Wireless Access

I've just set up an AP group with 1 AP (303H) on it and a dedicated SSID on our dev ArubaOS 8.5 system and set up key management to be wpa3-enterprise.

Surprisingly enough my iPhone running iOS 12.3.1 connected to it so I'm assuming that if the client isn't capable of WPA3, it drops down to WPA2 ... but how do you tell?

The ArubaOS GUI doesn't seem to tell you.... or I'm looking in the wrong place ?

Would be good to know just before I start playing with wpa_supplicant 2.8 which does support SAE

Rgds

Alex

Take a look at the AP BSS Table and AP Association and the Flags assigned to the BSSID and Client. Just a note a WPA3 SSID will be in transition mode (WPA3/WPA2) by default unless it is explicitly disabled. 

#show ap bss-table

Flags:       K = 802.11K Enabled; W = 802.11W Enabled; 3 = WPA3 BSS; O = OWE Transition mode OWE BSS; o = OWE Transition mode Open BSS; M = WPA3-SAE mixed mode BSS

#show ap association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, O: OWE client, S: SAE client, E: Enterprise client

Guess long and short of it is  if we have  WPA3-enterprise  instead of WPA2-Enterprise associated with a WLAN, what do we look at and where to see if a client connectred system is a WPA2 device or a WPA3 one.

So are we down to a packet trace then ?

When you type "show ap association client-mac <mac of iphone>" what are the flags?  Is there an "S" flag to indicate that it is an SAE client?

I will save you time.  Do you have a phone that actually supports WPA3?  If not, don't bother... :(

As in NOT iphones.

What to dio if an Iphone (5) with IOS 13 can not connect to a SSID with WPA3 transistion Mode on?