Meraki

Community

iPSK without Radius not compatible with 6ghz?

Solved
nerdherd
Comes here often
‎Jan 5 2023 9:32 AM
‎Jan 5 2023 9:32 AM

iPSK without Radius not compatible with 6ghz?

Hi All, finally got some MR57s for testing.

 

Unfortunately I missed the memo (and still cant find it)...Apparently iPSK without radius is not compatible with 6 ghz? 

 

Regular PSK doesnt give any issue, but iPSK says "This SSID will not be broadcast on the 6 GHz band. Use OWE to enable this band." (WPA3 is also not available as an option when iPSK selected)

 

Seems weird since I thought iPSK from a client perspective is just PSK.

 

Is this a limitation right now because it's still in development? or is iPSK never going to work with 6ghz?

I cant find any documentation that says either way

 

Thanks for any help!

Labels:
0 Kudos
1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 5 2023 2:40 PM
‎Jan 5 2023 2:40 PM

The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) can not work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

10 Replies 10
NolanHerring
Kind of a big deal
‎Jan 5 2023 9:49 AM
‎Jan 5 2023 9:49 AM

I can't speak for Meraki, but 6GHz (Wi-Fi 6E) requires WPA3 or better. Meraki's current implementation of iPSK does not support WPA3, so that is why you are running into that. 

Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 5 2023 11:56 AM
‎Jan 5 2023 11:56 AM

I've had terrible compatibility issues with clients when using WPA3 (last tested about a month ago).  IMHO, WPA3 is not ready for production deployment.

0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 5 2023 2:40 PM
‎Jan 5 2023 2:40 PM

The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) can not work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
nerdherd
Comes here often
‎Jan 11 2023 5:31 AM
‎Jan 11 2023 5:31 AM

Thank you!  Didnt know that's how iPSK worked under the hood.

0 Kudos
In response to KarstenI
ethan_isenberg
Comes here often
‎Mar 12 2024 12:58 PM
‎Mar 12 2024 12:58 PM

Are you saying that IPSK without RADIUS will never be able to support WPA3 ?

0 Kudos
In response to ethan_isenberg
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 1:05 PM
‎Mar 12 2024 1:05 PM

@KarstenI is right (iPSK with WPA3 can not work - any vendor - fundamental WPA3 design decision).

 

This is more @KarstenI's area than mine, but I am sceptical that iPSK with RADIUS can be made to work with WPA3 - for the same reason.

In response to ethan_isenberg
KarstenI
Kind of a big deal
Kind of a big deal
‎Mar 12 2024 1:57 PM
‎Mar 12 2024 1:57 PM

Let's get a little deeper:

WLAN-Security-en.278.jpeg

 

This is the Authentication step before the association. In message 1, the client starts the authentication by sending cryptographic material based on the passphrase.

The AP sends back its cryptographic material, which is also based on the passphrase. At this step, the AP needs to know the passphrase. For iPSK with RADIUS, the AP could have queried the RADIUS server after the client's message, as the client MAC is known after this first packet.

But without RADIUS, the AP only has a list of possible passphrases and must choose one. The AP doesn't know which, so this will never work.

 

The following is what is done with WPA2 and iPSK without RADIUS. Basically the AP does a dictionary attack on the PSK based on a small list of possible passphrases:

WLAN-Security-en.115.jpeg

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
thomasthomsen
Kind of a big deal
‎Dec 13 2023 5:38 AM
‎Dec 13 2023 5:38 AM

Perhaps somewhat off-topic. Do anyone know if Meraki will support WPA3 iPSK with Radius ?

Its possible to do on the 9800 WLC, as far as I can tell.

In response to thomasthomsen
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 13 2023 6:11 AM
‎Dec 13 2023 6:11 AM

As of 30.5 it is not available. I also hope for this feature.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to thomasthomsen
TyShawn
A model citizen
‎Mar 14 2024 3:43 PM
‎Mar 14 2024 3:43 PM

This needs to be an option at some point.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.