WPA3 errors without WPA3 configured
Have an SSID that is configured for WPA2-Enterprise using RADIUS/802.1X-PEAP. 802.11w is set to required. SSID is running in NAT mode.
At times I am seeing errors like the following:
Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='0' vap='3' channel='6' rssi='42'
The client is configured for WPA2. The client was successfully connected and then all of a sudden couldn't roam to this AP, and the above error was seen in the connection log. Eventually, with no changes to the client or on the dashboard, the client was able to connect.
APs are MR42s and they are running MR 29.4.1
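One way to triage events like the one quoted above offline, as an added example that is not part of the original post or any Meraki tooling: it parses the key='value' details and flags events whose auth_mode disagrees with what the SSID is configured for. The vap-to-mode mapping, the helper names and the sample lines (with documentation-range IPs) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample event details in the format quoted in the post.
SAMPLE_EVENTS = [
    "Client made an 802.1X authentication request to the RADIUS server, but it "
    "did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' "
    "radius_ip='192.0.2.10' reason='radius_login_failure' radio='0' vap='3' "
    "channel='6' rssi='42'",
    "auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.0.2.10' "
    "reason='radius_login_failure' radio='0' vap='1' channel='6' rssi='30'",
    "auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.0.2.10' "
    "reason='radius_login_failure' radio='0' vap='3' channel='6' rssi='17'",
]

# Hypothetical mapping of vap index to the WPA generation configured on that
# SSID in the dashboard (assumption: vap '3' is the WPA2-Enterprise SSID).
CONFIGURED_WPA = {"3": "wpa2", "1": "wpa3"}

PAIR = re.compile(r"(\w+)='([^']*)'")

def parse_event(details):
    """Extract key='value' pairs, ignoring the free-text sentence before them."""
    return dict(PAIR.findall(details))

def find_mismatches(events, configured):
    """Return parsed events whose auth_mode does not match the SSID's config."""
    hits = []
    for raw in events:
        ev = parse_event(raw)
        expected = configured.get(ev.get("vap"))
        # Skip events for SSIDs we have no configured mode for.
        if expected and not ev.get("auth_mode", "").startswith(expected):
            hits.append(ev)
    return hits

def summarize(hits):
    """Count mismatches per (vap, radio, channel, reason) to spot affected APs."""
    return Counter(
        (ev.get("vap"), ev.get("radio"), ev.get("channel"), ev.get("reason"))
        for ev in hits
    )

if __name__ == "__main__":
    for key, count in summarize(find_mismatches(SAMPLE_EVENTS, CONFIGURED_WPA)).items():
        print(count, "mismatched event(s) for vap/radio/channel/reason:", key)
```

A per-AP count of such mismatches, with timestamps, is the kind of evidence worth attaching to a support case.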
Disable 802.11w and all will be fine.
Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons.
Please, if this post was useful, leave your kudos and mark it as solved.
If I wasn't getting hammered with deauthentications from a neighbor then I would disable 802.11w.
Why would 802.11w trigger WPA3 errors?
Disable 802.11w and all will be fine.
Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons.
That's the thing, the device does support 802.11w. It was previously connected and was able to connect after the fact eventually.
WPA3 Transition Mode
WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.
802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate.
WPA3 transition mode is only if you are doing PSK. Isn't available for WPA3-Enterprise.
Ok, but it explains the following behaviors that you informed us about, you can open a support case to confirm. 😉
Opened a case. This behavior is a known bug.
Do you have any update from the case? When will it be solved?
Thanks man 🙂 you saved my day!!!
Instead of having the SSID in NAT mode, try putting the device directly on the network, using Bridge Mode.