WPA3 Transition mode with Enterprise 802.1X radius

Tom42
Here to help

I have recently installed some CW9166 6 GHz access points.

I would like to enable WPA3 to enable 6 GHz operation; however, there is no option to enable WPA3 transition mode when you are using Enterprise 802.1X security on an SSID.

We have some devices with chipsets that don't seem to support WPA3, so when we move the SSID into native WPA3 mode these devices can no longer connect to it.

Would like to avoid having to create a separate SSID for these devices if possible as that starts getting a bit messy to push out and manage.

Is there any way around this problem or are there any plans for this config setting to be added within the dashboard?

KarstenI
Kind of a big deal

Sadly, with the MR we can't use one SSID with WPA3 on 6GHz and WPA3 Transition on 2.4/5 GHz. You likely need a new WPA3-only SSID and migrate all capable devices into this SSID.

GIdenJoe
Kind of a big deal

That's not just MR but everywhere, since if you use transition mode that would mean you also support WPA2 association, but that is not allowed in 6 GHz.

So yes, you have to have a separate SSID if you want to support anything below WPA3 and enable 6 GHz on it.

KarstenI
Kind of a big deal

On Catalyst, it is possible in newer Firmware versions. If Transition mode is configured, it enables WPA3-Transition on 2.4 and 5, but WPA3-only on 6 GHz.

 

EDIT: I just looked; the same is valid for Mist. This makes me think it could be common outside of the Meraki world.

 

EDIT2: I still would prefer a separate SSID in most cases as I am not a friend of any transition mode.

Yeah, that's what I'd like from "Transition" mode! - WPA3 only just for 6 GHz.

If Catalyst supports it, is this a setting that is likely to sneak into an MR firmware very soon?

KarstenI
Kind of a big deal

As always, I would not wait for it. At least not if it is not in the newest Beta.

And here we are .... almost 7 months later, still no "transition mode" like on 9800 17.12 software.

GIdenJoe
Kind of a big deal

I stand corrected!

UKDanJones
Building a reputation

I haven't tested it yet but I'd be surprised if clients that are capable of WPA2 couldn't do WPA3 enterprise as they're effectively the same thing... 

 

Have you tried setting a WPA3 enterprise SSID and connecting your devices?

Please feel free to hit that kudos button
UKDanJones
Building a reputation

There's only a difference in WPA2/3 when you use a PSK/passphrase - SAE is the difference. 

Please feel free to hit that kudos button

Don't forget MFP is required not optional with WPA3.

I have tried converting existing SSIDs over to WPA3.
Once I have done this, devices with the Intel AC8265 chipset will no longer connect, and if you google this it appears that they don't support WPA3. Unfortunately there are multiple trolleys full of the same laptop model on site!
All other devices seem fine (at least once you go to MR 29.6.1 firmware!)

>I haven't tested it yet but I'd be surprised if clients that are capable of WPA2 couldn't do WPA3 enterprise as they're effectively the same thing

 

I've tried this and found it unworkable - too many driver bugs.

MFP is required for WPA3; that is the difference when we are talking .1X.

It's more than just MFP...

KarstenI
Kind of a big deal

And AKM5 instead of AKM1.

GIdenJoe
Kind of a big deal

Really? Can you show an OTA of that? I have only witnessed a difference in the PMF part.
I am talking about the regular AES version, not the higher 192-bit version of it.

KarstenI
Kind of a big deal

It's in the WPA3 specification:

[Image: KarstenI_0-1710843715786.jpeg]

 

GIdenJoe
Kind of a big deal

Ok great. I will have to perform an OTA then to verify.
I always used to look for the 802.11 specification documentation but you have to pay for those documents. Didn't know the WPA documentation was freely available 😉

KarstenI
Kind of a big deal

The actual standard 802.11-2020 is also free:

https://standards.ieee.org/products-programs/ieee-get-program/

 

For this topic, it is important to notice that WPA3 is nothing more than a specification and certification, mainly based on the features available in the standard.

KarstenI
Kind of a big deal


@GIdenJoe wrote:

Ok great.  I will have to perform an OTA then to verify.


The compare feature in Wi-Fi Explorer Pro is great for showing the differences between two SSIDs.
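
Added example, not part of any post in this thread: a small Python parser for the RSN element (ID 48) taken from a captured beacon or probe response, checking the two differences discussed above (AKM suite 5 versus 1, and MFP required). The sample elements are constructed, and the transition-mode rule (both AKMs advertised, MFP capable but not required) is an assumption of this sketch.

```python
import struct

OUI_IEEE = bytes.fromhex("000fac")
AKM_8021X, AKM_8021X_SHA256 = 1, 5   # "AKM1" and "AKM5" in the thread
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 and 7

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element into its AKM suite types and MFP flags."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):   # this sketch treats all fields as present
            raise ValueError("truncated RSN element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list():
        (count,) = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    take(4)        # group data cipher suite
    suite_list()   # pairwise cipher suites
    akms = {s[3] for s in suite_list() if s[:3] == OUI_IEEE}
    (caps,) = struct.unpack("<H", take(2))
    return {"version": version, "akms": akms,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}

def classify(rsn: dict) -> str:
    """Label the enterprise mode from the AKM list and the MFP bits."""
    a1, a5 = AKM_8021X in rsn["akms"], AKM_8021X_SHA256 in rsn["akms"]
    if a5 and not a1 and rsn["mfp_required"]:
        return "WPA3-Enterprise only"
    if a1 and a5 and rsn["mfp_capable"] and not rsn["mfp_required"]:
        return "WPA3-Enterprise transition"   # assumed rule, see lead-in
    if a1 and not a5:
        return "WPA2-Enterprise"
    return "other/mixed"

# Constructed sample elements (CCMP group and pairwise ciphers), not captures.
SAMPLES = {
    "wpa2": bytes.fromhex("30140100000fac040100000fac040100000fac010000"),
    "wpa3": bytes.fromhex("30140100000fac040100000fac040100000fac05c000"),
    "trans": bytes.fromhex("30180100000fac040100000fac040200000fac01000fac058000"),
}
if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(name, "->", classify(parse_rsn(ie)))
```
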
