Controllerless Networks

  • 1.  WPA3 Enterprise

    Posted Apr 24, 2020 08:33 AM

    Deploying WPA3 Enterprise is confusing.

    Windows 10 does not have a WPA3 Enterprise option. There are some documents showing you use the WPA2 Enterprise option. Windows does have a WPA3 Personal option.

    Also, WPA3 Enterprise has 2 encryption strengths.

    I have searched everywhere trying to figure out how to tell what cipher suite is in use on an active connection. I need to know exactly what cipher is in use.

    The network is IAP-305's.

    Also, is there a guide, FAQ, or step-by-step on setting up WPA3 Enterprise? I have a Freeradius WPA2 Enterprise network now.

    I want the higher 192 bit encryption. I assume I need CNSA and I will need to use certs?



  • 2.  RE: WPA3 Enterprise

    Posted Apr 24, 2020 10:42 AM

    The following Intel® Wireless Adapters support WPA3-Personal (aka WPA3-SAE) and WPA3-Enterprise on Windows® 10 (May 2019 Update).

    • Intel® Wi-Fi 6 (Gig+) Desktop Kit
    • Intel® Wi-Fi 6 AX201
    • Intel® Wi-Fi 6 AX200
    • Intel® Wireless-AC 9560
    • Intel® Wireless-AC 9462
    • Intel® Wireless-AC 9461
    • Intel® Wireless-AC 9260

    You didn't list the type of wireless adaptor you have, but if it's Intel, the above are the only ones that support WPA3.

    If you have one of the above models and it's not working, make sure you have the updated drivers for it.

    Note: Intel® Wireless adapters fully support WPA3-Personal and WPA3-Enterprise using Windows® 10 (May 2019 Update). Users can connect to WPA-3 Enterprise Network with Windows® 10 May 2019 release when selecting the WPA2-enterprise option in the User Interface.

    If you have the supported wireless adaptor and the latest driver and it's still not working, I would contact the hardware vendor for support.



  • 3.  RE: WPA3 Enterprise

    Posted Apr 24, 2020 05:04 PM

    Yes, I saw that Intel post. It's almost the only thing that comes up when you google WPA3 Enterprise. The adapters are AX200's with current drivers that show supported.

    BUT also note the Intel post also says

    "Users can connect to WPA-3 Enterprise Network with Windows® 10 May 2019 release when selecting the WPA2-enterprise option in the User Interface."

    Sooo..... Does that mean WPA3 Enterprise is not working? Or that it does work?

    This is one of the reasons I need to know how to look at the cipher.

    WPA3 Personal works great. If I set Aruba to WPA3 Enterprise 128 and use WPA2 Enterprise (the only option on the client, Win 10) then that works, but I have no idea what it's doing. WPA3 Enterprise 256 and CNSA don't work currently for me because I think I need to do better config with my Freeradius server with the EAP-TLS settings.

    What I need is a way to know what cipher is in use for a client. How do I do that? I could do it on the Windows 10 side or the Aruba side. I cannot find any tool or way to do this. I need a minimum way to see if the connection is using 128 or 192 bits.



  • 4.  RE: WPA3 Enterprise

    Posted Apr 26, 2020 08:50 AM

    On the Windows client side you can use "netsh wlan show driver" to see the supported cipher and authentication methods. My Windows 10 build 1809 doesn't support WPA3.

    You can sniff some 802.11 frames with a wireless card that supports monitor mode (most likely with Linux or a wlanpi). For example, an 802.11 beacon frame sent out by the AP advertises its capabilities. See the attachment for an example of the differences between beacons for WPA3-Personal, WPA3-Enterprise 128-bit, WPA3-Enterprise 256-bit, or with CNSA.

    A good starting point in your journey is to read the documents from the Wi-Fi Alliance.

    https://www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Security_Considerations_201911.pdf

    Something I am not sure about and ask myself: is the ArubaOS Advanced Cryptography licence required to do CNSA? Because SHA-384 is part of Suite B, I think this is needed.

    https://www.arubanetworks.com/assets/ds/DS_OS_ACR.pdf

     

    CNSA establishes a suite of cryptographic algorithms that all
    afford roughly the same level of protection: SHA384 for
    hashing, NIST’s p384 elliptic curve for key establishment and
    digital signatures, and AES-GCM-256 for data encryption and
    authentication. With CNSA, the EAP method must be EAP-TLS
    and the negotiated TLS cipher suite must exclusively use
    cryptographic algorithms from the CNSA suite.

     

    Attachment(s)

    pdf
    WPA3.pdf   278 KB 1 version
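
As an added illustration of the beacon comparison described in the last reply (not part of the thread or its attachment), this Python example decodes the RSN element (element ID 48) that an AP advertises in its beacons, so the AKM and cipher suites can be read from a monitor-mode capture. The suite numbers follow IEEE 802.11; the function names and the two sample byte strings are constructed for this example.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 OUI used by the standard suite selectors
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
           12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
        8: "SAE", 11: "802.1X-SuiteB", 12: "802.1X-SuiteB-192", 18: "OWE"}

def _suite(raw, table):
    """Name one 4-byte suite selector (OUI + type byte)."""
    if raw[:3] == OUI and raw[3] in table:
        return table[raw[3]]
    return raw.hex("-")  # unknown or vendor-specific selector

def _u16(body, pos):
    """Read a little-endian 16-bit field, rejecting truncated input."""
    if pos + 2 > len(body):
        raise ValueError("RSN element truncated at offset %d" % pos)
    return struct.unpack_from("<H", body, pos)[0]

def parse_rsn(body):
    """Decode an RSN element body (ID and length bytes already removed)."""
    if len(body) < 6:
        raise ValueError("RSN element too short for version and group cipher")
    out = {"version": _u16(body, 0), "group": _suite(body[2:6], CIPHERS)}
    pos = 6
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        count = _u16(body, pos)
        pos += 2
        if pos + 4 * count > len(body):
            raise ValueError("truncated %s suite list" % key)
        out[key] = [_suite(body[pos + 4 * i:pos + 4 * i + 4], table)
                    for i in range(count)]
        pos += 4 * count
    caps = _u16(body, pos)
    pos += 2
    out["mfp_required"] = bool(caps & 0x0040)  # MFPR bit
    out["mfp_capable"] = bool(caps & 0x0080)   # MFPC bit
    out["group_mgmt"] = None  # optional field, follows the PMKID list
    if pos + 2 <= len(body):
        pos += 2 + 16 * _u16(body, pos)  # skip PMKID count and PMKIDs
        if pos + 4 <= len(body):
            out["group_mgmt"] = _suite(body[pos:pos + 4], CIPHERS)
    return out

# Constructed sample bodies, not taken from the thread's attachment.
SUITE_B_192 = bytes.fromhex("0100000fac090100000fac090100000fac0cc0000000000fac0c")
WPA2_ENT = bytes.fromhex("0100000fac040100000fac040100000fac010000")
```

An AKM of `802.1X-SuiteB-192` with `GCMP-256` as the pairwise cipher is what a 192-bit network advertises, while `802.1X` or `802.1X-SHA256` with `CCMP-128` indicates the 128-bit mode. The beacon shows what the AP offers; the suite a given client selected appears in the RSN element of its association request.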