Controllerless Networks


WPA3 on IAP-315 w/ iPhone X

  • 1.  WPA3 on IAP-315 w/ iPhone X

    Posted Jun 06, 2020 10:12 PM

    Hello,

     

    I'm testing WPA3 on an IAP-315 (v8.6.0.4) with an iPhone X running the latest iOS (v13.5.1). While attempting to associate to the WPA3 SSID, it appears that WPA3 is attempted but falls back to WPA2. Does anyone know if an iPhone X supports WPA3? Auth trace buff shows the following:

     

    Also, am I correctly interpreting these logs?

     

    Prod-IAP-315# show ap debug auth-trace-buf mac bc:fe:d9:b9:59:d8
    
    Auth Trace Buffer
    -----------------
    
    
    Jun  6 19:06:56  station-up             *  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  -    wpa3-sae aes-ccmp-128
    Jun  6 19:06:56  wpa2-key1             <-  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  117
    Jun  6 19:06:56  wpa2-key2             ->  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  135
    Jun  6 19:06:56  wpa2-key3             <-  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  191
    Jun  6 19:06:56  wpa2-key4             ->  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  95
    Jun  6 19:07:38  station-up             *  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  -    wpa3-sae aes-ccmp-128
    Jun  6 19:07:38  wpa2-key1             <-  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  117
    Jun  6 19:07:38  wpa2-key2             ->  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  135
    Jun  6 19:07:38  wpa2-key3             <-  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  191
    Jun  6 19:07:38  wpa2-key4             ->  bc:fe:d9:b9:59:d8  a8:bd:27:8b:a9:b1  -  95

     



  • 2.  RE: WPA3 on IAP-315 w/ iPhone X
    Best Answer

    MVP EXPERT
    Posted Jun 07, 2020 07:31 AM

    Hi,

     

    Apple iOS supports WPA3 starting from iOS 13.

     

    To my understanding, the 4-way handshake EAP-Key messages are part of the WPA3 flowchart. See this blog for better understanding.

    https://wlan1nde.wordpress.com/2018/09/14/wpa3-improving-your-wlan-security/

     

    This is what I see with my iPhone8s

    Jun  7 13:21:26  sae-pmk-update         *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      -      Grp:19 PMK:32 Succ
    Jun  7 13:21:26  station-up             *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      -      wpa3-sae aes-ccmp-128
    Jun  7 13:21:26  wpa2-key1             <-     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      29952  
    Jun  7 13:21:26  user repkey change     *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  65535  -      000c2921bec2000000330078
    Jun  7 13:21:26  macuser repkey change  *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  65535  -      40:9c:28:6a:86:5f
    Jun  7 13:21:26  wpa2-key2             ->     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      34560  
    Jun  7 13:21:26  wpa2-key3             <-     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      48896  
    Jun  7 13:21:26  wpa2-key4             ->     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  -      24320  
    Jun  7 13:21:26  user repkey change     *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  10     -      000c2921bec2000000330078
    Jun  7 13:21:26  macuser repkey change  *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  10     -      40:9c:28:6a:86:5f
    Jun  7 13:21:26  ipuser repkey change   *     40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  10     -      172.16.201.104

     

    And a "show user mac ......." shows me that it's using WPA3-SAE

     

    Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, O: OWE client, S: SAE client, E: Enterprise client, m: Agile Multiband client, C: Cellular Data Capable - network available, c: Cellular Data Capable - network unavailable, p: Pending GSM activation, T: Individual TWT client, t: Broadcast TWT client
    
    PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz; t: turbo-rates (256-QAM)
                 VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
                 HE   : High Efficiency;       80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
                 <n>ss: <n> spatial streams
    
    Association Table
    -----------------
    Name          bssid              mac                auth  assoc  aid  l-int  essid         vlan-id  tunnel-id  phy              assoc. time  num assoc  Flags   Band steer moves (T/S)  phy_cap
    ----          -----              ---                ----  -----  ---  -----  -----         -------  ---------  ---              -----------  ---------  -----   ----------------------  -------
    HomeLAB-AP02  d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  y     y      1    1      HomeLAB-WPA3  201      0x10016    a-VHT-80sgi-2ss  3m:35s       0          WVwSAB  0/0                     a-VHT-80sgi-2ss-VwS

     

    show ap remote debug mgmt-frames ap-name .....

     

    Jun  7 13:21:26.450  assoc-resp  d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15      Success
    Jun  7 13:21:26.450  assoc-req   40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0       -
    Jun  7 13:21:26.447  auth        d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15      SAE-Confirm:0
    Jun  7 13:21:26.446  auth        40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0       SAE-Confirm:0
    Jun  7 13:21:26.418  auth        d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15      SAE-Commit:0
    Jun  7 13:21:26.413  auth        40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0       SAE-Commit:0


  • 3.  RE: WPA3 on IAP-315 w/ iPhone X

    EMPLOYEE
    Posted Jun 08, 2020 03:57 AM

    Please note that much of the underlying technology, like the 4-way handshake, has not changed between WPA2 and WPA3. That means you cannot rely on these log messages to find out the actual negotiated security.

     

    Please check the 'show ap association' to determine if the connection is on WPA2 or WPA3.



  • 4.  RE: WPA3 on IAP-315 w/ iPhone X

    MVP EXPERT
    Posted Jun 08, 2020 05:37 AM

    Hi Herman,

     

    I was indeed thinking the same, thanks for the clarification Herman!

     

    We can see the same from the "show user mac ...." command. Hard to see in my last response to this topic, but look for the "S" flag in the output.

     

    HomeLAB-AP02 d0:15:a6:bc:d8:f2 40:9c:28:6a:86:5f y y 1 1 HomeLAB-WPA3 201 0x10016 a-VHT-80sgi-2ss 3m:35s 0 WVwSAB 0/0 a-VHT-80sgi-2ss-VwS

     

    S: SAE client
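
The check discussed in posts 2 to 4, as an added example that is not part of the original thread and not Aruba tooling: it decodes the Flags column of an Association Table row with the legend quoted above and confirms that SAE Commit and Confirm frames were seen in both directions. The function names are hypothetical; it assumes the Flags column is third from the right and that the first address column of a mgmt-frames line is the sender.

```python
import re

# Flag legend as quoted in this thread's "show user mac" output.
LEGEND = (
    "A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, "
    "M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, "
    "V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, "
    "O: OWE client, S: SAE client, E: Enterprise client, m: Agile Multiband client, "
    "C: Cellular Data Capable - network available, "
    "c: Cellular Data Capable - network unavailable, p: Pending GSM activation, "
    "T: Individual TWT client, t: Broadcast TWT client"
)
FLAGS = dict(item.split(": ", 1) for item in LEGEND.split(", "))

# Association Table row and mgmt-frames lines copied from the thread.
ROW = ("HomeLAB-AP02 d0:15:a6:bc:d8:f2 40:9c:28:6a:86:5f y y 1 1 HomeLAB-WPA3 201 "
       "0x10016 a-VHT-80sgi-2ss 3m:35s 0 WVwSAB 0/0 a-VHT-80sgi-2ss-VwS")
MGMT = """
Jun  7 13:21:26.450  assoc-resp  d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15  Success
Jun  7 13:21:26.450  assoc-req   40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0   -
Jun  7 13:21:26.447  auth  d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15  SAE-Confirm:0
Jun  7 13:21:26.446  auth  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0   SAE-Confirm:0
Jun  7 13:21:26.418  auth  d0:15:a6:bc:d8:f2  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  15  SAE-Commit:0
Jun  7 13:21:26.413  auth  40:9c:28:6a:86:5f  d0:15:a6:bc:d8:f2  d0:15:a6:bc:d8:f2  0   SAE-Commit:0
""".strip().splitlines()
# Constructed row (not from the thread): the same client without the S flag.
ROW_NO_SAE = ROW.replace("WVwSAB", "WVwAB")

def decode_flags(row):
    """Map each flag character of one Association Table row to its meaning.
    Flags are case-sensitive (W and w differ); the column is read from the
    right so an ESSID containing spaces does not shift it (assumption)."""
    return {f: FLAGS.get(f, "unknown") for f in row.split()[-3]}

def is_sae_client(row):
    """True when the row carries the 'S: SAE client' flag."""
    return "S" in decode_flags(row)

def sae_exchange_complete(mgmt_lines, client, bssid):
    """True when SAE Commit and Confirm were each sent by both client and AP."""
    pat = re.compile(r"\bauth\s+(\S+)\s+(\S+)\s+\S+\s+\d+\s+SAE-(Commit|Confirm)")
    seen = set()
    for line in mgmt_lines:
        m = pat.search(line)
        if m and {m.group(1), m.group(2)} == {client, bssid}:
            seen.add((m.group(1), m.group(3)))
    return seen == {(a, s) for a in (client, bssid) for s in ("Commit", "Confirm")}

if __name__ == "__main__":
    print(decode_flags(ROW))
    print(is_sae_client(ROW), sae_exchange_complete(
        MGMT, "40:9c:28:6a:86:5f", "d0:15:a6:bc:d8:f2"))
```

The wpa2-key1 to wpa2-key4 lines of the auth trace are deliberately not used as input, since they appear for both WPA2 and WPA3 associations.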

     

     



  • 5.  RE: WPA3 on IAP-315 w/ iPhone X

    EMPLOYEE
    Posted Jun 08, 2020 05:47 AM

    Marcel,

     

    I don't see those flags in the 'show user mac ...' on my lab controller (8.6.0.2); so it may be version dependent, and the show ap association has always shown the connection encryption status for me. That is why I left that out of my response; I did actually check.

     

    Thanks for all your answers to the community BTW, it's really appreciated.



  • 6.  RE: WPA3 on IAP-315 w/ iPhone X

    Posted Jun 08, 2020 12:54 PM

    Thanks all for the information! - Just a quick question on WPA3.. I noticed that it disables 802.11r.

     

    Does this mean that WPA3 enabled networks will have longer roaming times for clients vs WPA2 w/ 802.11r enabled?



  • 7.  RE: WPA3 on IAP-315 w/ iPhone X

    MVP EXPERT
    Posted Jun 08, 2020 01:18 PM

    Hi Regan,

     

    Fast Transition (802.11r) needs to be disabled (802.11r support has been left out of the current versions of WPA3-Personal & WPA3-Enterprise). Roaming will use a PMKID roam for now.

     

    See also this great video from the Mobility Field Day 3:

    https://www.youtube.com/watch?v=O233UgBX0tM

     

    https://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/95604/5/2019-10-TechTalk%20Live%20-%20WPA3-OWE-min.pdf

     

    @Herman, you're awesome too! There is a lot to learn from each other and that's exactly what this community is designed for. BTW my controllers run VMC Cluster 8.6.0.4 with AP-505. Time to upgrade ;;)) Just kidding.