I have recently installed some CW9166 6 GHz access points.
Would like to enable WPA3 to enable 6 GHz operation; however, there is no option to enable WPA3 transition mode when you are using Enterprise 802.1X security on an SSID.
We have some devices with chipsets that don't seem to support WPA3, so when we move the SSID into native WPA3 mode these devices can no longer connect to it.
Would like to avoid having to create a separate SSID for these devices if possible, as that starts getting a bit messy to push out and manage.
Is there any way around this problem or are there any plans for this config setting to be added within the dashboard?
Sadly, with the MR we can't use one SSID with WPA3 on 6GHz and WPA3 Transition on 2.4/5 GHz. You likely need a new WPA3-only SSID and migrate all capable devices into this SSID.
That's not just MR but everywhere, since using transition mode would mean you also support WPA2 association, but that is not allowed in 6 GHz.
So yes, you have to have a separate SSID if you want to support anything below WPA3 and enable 6 GHz on it.
On Catalyst, it is possible in newer firmware versions. If Transition mode is configured, it enables WPA3-Transition on 2.4 and 5, but WPA3-only on 6 GHz.
EDIT: I just looked; the same is valid for Mist. This makes me think it could be common outside of the Meraki world.
EDIT2: I still would prefer a separate SSID in most cases as I am not a friend of any transition mode.
Yeah, that's what I'd like from "Transition" mode! - WPA3 only just for 6 GHz.
If Catalyst supports it, is this a setting that is likely to sneak into an MR firmware very soon?
As always, I would not wait for it. At least not if it is not in the newest Beta.
And here we are .... almost 7 months later, still no "transition mode" like on 9800 17.12 software.
I stand corrected!
I haven't tested it yet but I'd be surprised if clients that are capable of WPA2 couldn't do WPA3 enterprise as they're effectively the same thing...
Have you tried setting a WPA3 enterprise SSID and connecting your devices?
There's only a difference in WPA2/3 when you use a PSK/passphrase - SAE is the difference.
Don't forget MFP is required, not optional, with WPA3.
I have tried converting existing SSIDs over to WPA3.
Once I have done this, devices with the Intel AC8265 chipset will no longer connect, and if you google this it appears that they don't support WPA3. Unfortunately there are multiple trolleys full of the same laptop model on site!
All other devices seem fine (at least once you go to MR 29.6.1 firmware!)
>I haven't tested it yet but I'd be surprised if clients that are capable of WPA2 couldn't do WPA3 enterprise as they're effectively the same thing
I've tried this and found it unworkable - too many driver bugs.
MFP is required for WPA3; that is the difference when we are talking .1X.
It's more than just MFP...
And AKM5 instead of AKM1.
Really? Can you show an OTA of that? I have only witnessed a difference in the PMF part.
I am talking about the regular AES version, not the higher 192-bit version of it.
Ok great. I will have to perform an OTA then to verify.
I always used to look for the 802.11 specification documentation but you have to pay for those documents. Didn't know the WPA documentation was freely available 😉
The actual standard 802.11-2020 is also free:
https://standards.ieee.org/products-programs/ieee-get-program/
For this topic, it is important to notice that WPA3 is nothing more than a specification and certification, mainly based on the features available in the standard.
@GIdenJoe wrote: Ok great. I will have to perform an OTA then to verify.
The compare feature in Wi-Fi Explorer Pro is great for showing the differences between two SSIDs.
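The fields this thread argues about (AKM1 versus AKM5, and whether MFP is required or only capable) can be read directly from the RSN element of a captured beacon. The Python below is an added example, not part of any post in the thread; the function names are hypothetical, the sample elements are constructed rather than captured, and the classification rules are an assumption built from the AKM and MFP differences named above.

```python
import struct

OUI = bytes.fromhex("000fac")        # IEEE 802.11 suite selector OUI
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities: MFP required / capable

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 48) through the RSN Capabilities field."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                       # group data cipher suite
    take(4 * struct.unpack("<H", take(2))[0])     # pairwise cipher suite list
    n_akm = struct.unpack("<H", take(2))[0]
    akms = {s[3] for s in (take(4) for _ in range(n_akm)) if s[:3] == OUI}
    caps = struct.unpack("<H", take(2))[0]
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}

def classify(rsn: dict) -> str:
    """Map AKM 1 (802.1X) / AKM 5 (802.1X SHA-256) plus MFP bits to a mode."""
    akms, mfpc, mfpr = rsn["akms"], rsn["mfpc"], rsn["mfpr"]
    if akms == {5} and mfpc and mfpr:
        return "WPA3-Enterprise only"
    if akms == {1, 5} and mfpc and not mfpr:
        return "WPA3-Enterprise transition"
    if akms == {1}:
        return "WPA2-Enterprise"
    return "other"

def build_rsn(akm_types, caps: int) -> bytes:
    """Constructed sample element: CCMP group/pairwise, given AKMs and caps."""
    ccmp = OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types))
    body += b"".join(OUI + bytes([a]) for a in akm_types)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body

if __name__ == "__main__":
    for akm_types, caps in [([1], 0), ([1, 5], MFPC), ([5], MFPC | MFPR)]:
        print(akm_types, hex(caps), classify(parse_rsn(build_rsn(akm_types, caps))))
```

Feeding it the RSN element bytes from beacons of two SSIDs shows which of the two differences (AKM list, MFPR bit) a non-connecting client is actually facing.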
I know that this thread was started a good while back now. But is there any update on whether WPA3 mixed mode with Enterprise is going to be supported?