Hi All, finally got some MR57s for testing.
Unfortunately I missed the memo (and still can't find it)... Apparently iPSK without RADIUS is not compatible with 6 GHz?
Regular PSK doesn't give any issue, but iPSK says "This SSID will not be broadcast on the 6 GHz band. Use OWE to enable this band." (WPA3 is also not available as an option when iPSK is selected)
Seems weird since I thought iPSK from a client perspective is just PSK.
Is this a limitation right now because it's still in development? Or is iPSK never going to work with 6 GHz?
I can't find any documentation that says either way.
Thanks for any help!
I can't speak for Meraki, but 6GHz (Wi-Fi 6E) requires WPA3 or better. Meraki's current implementation of iPSK does not support WPA3, so that is why you are running into that.
I've had terrible compatibility issues with clients when using WPA3 (last tested about a month ago). IMHO, WPA3 is not ready for production deployment.
The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) cannot work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.
Thank you! Didn't know that's how iPSK worked under the hood.
Are you saying that iPSK without RADIUS will never be able to support WPA3?
Let's get a little deeper:
This is the Authentication step before the association. In message 1, the client starts the authentication by sending cryptographic material based on the passphrase.
The AP sends back its cryptographic material, which is also based on the passphrase. At this step, the AP needs to know the passphrase. For iPSK with RADIUS, the AP could have queried the RADIUS server after the client's message, as the client MAC is known after this first packet.
But without RADIUS, the AP only has a list of possible passphrases and must choose one. The AP doesn't know which, so this will never work.
The following is what is done with WPA2 and iPSK without RADIUS. Basically the AP does a dictionary attack on the PSK based on a small list of possible passphrases:
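The AP-side matching described in the post above, as an added example that is not part of the original post or Meraki's code: for each configured passphrase the AP derives the WPA2 key-confirmation key and checks it against the MIC of the client's handshake message 2. The SSID, MAC addresses, nonces, group names, passphrases and frame bytes are constructed, and `select_psk` and `demo` are hypothetical names.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # The PTK is a PRF over both MACs and both nonces; the KCK is its first
    # 16 bytes, so the first 20-byte PRF block (counter 0) is enough here.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    block = hmac.new(pmk, label + b"\x00" + data + b"\x00", hashlib.sha1).digest()
    return block[:16]

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    # HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, cut to 16 bytes
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def select_psk(candidates, ssid, ap_mac, sta_mac, anonce, snonce, msg2, mic):
    # AP side: the client's MIC in message 2 is the first proof of which
    # passphrase it holds, so every configured candidate is tried against it.
    for group, passphrase in candidates.items():
        kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid),
                           ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), mic):
            return group
    return None  # no configured passphrase matches: reject the client

def demo(client_passphrase: str):
    # All values below are constructed for illustration.
    ssid = "example-ssid"
    ap_mac = bytes.fromhex("02aabbccdd01")
    sta_mac = bytes.fromhex("02aabbccdd02")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    msg2 = b"\x01\x03\x00\x5f\x02\x01\x0a" + snonce + bytes(56)  # stand-in frame
    candidates = {"group-cameras": "camera-passphrase-1",
                  "group-printers": "printer-passphrase-2",
                  "group-guests": "guest-passphrase-3"}
    # Client side: computes the MIC from the one passphrase it was given.
    kck = kck_from_pmk(pmk_from_passphrase(client_passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, msg2)
    return select_psk(candidates, ssid, ap_mac, sta_mac, anonce, snonce, msg2, mic)

if __name__ == "__main__":
    print(demo("printer-passphrase-2"))
```

This works in WPA2 because the AP's message 1 carries only a nonce and does not depend on the passphrase; as the post describes, the SAE exchange requires the AP's reply to already be based on one passphrase.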
Perhaps somewhat off-topic. Does anyone know if Meraki will support WPA3 iPSK with RADIUS?
It's possible to do on the 9800 WLC, as far as I can tell.
As of 30.5 it is not available. I also hope for this feature.
This needs to be an option at some point.