WPA3 enterprise with RADIUS server (EAP-TLS)

RLNG
Getting noticed

Has anyone used WPA3 192-bit Security with the RADIUS server to authenticate corp users using certs (EAP-TLS)?

 

We are currently using EAP-TLS but on Meraki, it's WPA2 only. If so, are there any changes that need to be made on the RADIUS server?

 

All of our corp laptops support WPA3 enterprise.

alemabrahao
Kind of a big deal

There are no changes necessary on the RADIUS server.

 

WPA3-Enterprise

WPA3 Enterprise builds upon WPA2 and is meant to replace it in the future.

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuratio...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RLNG
Getting noticed

I noticed when I choose WPA3 on Meraki the 802.11r gets disabled and 802.11w changes to Required (reject unsupported clients). Also, it's not possible to change these options.

 

Are we going to lose the seamless roaming features that .11r provides? 

 

I currently have 802.11r as Adaptive & 802.11w as Enabled (Allow unsupported clients).

alemabrahao
Kind of a big deal

For me it's not a problem, even though not every device supports 802.11r and 802.11w.

 

What defines a good wireless network is good design.

RLNG
Getting noticed

If not all devices support 802.11w, will that not cause an issue since WPA3 automatically chooses 802.11w to Required (reject unsupported clients)?

alemabrahao
Kind of a big deal

Yes, it is. So my suggestion is not to use only WPA3 and 802.11w if you are not sure that all clients are not compatible.

alemabrahao
Kind of a big deal

It's very clear in the documentation.

 

802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate

KarstenI
Kind of a big deal

Having 802.11w required is the main feature of WPA3.

RLNG
Getting noticed

How can I tell if a supplicant, especially a laptop, supports 802.11w or not?

KarstenI
Kind of a big deal

Googling will certainly help here. Or configure a new SSID with WPA2 and .11w enabled. With this one, you can test it. I assume you will find more clients not supporting 192Bit mode than not supporting .11w.

alemabrahao
Kind of a big deal

I think reading the device specifications can help, right?

TBHPTL
A model citizen

No, MR30.5 adds support for 802.11r with WPA3...

KarstenI
Kind of a big deal

For some customers (including some of mine) it could be a problem that v30 is still beta. For me, it runs very well in a couple of networks.

TBHPTL
A model citizen

Agreed, I'm in the no Beta club. I would wait until it hits release candidate and then only after that has baked for quite a while.

PhilipDAth
Kind of a big deal

> I noticed when I choose WPA3 on Meraki the 802.11r gets disabled and 802.11w changes to Required (reject unsupported clients). Also, it's not possible to change these options.

 

That's because these features are mandatory in WPA3.

 

My personal experience - I can't get WPA3 running reliably - like being able to stay connected for a whole working day. It keeps breaking.

 

I would not personally roll out WPA3 to a client at this point in time.  So much stuff doesn't work with it enabled.

RLNG
Getting noticed

Thank you for your suggestion. Have you changed it back to WPA2 due to an issue or still operating on WPA3?

ggarolla
Conversationalist

I was able to test WPA3-Enterprise with 192-bit security.

However, the option for 802.11r is disabled and cannot be changed: in the WPA3 Specification there is no explicit mention of it being supported for the 192-bit implementation, but no further explanation is given.

I suppose it might be related to some security concerns.

GIdenJoe
Kind of a big deal

WPA3 mandates the use of protected management frames (so 802.11w amendment is set to required).
WPA3 Enterprise with 802.11r fast transition is only supported on MR30.X software train and higher.
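
One way to answer the "does this client support 802.11w" question from a packet capture, as an added example that is not part of any post in this thread: a parser for the RSN element (ID 48) a client sends in its association request, reporting the MFPC/MFPR capability bits and whether the client offers the 192-bit suite (AKM 00-0F-AC:12 with GCMP-256 and BIP-GMAC-256). The function names and the three sample elements are constructed for illustration.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
AKM = {1: "802.1X", 3: "FT-802.1X", 5: "802.1X-SHA256", 12: "802.1X-SuiteB-192"}
CIPHER = {4: "CCMP-128", 6: "BIP-CMAC-128", 9: "GCMP-256", 12: "BIP-GMAC-256"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 (required) and 7 (capable)

def _suite(sel, table):
    return table.get(sel[3], f"type-{sel[3]}") if sel[:3] == IEEE_OUI else "vendor"

def _suite_list(body, off, table):
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie: bytes) -> dict:
    # ie is the full element: ID byte, length byte, then the body.
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    try:
        pairwise, off = _suite_list(body, 6, CIPHER)  # skip version + group cipher
        akm, off = _suite_list(body, off, AKM)
        (caps,) = struct.unpack_from("<H", body, off)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    group_mgmt = None
    if len(body) >= off + 4:                          # optional PMKID count + list
        (n_pmkid,) = struct.unpack_from("<H", body, off + 2)
        off += 4 + 16 * n_pmkid
        if len(body) >= off + 4:                      # optional group management cipher
            group_mgmt = _suite(body[off:off + 4], CIPHER)
    return {"pairwise": pairwise, "akm": akm, "group_mgmt": group_mgmt,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}

def assess(ie: bytes) -> dict:
    r = parse_rsn(ie)
    suite_b = (r["akm"], r["pairwise"], r["group_mgmt"]) == (
        ["802.1X-SuiteB-192"], ["GCMP-256"], "BIP-GMAC-256")
    # A client without MFPC cannot join an SSID that has 802.11w set to Required.
    return {"joins_11w_required_ssid": r["mfp_capable"],
            "offers_192bit": r["mfp_capable"] and suite_b}

# Constructed sample elements (not captured from real devices).
WPA2_NO_PMF = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
WPA2_PMF = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 8000")
WPA3_192 = bytes.fromhex("301a 0100 000fac09 0100 000fac09 0100 000fac0c c000 0000 000fac0c")

if __name__ == "__main__":
    for name, ie in [("wpa2-no-pmf", WPA2_NO_PMF), ("wpa2-pmf", WPA2_PMF), ("wpa3-192", WPA3_192)]:
        print(name, assess(ie))
```

The element bytes can be copied out of the "RSN Information" tag of an association request in a monitor-mode capture of the test SSID.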
