API to toggle on GCMP 256 in Wireless > Access Control

jacfraze
New here

Hey, forgive me if this has been asked before, but:

Is there a way to programmatically toggle on
WPA encryption = WPA3
802.11w = Required (reject unsupported clients)
AND
WPA3 Cipher Suite = GCMP 256

at the same time?

We are able to do WPA3 + 802.11w, but I can't seem to find an API to enable GCMP 256 in the "Advanced WPA3 settings (Cipher and AKM suite settings)".

PhilipDAth
Kind of a big deal

I believe GCMP 256 requires you to use WPA3-192 (and not WPA3).  Also note that WPA3-192 only supports EAP-TLS, and requires certificates using 4096-bit RSA keys or better.

 


https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuratio...

 


KarstenI
Kind of a big deal

It's not that easy with GCMP-256 ...

 

For IEEE 802.11be GCMP-256 support is mandatory ("An EHT RSNA STA shall support GCMP-256"). I don't find any hint in the standard that differentiates between SAE and 802.1X here.

But GCMP-256 was in the standard before, and the usage is allowed. The WPA3 specification doesn't require it, but defines that it can be enabled for both WPA3-Personal and WPA3-Enterprise.

And while the WFA disallows any other ciphers for WPA3-192, the standard would allow CCMP-256 for the same setting.

And for the certificates for WPA3-192, 3072-bit RSA is enough. But I would go for EC certificates with 384 bits.

 

If GCMP-256 cannot be enabled in a specific combination, it's likely the decision of the vendor to do it "this way". The Catalyst 9800 has the same "problem".

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.