OWE for Guest Networks

carlto
Comes here often

Hi All

I have enabled OWE on my Guest network. Does this force all clients to encrypt the traffic on this Open network? Or is it an option, i.e. if the client supports it, it will use it, and if the client doesn't support it, it won't?

Is all of the traffic encrypted?

KarstenI
Kind of a big deal

If you enable OWE, all clients have to support it, and all client traffic will be encrypted. The "best effort" approach, where only supported clients use OWE and clients that don't support it use the open mode, is the OWE-Transition mode, which is not supported in the stable MR release yet. I heard it is implemented in a recent MR32.x version.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
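To check which of the modes described above a guest SSID actually advertises, the beacon's information elements can be classified. This is an added example, not part of the original post and not Meraki code; it assumes the OWE AKM suite selector 00-0F-AC:18 and the Wi-Fi Alliance OWE Transition Mode vendor element (OUI 50-6F-9A, type 0x1C), and the helper names and sample bytes are constructed for illustration.

```python
import struct

OWE_AKM = bytes.fromhex("000fac12")         # AKM suite 00-0F-AC:18 (OWE, RFC 8110)
OWE_TRANSITION = bytes.fromhex("506f9a1c")  # Wi-Fi Alliance OUI 50-6F-9A, type 0x1C

def iter_ies(buf):
    """Yield (element_id, body) pairs from tagged parameters; stop on truncation."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def rsn_akms(rsne):
    """Return the AKM suite selectors listed in an RSN element body."""
    try:
        (n_pairwise,) = struct.unpack_from("<H", rsne, 6)  # after version + group cipher
        pos = 8 + 4 * n_pairwise
        (n_akm,) = struct.unpack_from("<H", rsne, pos)
    except struct.error:
        return []                                          # truncated element
    return [rsne[i:i + 4] for i in range(pos + 2, pos + 2 + 4 * n_akm, 4) if i + 4 <= len(rsne)]

def classify(tagged):
    """Classify a BSS as 'open', 'owe-only', 'owe-transition' or 'other'."""
    akms, transition = None, False
    for eid, body in iter_ies(tagged):
        if eid == 48:                                      # RSN element
            akms = rsn_akms(body)
        elif eid == 221 and body[:4] == OWE_TRANSITION:    # vendor-specific element
            transition = True
    if transition:
        return "owe-transition"   # open and OWE BSS paired, best effort for clients
    if akms is None:
        return "open"             # no RSN element: unencrypted open network
    return "owe-only" if OWE_AKM in akms else "other"

def ie(eid, body):
    """Hypothetical helper: build one element for the constructed samples below."""
    return bytes([eid, len(body)]) + body

# Constructed sample elements (not captured traffic).
SSID = ie(0, b"Guest")
RSNE_OWE = ie(48, bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac12" "c000"))
OWE_TM = ie(221, OWE_TRANSITION + bytes.fromhex("020000000001") + bytes([5]) + b"Guest")
```

A result of `owe-only` corresponds to the case where every client has to support OWE; `owe-transition` is the best-effort mode.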
carlto
Comes here often

Thanks for the update. From your experience, do most clients support it? Is it classed as WPA3? Or just open mode?

KarstenI
Kind of a big deal

No, it's still a whole mess. My strategy is:

One SSID "Guest-Fast" with OWE in 5 and 6 GHz

One SSID "Guest" with Open in 2.4 GHz and 5 GHz

The guests will try the "Fast" SSID, and if that doesn't work, they typically go to the "normal" SSID and don't complain.

PhilipDAth
Kind of a big deal

Does OWE enable the use of the 6 GHz band?

KarstenI
Kind of a big deal

I am not sure if "enable" is the right term here; it is a requirement from the 802.11ax-2021 amendment:

----- snip -----

The following apply to a STA operating in the 6 GHz band:

- The STA shall not use the following pre-RSNA security methods:

  ...

  - Open System authentication without encryption

  ...

----- snap -----

and 

----- snip -----

The STA should use Opportunistic Wireless Encryption, as specified in IETF RFC 8110, when connecting in an infrastructure BSS without authentication (as a replacement for Open System authentication without encryption).

----- snap -----
