Meraki

Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

WPA3 enterprise with RADIUS server (EAP-TLS)

RLNG
Getting noticed
‎Sep 23 2023 8:37 AM
‎Sep 23 2023 8:37 AM

WPA3 enterprise with RADIUS server (EAP-TLS)

Has anyone used WAP3 192-bit Security with the RADIUS server to authenticate corp users using certs(EAP-TLS)?

 

We are currently using EAP-TLS but on Meraki, it's WAP2 only. If so are there any changes that need to be made on the Radius server?

 

All of our corp laptops support WAP3 enterprise. 

Labels:
0 Kudos
17 Replies 17
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 8:41 AM
‎Sep 23 2023 8:41 AM

There's no changes necessary on the radius server.

 

WPA3-Enterprise

WPA3 Enterprise builds upon WPA2 and is meant to replace it in the future

 

.https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuratio...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
RLNG
Getting noticed
‎Sep 23 2023 8:45 AM
‎Sep 23 2023 8:45 AM

I noticed when I choose WAP3 on Meraki the 802.11r gets disabled and 802.11w changes to Required (reject unsupported clients). Also, it's not possible to change these options.

 

Are we going to lose the seamless roaming features that .11r provides? 

 

I currently have 802.11r as Adaptive & 802.11w as Enabled(Allow unsupported clients)

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 9:01 AM
‎Sep 23 2023 9:01 AM

For me it's not a problem, even though not every device supports 802.11r and 802.11w.

 

What defines a good wireless network is good design.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
RLNG
Getting noticed
‎Sep 23 2023 9:30 AM
‎Sep 23 2023 9:30 AM

If not all devices support 802.11w, will that not cause an issue since WPA3 automatically chooses 802.11w to Required (reject unsupported clients)?

0 Kudos
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 9:49 AM
‎Sep 23 2023 9:49 AM

Yes, it is. So my suggest is my suggestion is not to use only WPA3 and 802.11w if you are not sure that all clients are not compatible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 9:51 AM
‎Sep 23 2023 9:51 AM

It's very clear on the documentation.

 

802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to RLNG
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 1:52 PM
‎Sep 23 2023 1:52 PM

Having 802.11w required is the main feature of WPA3.

In response to KarstenI
RLNG
Getting noticed
‎Sep 23 2023 2:26 PM
‎Sep 23 2023 2:26 PM

How can I tell if a supplicant especially a laptop supports 802.11w or not?

0 Kudos
In response to RLNG
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 2:45 PM
‎Sep 23 2023 2:45 PM

Googling will certainly help here. Or configure a new SSID with WPA2 and .11w enabled. With this one, you can test it. I assume you will find more clients not supporting 192Bit mode than not supporting .11w.

In response to RLNG
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 23 2023 2:59 PM
‎Sep 23 2023 2:59 PM

I think reading the device specifications can help, right?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to RLNG
TBHPTL
A model citizen
‎Sep 24 2023 9:16 AM
‎Sep 24 2023 9:16 AM

no,  MR30.5 adds support for 802.11r with WPA3...

In response to TBHPTL
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 24 2023 9:33 AM
‎Sep 24 2023 9:33 AM

For some customers (including some of mine) it could be a problem that v30 is still beta. For me, it runs very good in a couple of networks.

In response to KarstenI
TBHPTL
A model citizen
‎Sep 24 2023 9:43 AM
‎Sep 24 2023 9:43 AM

Agreed, I'm in the no Beta club. I would wait until it hits release candidate and then only after that has baked for quite a while.

In response to RLNG
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 24 2023 3:51 PM
‎Sep 24 2023 3:51 PM

>I noticed when I choose WAP3 on Meraki the 802.11r gets disabled and 802.11w changes to Required (reject unsupported clients). Also, it's not possible to change these options.

 

That's because these features are mandatory in WPA3.

 

My personal experience - I can' get WPA3 running reliably - like being able to stay connected for a whole working day.  It keeps breaking.

 

I would not personally roll out WPA3 to a client at this point in time.  So much stuff doesn't work with it enabled.

In response to PhilipDAth
RLNG
Getting noticed
‎Sep 25 2023 3:43 PM
‎Sep 25 2023 3:43 PM

Thank you for your suggestion. Have you changed it back to WPA2 due to an issue or still operating on WAP3? 

0 Kudos
ggarolla
Conversationalist
‎Jan 10 2024 12:23 AM
‎Jan 10 2024 12:23 AM

I was able to test WPA3-Enterprise with 192-bit security.

However, the option for 802.11r is disabled and cannot be changed: in WPA3 Specification there is no explicit mention of it being supported for the 192-bit implementation, but no further explanation is given.

I suppose it might be related to some security concerns.

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jan 14 2024 4:02 AM
‎Jan 14 2024 4:02 AM

WPA3 mandates the use of protected management frames (so 802.11w amendement is set to required).
WPA3 Enterprise with 802.11r fast transition is only supported on MR30.X software train and higher.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.