave WPA2 for the older clients who don't support 6Ghz.

Original Message:
Sent: Aug 08, 2024 03:37 PM
From: bluesky
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

This is incorrect. WPA3 Transition Mode (TM) on Aruba APs only enforces PMF in bands where it is required such as 6 GHz. TM does not enforce PMF on 2.4/5 GHz.

WPA3 TM operation in 2.4/5 GHz:

• PMF is Optional (MFPR=0/MFPC=1) 

WPA3 TM operation in 6 GHz:

• PMF is Required (MFPR=1/MFPC=1)

This is documented here. https://www.arubanetworks.com/techdocs/aos/wifi-design-deploy/security/modes/

Original Message:
Sent: Aug 09, 2024 02:16 AM
From: Network Support
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

Take some caution when using WPA3/WPA2 Transition Mode SSIDs.

I found out later that WPA2 transition mode also enforces MFP (or PMF), i.e. Management frame protection. If you have many diverse client types and ages, this can cause problems for those clients.

I would advise going with a new SSID and WPA3/WPA2 for newer tested clients... ones that have stable WPA3 and 6Ghz operation.

Leave WPA2 for the older clients who don't support 6Ghz.

Original Message:
Sent: Aug 08, 2024 03:37 PM
From: bluesky
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

Thank you schmelzle! So you are saying that the 6 GHz band cannot be configured with WPA2/WPA3 Transition Mode due to the mandatory security features of WPA3 for the 6 GHz band, which are not backward compatible with WPA2. Therefore, we should use one SSID for WPA2 on the 2.4 GHz and 5 GHz bands, and another SSID for WPA3 on the 6 GHz band. Right? Sorry I am confused.

This is incorrect. WPA3 Transition Mode (TM) on Aruba APs only enforces PMF in bands where it is required such as 6 GHz. TM does not enforce PMF on 2.4/5 GHz.

WPA3 TM operation in 2.4/5 GHz:

• PMF is Optional (MFPR=0/MFPC=1) 

WPA3 TM operation in 6 GHz:

• PMF is Required (MFPR=1/MFPC=1)

This is documented here. https://www.arubanetworks.com/techdocs/aos/wifi-design-deploy/security/modes/

Original Message:
Sent: Aug 09, 2024 02:16 AM
From: Network Support
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

Take some caution when using WPA3/WPA2 Transition Mode SSIDs.

I found out later that WPA2 transition mode also enforces MFP (or PMF), i.e. Management frame protection. If you have many diverse client types and ages, this can cause problems for those clients.

I would advise going with a new SSID and WPA3/WPA2 for newer tested clients... ones that have stable WPA3 and 6Ghz operation.

Leave WPA2 for the older clients who don't support 6Ghz.

Original Message:
Sent: Aug 08, 2024 03:37 PM
From: bluesky
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?

Thank you schmelzle! So you are saying that the 6 GHz band cannot be configured with WPA2/WPA3 Transition Mode due to the mandatory security features of WPA3 for the 6 GHz band, which are not backward compatible with WPA2. Therefore, we should use one SSID for WPA2 on the 2.4 GHz and 5 GHz bands, and another SSID for WPA3 on the 6 GHz band. Right? Sorry I am confused.

This is incorrect. WPA3 Transition Mode (TM) on Aruba APs only enforces PMF in bands where it is required such as 6 GHz. TM does not enforce PMF on 2.4/5 GHz.

WPA3 TM operation in 2.4/5 GHz:

• PMF is Optional (MFPR=0/MFPC=1) 

WPA3 TM operation in 6 GHz:

• PMF is Required (MFPR=1/MFPC=1)

This is documented here. https://www.arubanetworks.com/techdocs/aos/wifi-design-deploy/security/modes/

Original Message:
Sent: Aug 09, 2024 02:16 AM
From: Network Support
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

Take some caution when using WPA3/WPA2 Transition Mode SSIDs.

I found out later that WPA2 transition mode also enforces MFP (or PMF), i.e. Management frame protection. If you have many diverse client types and ages, this can cause problems for those clients.

I would advise going with a new SSID and WPA3/WPA2 for newer tested clients... ones that have stable WPA3 and 6Ghz operation.

Leave WPA2 for the older clients who don't support 6Ghz.

Original Message:
Sent: Aug 08, 2024 03:37 PM
From: bluesky
Subject: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

Initially , I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 ( no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?