
Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

  • 1.  Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 08, 2024 07:50 PM

    We have two 7200 controllers, a virtual Mobility Conductor running 8.10.0.13, and primarily use AP-515 and AP-325 access points. We've recently purchased Aruba AP-635 access points to replace the AP-325s and plan to enable the 6 GHz band. Our campus environment currently uses WPA2-Enterprise on the 2.4 GHz and 5 GHz bands.

    Initially, I thought WPA3 Transition Mode would apply to the 6 GHz band but after reviewing the requirements and configuration options for WPA3 and the 6 GHz band, I noticed that the 6 GHz band requires WPA3 and is not backward compatible with WPA2 (no transition mode). This means we cannot configure a single SSID to support both WPA2 and WPA3 across all frequency bands.

    We have several older devices that only support WPA2, and I would prefer not to create separate SSIDs for WPA2 and WPA3 devices. Aruba TAC has confirmed that to use the 6 GHz band, we need to set up an SSID with WPA3 specifically for that band while continuing to use WPA2 for legacy clients on the 2.4 GHz and 5 GHz bands.

    I am not satisfied with this solution. Is there a way to configure a single SSID that supports both the 5 GHz and 6 GHz bands while still providing compatibility for WPA2 devices?



  • 2.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 08, 2024 08:58 PM

    WPA3 with transition mode enabled should be providing the backwards compatibility for the WPA2 devices.  The transition mode setting is ignored when that virtual-ap is applied to a 6 GHz radio.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 08, 2024 10:05 PM
    Edited by schmelzle Aug 09, 2024 09:00 AM

    Like Carson said. Configure the SSID for WPA3. Enable both Transition Mode and 6 GHz.

    This should accomplish what you're asking for. A single SSID that allows WPA2 clients in the "legacy" bands of 2.4/5 and also supports WPA3 only in the 6 GHz band. However, at some point, you should consider moving away from transition mode. Like when WPA2 only clients are phased out.




  • 4.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 02:16 AM

    Take some caution when using WPA3/WPA2 Transition Mode SSIDs.

    I found out later that WPA2 transition mode also enforces MFP (or PMF), i.e. Management frame protection. If you have many diverse client types and ages, this can cause problems for those clients.

    I would advise going with a new SSID and WPA3/WPA2 for newer tested clients... ones that have stable WPA3 and 6 GHz operation.

    Leave WPA2 for the older clients who don't support 6 GHz.




  • 5.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 09:03 AM
    Edited by schmelzle Aug 09, 2024 09:04 AM

    This is incorrect. WPA3 Transition Mode (TM) on Aruba APs only enforces PMF in bands where it is required such as 6 GHz. TM does not enforce PMF on 2.4/5 GHz.

    WPA3 TM operation in 2.4/5 GHz:

    • PMF is Optional (MFPR=0/MFPC=1)

    WPA3 TM operation in 6 GHz:

    • PMF is Required (MFPR=1/MFPC=1)

    This is documented here. https://www.arubanetworks.com/techdocs/aos/wifi-design-deploy/security/modes/




  • 6.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 10:54 AM

    Thank you schmelzle! So you are saying that the 6 GHz band cannot be configured with WPA2/WPA3 Transition Mode due to the mandatory security features of WPA3 for the 6 GHz band, which are not backward compatible with WPA2. Therefore, we should use one SSID for WPA2 on the 2.4 GHz and 5 GHz bands, and another SSID for WPA3 on the 6 GHz band. Right? Sorry I am confused.




  • 7.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 11:20 AM

    No, that's not at all what was shared.  The WLAN configured for WPA3 Transition Mode will provide backward compatibility with WPA2 when operating in the bands (2.4 and 5 GHz) where such is allowed.

    Create one VAP profile that has WPA3 TM enabled.  Apply VAP to AP group.  WLAN will operate as WPA3 TM in 2.4 and 5 GHz.  WLAN will operate as WPA3 in 6 GHz.

    You do not need to create separate SSID or VAP profiles.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 11:21 AM

    No, that is not what I'm saying.

    The configuration you're after is WPA3 with Transition Mode.

    When you have WPA3 in Transition Mode, TM will be effective in 2.4/5 GHz only. Effective operation in 6 GHz will result in TM disabled (and this is automatically handled for you, nothing you configure).

    You can use a WPA3 Transition Mode SSID to support WPA2/WPA3 clients in 2.4/5 while supporting WPA3 clients in 6 GHz. One SSID. One configuration. Security parameters are handled automatically depending on the band of operation.




  • 9.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 08:13 PM

    Thanks for pointing that out. It seems I need to reword my statement. MFPR=0 MFPC=1 - is true. I confirmed that in my original wireless pcaps just now. I'm just hoping my note helps someone else to avoid the issues we had.

    The majority of our WPA2 clients on WPA3-TM mode SSIDs had constant problems with connecting and maintaining connections or performance across our networks and it got worse the higher the version we went, especially on 10.4.1 and later.

    In the UI config I had the MFP option set to disabled, but this had no effect on the outcome. The capable option was enforced - per WPA3-TM.

    The symptoms were consistently slow performance and failure to connect across many areas but mostly when client activity was busy. I saw constant reports of high error rates across those APs, with clients constantly switching to other radios or APs in the vicinity due to the error rates, leading to areas where a majority of clients couldn't actually get service.

    What I found in wireless pcaps on those network locations were the following:

    1. WPA3-TM SSIDs - WPA2 clients were indeed opting in for MFP if they supported it, but it wasn't reliable. We have a mix of managed and unmanaged Windows and OS X laptops on the 2 SSIDs, and the behaviour was inconsistent.
    2. WPA3-TM SSIDs - Were enforcing association rate limiting to WPA2 clients and refusing connections for many clients, essentially creating black holes.

    We have other WPA2-only SSIDs that never had these problems. We've only recently removed WPA3-TM from our SSIDs, and with WPA2-Enterprise the problems with the denied access and low performance have completely vanished.

    In our case, WPA3-TM caused a lot of problems. I'm assuming that 6 GHz capable clients would have more tested and reliable chipsets and firmware to handle the higher requirements. Anything that doesn't support 6 GHz, I would probably leave on WPA2 SSIDs instead, unless proven to be reliable on WPA3-TM or there is a security requirement to enforce WPA3, but then you could just use WPA3-only SSIDs for those.

    My suggestion for anyone rolling out WPA3-TM is to do enough testing to ensure reliability is achieved and to only do that for tested and homogeneous sets of clients, and use WPA2 for any clients you can't control that for.
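    The MFPR/MFPC bits discussed in reply 5 and the per-client PMF opt-in seen in the pcaps of reply 9 both live in the RSN information element of beacons and association requests. The decoder below is an added example, not code from the thread or from Aruba: it parses an RSN IE body, names the mode a BSS advertises, checks the advertised PMF bits against the per-band policy the thread describes (MFPR=0/MFPC=1 for transition mode on 2.4/5 GHz, MFPR=1/MFPC=1 and WPA3-only on 6 GHz), and reports how the 802.11w negotiation ends for a given AP/client pair. The sample IE bytes are constructed, not captured.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"
WPA2_AKMS = {1, 2}  # 802.1X, PSK: the AKMs a legacy WPA2 client offers
WPA3_AKMS = {5, 8}  # 802.1X-SHA256, SAE: the AKMs a WPA3 client offers

def parse_rsn(body):
    """Decode the body of an RSN IE (element ID 48) with its 2-byte header already stripped."""
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    off = 6  # past version (2 bytes) and group cipher suite (4 bytes)
    n_pairwise, = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pairwise  # skip the pairwise cipher suite list
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = set()
    for _ in range(n_akm):
        if body[off:off + 3] == RSN_OUI:
            akms.add(body[off + 3])
        off += 4
    # RSN Capabilities (optional field): bit 6 = MFPR (required), bit 7 = MFPC (capable)
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"akms": akms, "mfpr": bool(caps & 0x40), "mfpc": bool(caps & 0x80)}

def classify_bss(rsn, band_ghz):
    """Name the mode a beacon advertises and flag deviations from the per-band PMF policy."""
    has2, has3 = bool(rsn["akms"] & WPA2_AKMS), bool(rsn["akms"] & WPA3_AKMS)
    mode = "WPA3 transition" if has2 and has3 else "WPA3-only" if has3 else "WPA2"
    issues = []
    if band_ghz == 6 and not (mode == "WPA3-only" and rsn["mfpr"] and rsn["mfpc"]):
        issues.append("6 GHz BSS must be WPA3-only with MFPR=1/MFPC=1")
    if band_ghz != 6 and mode == "WPA3 transition" and (rsn["mfpr"] or not rsn["mfpc"]):
        issues.append("transition mode on 2.4/5 GHz should advertise MFPR=0/MFPC=1")
    return mode, issues

def pmf_outcome(ap, client):
    """Result of the 802.11w capability negotiation when a client associates to an AP."""
    if ap["mfpc"] and client["mfpc"]:
        return "associated, management frames protected"
    if ap["mfpr"] or client["mfpr"]:
        return "association refused: one side requires PMF the other does not support"
    return "associated, management frames unprotected"

# Constructed sample IE bodies (not captured from any real network); CCMP group and pairwise cipher
TM_5GHZ = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0200" "000fac01" "000fac05" "8000")
WPA3_6GHZ = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac05" "c000")
LEGACY_CLIENT = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
```

Feed `parse_rsn` the RSN IE body from a beacon and from the client's association request in a capture to see whether a given WPA2 client actually opted into PMF, which is the inconsistency reply 9 describes.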



  • 10.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 09, 2024 10:37 PM

    Can you clarify for us whether the problems you experienced were with WPA3 TM enabled for WPA3-Personal (SAE) or WPA3-Enterprise (.1X)?




  • 11.  RE: Single SSID for WPA2 and WPA3 on 5 GHz and 6 GHz

    Posted Aug 10, 2024 12:26 AM

    WPA3 TM and WPA3-Enterprise, EAP-TLS clients. AOS10 and Gateway clusters.

    All client profiles are WPA2-Enterprise, mixed set of clients managed and unmanaged, Windows and OS X. Mostly see problems in locations where the client count gets higher or where unmanaged clients are the majority, for example, anywhere there is a high population of student BYO. Problem present in 10.4.0 but gets worse in 10.4.1 with constant user reports of no connection or poor performance.

    Using WPA2-Enterprise for the SSID, those issues stop. No user reports since except for where we had memory leaks and AP lockups on 10.3.1.4. On 10.4.1.3 again now, those ceased as well. Now waiting for more time and results for the following steps. This has involved Aruba CEs throughout this process.

    My suspicion is the maturity level of the WPA2 MFP function in client chipset/firmware. However, this is fairly difficult to prove with such a diverse range of client types for unmanaged, and several generations of client types for managed, and just the time needed. However, I haven't been on AOS8 for a couple of years or so, so I can't rule out that it's an AOS10 thing.

    As the WPA2-Enterprise setting resolves those issues, I might just have to leave it as it is purely due to time constraints.