KRACK or PMKID vulnerabilities impact and Fast Roaming 802.11r

SOLVED
nscheffer
Getting noticed

KRACK or PMKID vulnerabilities impact and Fast Roaming 802.11r

Hi,

 

I got the following config :

- several MR52 using WPA2-PSK for most of the SSIDs used

- on some SSID Adaptative 802.11r enabled due to a large majority of iOS and Mac OS devices with Fast Lane enabled

- 802.11w enabled

 

Due to the KRACK or PMKID vulnerabilities it's recommended to disable 802.11r when using WPA2-PSK but we are loosing all benefit when using Apple devices with Cisco products, what is the alternative to keep 802.11r ?

Thanks in advance.

Regards.

Nicolas Scheffer

 

1 ACCEPTED SOLUTION
4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

If you increase your PSK length to 11 digits or more you practically don't have a problem anymore.

 

A better solution is to use WPA2-Enterprise mode, because you can use this with 802.11r without issue.  You can use this either with RADIUS (if you have Active Directory for example) of it you have a smaller number of users you can use Meraki Authentication.

 

You could also use Meraki Systems Manager with Systems Manager authentication, which uses certificate based authentication.

Hi Philip,

 

Thanks for the quick answer.

WPA2-Enterprise mode could be a solution for managed devices I got using Meraki Systems Manager.

When you say to use Meraki Systems Manger for authentication (using Certificates created during enrolment, which is nice I really like it !) how to do it ?

- Associations requirements is WPA2-Enterprise with Meraki Authentication 

- but where you specify you want to use Cert authentication instead of login/password ?

 

Nicolas

Excellent !

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels