Running WPA3-Enterprise without 192-bit mode - possible on Unleashed?

kiler129 — Thu, 04 Jul 2024 02:33:20 GMT

While migrating our edu network from WPA2/3-Ent to WPA3-Ent I noticed issues with some older Apple devices. One of such example, which we have many, is 11" iPad Pro (MTXQ2LL/A). Per Apple's documentation it appears there should be no problem. Even the enhanced 192-bit mode is supported "(...) in all iPhone 11 models or later, all iPad models starting with the iPad 7th generation, and all Mac computers with Apple silicon." which appears to cover A10X and newer. The iPad in question is a A12X device, which made no sense.

However, until further back and forth, we found that our devices are able to join our UniFi network at a different facility but not the Ruckus network. After investigation, compounded by complete lack of logs on Apple's side beyond EAP daemon crashing, it appears that Apple has a buggy 192-bit implementation in WPA3-Enterprise mode. The only place I found this discussed on the forum here is with regards to WPA2/3 mixed mode, where @sanjay_kumar was testing this on Android.

Is there a way to disable 192-bit mode, while keeping the network as WPA3-Enterprise on Ruckus Unleashed?

---

Edit:
Ok, I'm starting to believe there's some renaming/nomenclature-confusion going on here, where I'm getting lost myself 😉 Someone from Commscope please correct me, or point to a docs page, if I'm wrong. Preliminarily, looking at official WPA3 specs and doing 802.11 captures, I think this goes like this:

WPA2 Enterprise
- Ruckus "Encryption Method": WPA2
- PMF/80211w-pmf: disabled
- AKM: 00-0F-AC:1 (dot1x w/SHA-1) only
- Effect: all clients use WPA2-Ent security

WPA2/3 Enterprise capability/transition mode
- Ruckus "Encryption Method": WPA2/WPA3-Mixed
- PMF/80211w-pmf: optional (as set by Unleashed, but can be set to required)
- AKM: 00-0F-AC:1 (dot1x w/SHA-1) *or* 00:0F:AC:5 (dot1x w/SHA-256); however, it appears that per spec ("shall enable AT LEAST...") it can support additional auth types (e.g. 00-0F-AC:12).
- Effect: WPA2 clients can associate as WPA2, WPA3 ones benefit from WPA3 security, at minimum all clients must support PMF

WPA3 Enterprise Only
- Ruckus "Encryption Method": not available
- PMF/80211w-pmf: required
- AKM: 00:0F:AC:5 (dot1x w/SHA-256); however, it appears that per spec ("shall enable AT LEAST...") it can support additional auth types (e.g. 00-0F-AC:12) but shall not allow 00-0F-AC:1 (dot1x w/SHA-1)
- Effect: WPA2 clients cannot associate, WPA3 ones benefit from WPA3 security, all clients support PMF anyway

WPA3-Enterprise with 192-bit mode
- Ruckus "Encryption Method": WPA3
- PMF/80211w-pmf: required
- AKM: 00:0F:AC:12 (dot1x w/CNSA) only
- Effect: WPA2 clients cannot associate, WPA3 clients with EC support can associate, WPA3 clients unable to support CNSA fail

So, it appears that "WPA3 Enterprise Only" where "00-0F-AC:1" is disabled isn't possible on Unleashed? Also, it's not clear to me if AKM of "00:0F:AC:12" (CNSA) can co-exist with "00:0F:AC:5", offering capable clients 192-bit mode while also serving older ones the older 128-bit mode?

Some sources appear to claim that WPA3-Enterprise Only Mode is "WPA2-Ent with PMF required", which is incorrect. Ruckus Unleashed "WPA2/WPA3-Mixed" mode with PMF required is closer to more compatible WPA3, but still doesn't allow dropping of the "00-0F-AC:1". This is a bit of a problem as even eduroam networks should soon be configured to disallow WPA2 compat mode but without 192-bit mode that is buggy and not widely supported.

Re: Running WPA3-Enterprise without 192-bit mode - possible on Unleashed?

MariaC862 — Fri, 19 Jul 2024 12:37:26 GMT

Hi @kiler129,

Thank you for your question, in order to help you find accurate data could you please indicate the Unleashed version installed on the aps?

topic Re: Running WPA3-Enterprise without 192-bit mode - possible on Unleashed? in Unleashed

Running WPA3-Enterprise without 192-bit mode - possible on Unleashed?

Re: Running WPA3-Enterprise without 192-bit mode - possible on Unleashed?