Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant 8.4.0.0 and WPA3 PSK / OWE

  • 1.  Instant 8.4.0.0 and WPA3 PSK / OWE

    Posted Jan 31, 2019 05:19 AM

    Testing with Instant AP and WPA3-PSK/OWE:

     

    iPhone 8 connects with PSK but is not shown in the Instant GUI as a client, but it works and you can see it with 'show ap association'. It does not support OWE. <- can someone confirm if this is a bug in the UI?

     

    Android (Mi 8 Pro) does not authenticate on WPA3 PSK but supports OWE. It asks for PSK but does not get the auth working.

    In 'show ap association' you see it as not authenticated



  • 2.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    MVP EXPERT
    Posted Jan 31, 2019 05:59 AM

    Are you able to provide an example of the output? Do you have transitional mode enabled as well? Unsupported clients will still connect if 'opmode-transition' is enabled. To disable, use 'opmode-transition-disable' on the SSID Profile to remove the transitional SSID.



  • 3.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    Posted Jan 31, 2019 06:20 AM

    What output exactly?

     

    I'm testing OWE and WPA3 at the moment, so I started 2 threads.

     

    For WPA3 I have configured an SSID and I am able to connect with a notebook, an iPhone and 1 Android, but a second Android does not authenticate.

     

    wlan ssid-profile xxxxxxxxxx-WPA3
    enable
    index 1
    type employee
    essid xxxxxxxxxxxxxx-WPA3
    wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    opmode wpa3-sae-aes
    max-authentication-failures 0
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

     

    What commands to verify the devices are connected with WPA3-PSK?

     

    That disappearing of the iPhone cannot be reproduced. I now have 3 different devices on the WPA3 SSID but one which does not authenticate.



  • 4.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    MVP EXPERT
    Posted Jan 31, 2019 06:28 AM

    Use the below commands to verify what the client is connected and what is supported along with the mode that your BSSID is in.

     

    #show ap association
    #show ap bss-table

    WPA3-SAE advertises its requirement for Protected Management Frame (PMF). All devices must be SAE capable and must support PMF. In WPA3-SAE Transition Mode, both WPA2-PSK and WPA3-SAE are configured on the same SSID in a mixed mode. PMF is not required but the SSID will advertise its capability to support it.


    Does the Android in question support PMF?
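
The PMF rule described in the post above can be checked in a wireless capture by reading the RSN element (ID 48) of the beacon. This is an added example, not part of the original thread and not Aruba code; the function names and the sample element bodies are constructed for illustration.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 OUI used by the standard suite selectors
AKM_NAMES = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities: PMF required / PMF capable

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID and length bytes removed)."""
    try:
        off = 2 + 4  # skip version (2) and group cipher suite (4)
        (n_pair,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pair  # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, off)
        off += 2
        if len(body) < off + 4 * n_akm:
            raise ValueError("truncated AKM list")
        akms = set()
        for _ in range(n_akm):
            oui, kind = body[off:off + 3], body[off + 3]
            akms.add(AKM_NAMES.get(kind, f"type-{kind}") if oui == OUI else "vendor")
            off += 4
        # RSN Capabilities is optional; absent means no PMF bits set
        caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}

def classify(rsn: dict) -> str:
    """Map advertised AKMs and PMF bits to the modes discussed in the thread."""
    sae = "SAE" in rsn["akms"]
    psk = bool(rsn["akms"] & {"PSK", "PSK-SHA256"})
    if sae and not psk:
        return "WPA3-SAE only" if rsn["mfpr"] else "SAE without PMF required"
    if sae and psk:
        ok = rsn["mfpc"] and not rsn["mfpr"]
        return "WPA3-SAE transition" if ok else "mixed SAE/PSK, unexpected PMF bits"
    if "OWE" in rsn["akms"]:
        return "OWE"
    return "WPA2-PSK" if psk else "other"

# Constructed RSN element bodies (CCMP ciphers); not taken from the thread's captures.
_HDR = "0100" "000fac04" "0100" "000fac04"
SAMPLES = {
    "sae_only":   bytes.fromhex(_HDR + "0100" "000fac08" "c000"),
    "transition": bytes.fromhex(_HDR + "0200" "000fac02" "000fac08" "8000"),
    "wpa2":       bytes.fromhex(_HDR + "0100" "000fac02" "0000"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify(parse_rsn(body)))
```

The same bits appear in the client's association request, so running the parser on that frame's RSN element shows whether the client offered SAE and PMF.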



  • 5.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    Posted Jan 31, 2019 07:02 AM

    Thank you! I think now I got a lot more understanding.

     

    I did a WPA3-SAE SSID and it seems that all devices connected with WPA2.

     

    That one device which does not connect is the only device which shows SAE in WIFI Security and which supports OWE also. But it does not connect to the WPA3-SAE SSID and does not show the Captive portal in an OWE SSID.

     

    I think it's too early and the Android does not support it fully (but Snapdragon 845 chipset should be able to)

     

    xxxxxxxxxxxxxxx xxxxxxxxxxxx-WPA3 ?/? 192.168.0.254 a-VHT ap 100E/28.5/28.5 2 AP303h 0 10m:8s W3M

     

    AP303h xxxxxxxxxxxxxx xxxxxxxxxxxx y y 2 250 xxxxxxxxx-WPA3 1 a-VHT-80sgi-2ss 7m:48s 1 WVwM Yes (Implicit) 0.0.0.0



  • 6.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    EMPLOYEE
    Posted Jan 31, 2019 12:10 PM

    I'm not aware of any generic available client device that supports WPA3 SAE or OWE. Most clients will see an OWE (with transition mode disabled) network as PSK, which is not the case and authentication will fail.

     

    All demos that I have seen are done with a special modified Ubuntu Linux client.

     

    Also be aware that as of today, WPA3 and OWE are only supported on the 300 and 500 series Access Points. Older access points will revert to the WPA2 / Open equivalent.

     

    As WPA3 (not OWE) is a mandatory part of the 802.11ax client certification, it is expected that WPA3 will arrive as soon as companies are seeking that certification.

     

    In case you haven't seen the video, I would really recommend watching the WPA3 video from Security Field Day.



  • 7.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    Posted Feb 01, 2019 03:00 AM

    After one day of testing in my home lab with AP303h and Instant 8.4.0.0 and 12 different clients:

     

    I can confirm OWE SSID (opmode-transition-disable) working with Android Device "Mi 8 pro" Android 9 Patchlevel 2019-01-01, Snapdragon 845

     

    WPA3-AES-SAE (opmode-transition-disable) not working with same device, even though the device shows SAE in Wifi Settings.

     

    I know there is no Android officially supporting WPA3 yet but I am testing with transition mode on/off. Strange behaviour is that even with transition mode that one device cannot connect because it is trying to do SAE but fails.

     

    Can you advise me on some commands for investigating WPA3 Auth Issues on Instant?



  • 8.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    EMPLOYEE
    Posted Feb 01, 2019 03:21 AM

    That is good news that the first clients are starting to support WPA3 and OWE. I have seen really weird things, like on Windows 10 insider builds where you can configure WPA3-SAE, but cannot save it. So clients appear to be rare and if they exist immature at the moment.

     

    If you really want to troubleshoot at this point in time, for SAE you can see from the Instant AP the confirm and commit messages with the command: show ap debug mgmt-frames. Also, the command show ap debug auth-trace-buf may provide additional information. For myself, it helped a lot to do a wireless capture and see and understand the frames that are in the air to follow the association and authentication process. 

     

    If people see clients that do properly support WPA3 and/or OWE, please report them here. It doesn't look like there are any certified yet.



  • 9.  RE: Instant 8.4.0.0 and WPA3 PSK / OWE

    Posted Feb 05, 2019 07:55 AM

    More testing:

     

    If the WPA3-SSID is set to 2.4 GHz my test client is able to connect and shows SAE. Also the AP shows the client with WvwS flags.

     

    Connection attempt sometimes fails but if it connects (3/10), it stays connected.

     

    If the SSID is set to 5 GHz connection always fails.

     

    I am unsure if this behaviour is client or AP related, but I did a pcap of the connection attempts. So if someone from Aruba wants to do some more investigation, tell me. I can provide the pcaps.