Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

WPA-3 Enterprise - have you got it working?

  • 1.  WPA-3 Enterprise - have you got it working?

    Posted Aug 28, 2022 08:46 PM

    Hey Airheads,

    I've been trying to get WPA3-Enterprise working without success and I'm keen to hear if it's just me or if others have had problems as well.

    I've run a test setup on AP-503H in Central AOS 10.3.1.

    I've set up 2 SSIDs:

    -WPA3-CCM
    -WPA3-GCM

    Each is bridging to local VLAN and authenticating to ClearPass. Each has MFP enabled.

    If I try and connect to these with my Android device (S22, Android 12) using WPA3-CCM it works, however the device only connects at WPA2 level.
    If I connect the Android to the WPA3-GCM network it connects fine with WPA3 but no traffic flows.


    For Windows I've had a different issue.

    I'm running Win 10 21H2 and I've got one laptop with Intel AX-201 and current drivers, along with another laptop with the same Windows version and Intel AC-9560.

    In both Windows test cases I have several issues:

    1) Trying to auto connect - the device requests a preshared key, so it's not trying EAP.
    2) Trying to manually set a profile using Network & Sharing Centre - if you select WPA3-Enterprise the Windows menu errors out saying an unexpected error occurred. Consistent on both Windows machines.
    3) Creating a manual profile using WPA2-Enterprise, then changing the settings to WPA3-Enterprise, overcomes error #2. The only option is GCM256 so this is selected with EAP-TLS. Root CA is trusted and selected as trust point in profile. When this is done, Windows shows the network profile but says unable to connect and has a cross over the profile like it's not valid.


    I've done some PCAPs and I'm convinced the WPA3 SSIDs are not broadcasting the right AKM suites for WPA3.

    The WPA3-GCM SSID is supporting the following in beacons

    00-0f-ac:05 - WPA (SHA256)
    00-0f-ac:03 - FT over IEEE 802.1x

    If I disable 802.11r then I just get
    00-0f-ac:05 - WPA (SHA256)

    For some reason Windows doesn't like this but Android does (however won't pass traffic).

    For the WPA3-CCM SSID it's showing the following in beacons:

    00-0f-ac:01 - WPA
    00-0f-ac:03 - FT over IEEE 802.1x

    If I'm reading the standard correctly, neither of these AKM suites is WPA3 compatible.
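
Added example, not part of the original post: a parser for the RSN element (ID 48) carried in a beacon, which decodes the AKM suite selectors listed above together with the ciphers and the MFP capability bits, then maps them to an enterprise mode. The two sample elements are constructed (only their AKM lists come from the post; ciphers and MFP bits are made up), and the mode rules in `classify()` follow the Wi-Fi Alliance WPA3 specification as understood here, so treat them as an assumption.

```python
import struct

OUI = bytes.fromhex("000fac")            # the 00-0f-ac prefix shown in the captures
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 5: "802.1X-SHA256",
       8: "SAE", 12: "802.1X-SuiteB-192"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
          9: "GCMP-256", 12: "BIP-GMAC-256"}

def _name(sel, table):
    return table.get(sel[3], f"type-{sel[3]}") if sel[:3] == OUI else sel.hex()

def _suites(buf, off, table):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    n = struct.unpack_from("<H", buf, off)[0]
    end = off + 2 + 4 * n
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse a full RSN element (ID 48, length, body) taken from a beacon."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]                         # version(2) + group cipher(4) + lists
    pairwise, off = _suites(body, 6, CIPHER)
    akm, off = _suites(body, off, AKM)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": _name(body[2:6], CIPHER), "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & 0x0080), "mfpr": bool(caps & 0x0040)}

def classify(rsn):
    """Map advertised AKMs and MFP bits to a mode (rules are an assumption)."""
    akm = set(rsn["akm"])
    if "802.1X-SuiteB-192" in akm:
        return "WPA3-Enterprise 192-bit"
    if "802.1X-SHA256" in akm and rsn["mfpc"]:
        if "802.1X" in akm:
            return "WPA3-Enterprise transition"
        return "WPA3-Enterprise only" if rsn["mfpr"] else "802.1X-SHA256, MFP optional"
    if akm & {"802.1X", "FT-802.1X"}:
        return "WPA2-Enterprise"
    return "other"

# Constructed samples: AKM lists as reported in the post, everything else made up.
GCM_SAMPLE = bytes.fromhex("30180100000fac090100000fac090200000fac05000fac03c000")
CCM_SAMPLE = bytes.fromhex("30180100000fac040100000fac040200000fac01000fac038000")
```

To check a real capture, pass the raw bytes of the beacon's RSN tag (including the two header bytes) to `parse_rsn()`.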

  • 2.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 29, 2022 11:12 AM
    Following, I have the same issue.

    Please help us.


  • 3.  RE: WPA-3 Enterprise - have you got it working?

    EMPLOYEE
    Posted Nov 29, 2022 07:36 PM
    With WPA3-GCM, the main thing is that both the client driver and supplicant must support the AKM / ciphers.
    You can use this command on the MD to see it: "show dot1x supplicant-info"

    [mynode] #show dot1x supplicant-info 1c:c1:xx:xx:xx:xx 34:8a:yy:yy:yy:yy

    Detailed 802.1x Supplicant Information

    Name                ub1
    MAC Address         1c:c1:xx:xx:xx:xx
    AP MAC Address      34:8a:yy:yy:yy:yy
    Status              Authentication Success
    Unicast Cipher      WPA3-AES-GCMP-256-NON-CNSA
    Multicast Cipher    WPA3-AES-GCMP-256-NON-CNSA

    The above is from a Linux client on AX210.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 4.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 30, 2022 02:50 AM
    But what about WIN10/11?



  • 5.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 30, 2022 02:55 AM
    Win 10 current build does not work with GCM. You can't configure the supplicant, it errors out. Even if you configure it, the supplicant pops up asking for a PSK. I think it's not interpreting the key suite correctly.

    At least that's my experience with AOS 10.


  • 6.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 29, 2022 09:10 PM
    Hey there,

    So I did some testing with my local TAC engineer. In summary, we found that the Windows and standard Linux supplicants would not support configuration to support WPA3. TAC was able to manually configure a supplicant configuration that worked for Linux, but this was definitely not working "out of the box" or using standard configuration tools.

    For Android I found it worked but there were bugs which stopped traffic flowing for WIFI6 radios. iOS didn't work at all.

    In the end I decided to give up and wait until client support is a little better and until all the bugs are ironed out.


  • 7.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 29, 2022 11:09 PM
    So, WPA2-ENT is chosen right now?

     

    --
    Contact me:
    Mobile : +972-58-7590782
    Blog : Miata - A way of life : mymiata.co.il






  • 8.  RE: WPA-3 Enterprise - have you got it working?

    EMPLOYEE
    Posted Nov 30, 2022 06:00 AM
    Did you try with Windows 10/11 (build 21H2 or later), Intel driver version 20.60.x or later?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 9.  RE: WPA-3 Enterprise - have you got it working?

    Posted Nov 30, 2022 06:56 AM
    Hi,

    22H2 version with latest Intel driver for 200ax adaptor.