Meraki

Community

How to get WPA3-192 bit working?

Solved
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

How to get WPA3-192 bit working?

Has anyone had success getting WPA3-192-bit to work with WiFi-6E using EAP-TLS (EAP-TLS is the only supported option)?

 

I note that the RADIUS server has specific certificate and crypto requirements.  I have implemented those.

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuratio...

 

It is unclear to me whether the supplicant has any specific certificate requirements.  My clients don't have certificates as strong, but I am not keen to roll that change out, and I am not clear that it is required.

 

I have checked that the client's WiFi chipset supports WPA3-192.  We are using the latest drivers.

 

The client has CW9164I.  I have tried multiple firmware versions.

 

I note that when it discusses WiFi7, it states that you must use SSIDs #13 - #15.  I have not tried that yet.  I will try that today.

 

When the client brings up the list of SSIDs in Windows 11, Windows shows a "cross" next to the SSID, and refuses to allow them to connect.

 

 

I feel close to giving up.  I'm hoping someone has managed to get this going and can give me a hint.

Labels:
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

I have managed to get this to go.

 

I had one user manually configure the SSID in Windows to use WPA3-192.  It then worked.  I then had them "forget" the SSID, click on the SSID again, and it again "just worked".

 

There must have been some bad state in the SSID configuration in Windows from all the experimenting we had been doing.

We are going to pilot the config for a week, and then commence planning a full WPA3-192 roll-out.

 

Also of note is that we did not have to use SSID slots SSIDs #13 - #15.

View solution in original post

9 Replies 9
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

I found this interesting command to check if your clients can support WPA3-192:

netsh wlan show drivers

 

It should output something like:

PhilipDAth_0-1756150880579.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

I have managed to get this to go.

 

I had one user manually configure the SSID in Windows to use WPA3-192.  It then worked.  I then had them "forget" the SSID, click on the SSID again, and it again "just worked".

 

There must have been some bad state in the SSID configuration in Windows from all the experimenting we had been doing.

We are going to pilot the config for a week, and then commence planning a full WPA3-192 roll-out.

 

Also of note is that we did not have to use SSID slots SSIDs #13 - #15.

KarstenI
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Regarding the certificate requirements: Yes, all certs have to be at least EC-384 or RSA-3072. However, for my tests, only Android failed the connection when this requirement was not met. All the others didn't complain.

 

Some more Info on 192-bit mode: https://cyber-fi.net/index.php/2024/11/03/wpa3-192-bit-mode/

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

This is the combination that worked for me:

  • RADIUS server certificate meeting the stated requirements
  • Client certificates are nowhere near as strong.  Definately not meeting the requirements.

 

The RADIUS server is Microsoft NPS, and the clients are all Windows 11 using Intel WiFi NICs.

0 Kudos
In response to PhilipDAth
KarstenI
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Yes, this combination also worked for me. But I would monitor every Windows update if they changed the behavior. I consider it a bug to allow the connection, but I assume that Apple and Microsoft disagree. IMO, only Android does it correctly.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

That is a good, comprehensive article.  The author sounds familiar.  🙂

In response to KarstenI
RaphaelL
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Side note. 

 

@KarstenI I didn't know you had a blog. Nice articles are great presentation skills ! Good job

KarstenI
Kind of a big deal
Kind of a big deal
a week ago
a week ago

And for the SSID slots: All my WPA3-192bit SSIDs run on lower numbers. I read the document as indicating that this change is only for Wi-Fi 7.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Noted.  I tried it out of desperation, but it made no difference.

 

So I am leaning towards:

  • Migrating from WiFi5 to WiFi-6E with WPA3-192 requires a new SSID.  There is no way to do an in-place migration.
  • Migrating from anything to WiFi7 will require yet another new SSID, and it has to be configured in a slot with no other SSIDs.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.