iPSK without Radius not compatible with 6ghz?

Solved
nerdherd

Hi All, finally got some MR57s for testing.

Unfortunately I missed the memo (and still can't find it)... Apparently iPSK without RADIUS is not compatible with 6 GHz?

Regular PSK doesn't give any issue, but iPSK says "This SSID will not be broadcast on the 6 GHz band. Use OWE to enable this band." (WPA3 is also not available as an option when iPSK is selected.)

Seems weird since I thought iPSK from a client perspective is just PSK.

Is this a limitation right now because it's still in development? Or is iPSK never going to work with 6 GHz?

I can't find any documentation that says either way.

Thanks for any help!

NolanHerring

I can't speak for Meraki, but 6GHz (Wi-Fi 6E) requires WPA3 or better. Meraki's current implementation of iPSK does not support WPA3, so that is why you are running into that. 

Nolan Herring | nolanwifi.com
PhilipDAth

I've had terrible compatibility issues with clients when using WPA3 (last tested about a month ago).  IMHO, WPA3 is not ready for production deployment.

KarstenI

The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) cannot work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
nerdherd

Thank you! Didn't know that's how iPSK worked under the hood.

ethan_isenberg

Are you saying that IPSK without RADIUS will never be able to support WPA3?

PhilipDAth

@KarstenI is right (iPSK with WPA3 cannot work - any vendor - fundamental WPA3 design decision).

This is more @KarstenI's area than mine, but I am sceptical that iPSK with RADIUS can be made to work with WPA3 - for the same reason.

KarstenI

Let's get a little deeper:

[Image: WLAN-Security-en.278.jpeg]

This is the Authentication step before the association. In message 1, the client starts the authentication by sending cryptographic material based on the passphrase.

The AP sends back its cryptographic material, which is also based on the passphrase. At this step, the AP needs to know the passphrase. For iPSK with RADIUS, the AP could have queried the RADIUS server after the client's message, as the client MAC is known after this first packet.

But without RADIUS, the AP only has a list of possible passphrases and must choose one. The AP doesn't know which, so this will never work.

 

The following is what is done with WPA2 and iPSK without RADIUS. Basically the AP does a dictionary attack on the PSK based on a small list of possible passphrases:

[Image: WLAN-Security-en.115.jpeg]

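The WPA2 behaviour described in the post above, as an added example that is not part of the original thread and not Meraki's code: the AP receives message 2 of the 4-way handshake and checks its MIC against each configured key until one matches. The SSID, MAC addresses, nonces, passphrases, group names and the stand-in frame bytes are all constructed for illustration.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 16 bytes of the PTK from the 802.11 HMAC-SHA1 PRF."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    # One 20-byte PRF block (counter 0) already covers the 16-byte KCK.
    block = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00",
                     hashlib.sha1).digest()
    return block[:16]

def m2_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """MIC of an EAPOL-Key frame (HMAC-SHA1, truncated to 128 bits)."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def identify_psk(pmks, ap_mac, sta_mac, anonce, snonce, frame, received_mic):
    """AP side: return the name of the configured key that produced the MIC."""
    for name, pmk in pmks.items():
        kck = derive_kck(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(m2_mic(kck, frame), received_mic):
            return name
    return None  # no configured key matches: reject the client

# Constructed sample data (not from a real capture).
SSID = "example-ssid"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
M2_FRAME = b"stand-in for EAPOL-Key message 2 with the MIC field zeroed"
CONFIGURED = {"staff": "staff-passphrase-1", "guests": "guest-passphrase-2",
              "iot": "iot-passphrase-3"}
# PMKs depend only on passphrase and SSID, so they can be computed once.
PMKS = {name: derive_pmk(p, SSID) for name, p in CONFIGURED.items()}

def client_mic(passphrase: str) -> bytes:
    """Client side: the MIC a station holding this passphrase would send."""
    kck = derive_kck(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return m2_mic(kck, M2_FRAME)

if __name__ == "__main__":
    for phrase in ("guest-passphrase-2", "not-configured"):
        mic = client_mic(phrase)
        print(phrase, "->", identify_psk(PMKS, AP_MAC, STA_MAC, ANONCE, SNONCE,
                                         M2_FRAME, mic))
```

This works in WPA2 because the AP's message 1 carries only a nonce and does not depend on the passphrase, so the AP can defer the choice of key until the client's MIC arrives.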
thomasthomsen

Perhaps somewhat off-topic. Does anyone know if Meraki will support WPA3 iPSK with RADIUS?

It's possible to do on the 9800 WLC, as far as I can tell.

KarstenI

As of 30.5 it is not available. I also hope for this feature.

TyShawn

This needs to be an option at some point.
