Hey there,
So I did some testing with my local TAC engineer. In summary, we found that the Windows and standard Linux supplicants would not support configuration to support WPA3. TAC was able to manually configure a supplicant configuration that worked for Linux, but this was definitely not working "out of the box" or using standard configuration tools.
For Android I found it worked, but there were bugs which stopped traffic flowing for WIFI6 radios. iOS didn't work at all.
In the end I decided to give up and wait until client support is a little better and until all the bugs are ironed out.
Original Message:
Sent: Nov 29, 2022 11:12 AM
From: Shmuel Mazor
Subject: WPA-3 Enterprise - have you got it working?
Following, I have the same issue.
Please help us.
Original Message:
Sent: Aug 28, 2022 08:46 PM
From: Scott Doorey
Subject: WPA-3 Enterprise - have you got it working?
Hey Airheads,
I've been trying to get WPA3-Enterprise working without success and I'm keen to hear if it's just me or if others have had problems as well.
I've run a test setup on AP-503H in Central AOS 10.3.1.
I've set up 2 SSIDs:
-WPA3-CCM
-WPA3-GCM
Each is bridging to local VLAN and authenticating to ClearPass. Each has MFP enabled.
If I try and connect to these with my Android device (S22 Android 12) using WPA3-CCM, it works; however, the device only connects at WPA2 level.
If I connect the Android to the WPA3-GCM network, it connects fine with WPA3 but no traffic flows.
For Windows I've had a different issue.
I'm running Win 10 21H2 and I've got one laptop with Intel AX-201 and current drivers, along with another laptop with the same Windows version and Intel AC-9560.
In both Windows test cases I have several issues:
1) Trying to auto connect - device requests a preshared key, so it's not trying EAP.
2) Trying to manually set a profile using Network & Sharing Centre - if you select WPA3-Enterprise, the Windows menu errors out saying an unexpected error occurred. Consistent on both Windows machines.
3) Creating a manual profile using WPA2-Enterprise, then changing the settings to WPA3-Enterprise, overcomes error #2. The only option is GCM256, so this is selected with EAP-TLS. Root CA is trusted and selected as trust point in profile. When this is done, Windows shows the network profile but says unable to connect and has a cross over the profile like it's not valid.
I've done some PCAPs and I'm convinced the WPA3 SSIDs are not broadcasting the right AKM suites for WPA3.
The WPA3-GCM SSID is supporting the following in beacons
00-0f-ac:05 - WPA (SHA256)
00-0f-ac:03 - FT over IEEE 802.1x
If I disable 802.11r then I just get
00-0f-ac:05 - WPA (SHA256)
For some reason Windows doesn't like this but Android does (however, it won't pass traffic).
For the WPA3-CCM SSID it's showing the following in beacons:
00-0f-ac:01 - WPA
00-0f-ac:03 - FT over IEEE 802.1x
If I'm reading the standard correctly, neither of these AKM suites are WPA3 compatible.
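
The beacon check described in the post above, as an added example that is not part of the original thread or any vendor's code: a Python parser that decodes the RSN element (ID 48) from a beacon and lists its ciphers, AKM suites and MFP bits. The sample bytes are constructed; the AKM list matches the WPA3-GCM beacon described in the post, while the GCMP-256 ciphers and the MFP bits are assumptions.

```python
import struct

# Suite types under OUI 00-0F-AC, named as in the IEEE 802.11 suite selector tables.
AKM = {1: "802.1X", 2: "PSK", 3: "FT over 802.1X", 4: "FT-PSK",
       5: "802.1X (SHA-256)", 6: "PSK (SHA-256)", 8: "SAE", 9: "FT over SAE",
       11: "802.1X Suite B (SHA-256)", 12: "802.1X Suite B 192-bit (SHA-384)",
       13: "FT over 802.1X (SHA-384)", 18: "OWE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
          9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256"}

def _suite(raw, table):
    """Render a 4-byte suite selector as 'oui:type name'."""
    label = "-".join(f"{b:02x}" for b in raw[:3]) + f":{raw[3]:02d}"
    known = raw[:3] == b"\x00\x0f\xac"
    return f"{label} {table.get(raw[3], 'unknown') if known else 'vendor-specific'}"

def _suite_list(body, off, table):
    """Read a 2-byte little-endian count followed by that many selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the end of the element")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(element):
    """Decode an RSN element (ID 48) up to and including RSN Capabilities."""
    if len(element) < 2 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    if len(body) < 6:
        raise ValueError("RSN element has no group cipher")
    try:
        (version,) = struct.unpack_from("<H", body, 0)
        pairwise, off = _suite_list(body, 6, CIPHER)
        akm, off = _suite_list(body, off, AKM)
        (caps,) = struct.unpack_from("<H", body, off)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    return {"version": version, "group": _suite(body[2:6], CIPHER),
            "pairwise": pairwise, "akm": akm,
            "mfp_required": bool(caps & 0x0040),  # RSN Capabilities bit 6 (MFPR)
            "mfp_capable": bool(caps & 0x0080)}   # RSN Capabilities bit 7 (MFPC)

# Constructed sample: AKMs 05 and 03 as in the post; ciphers and MFP bits assumed.
SAMPLE = bytes.fromhex("3018" "0100" "000fac09" "0100" "000fac09"
                       "0200" "000fac05" "000fac03" "c000")

if __name__ == "__main__":
    for key, value in parse_rsn(SAMPLE).items():
        print(f"{key}: {value}")
```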