07-03-2024 04:59 PM - edited 07-03-2024 07:33 PM
While migrating our edu network from WPA2/3-Ent to WPA3-Ent I noticed issues with some older Apple devices. One such example, of which we have many, is the 11" iPad Pro (MTXQ2LL/A). Per Apple's documentation it appears there should be no problem. Even the enhanced 192-bit mode is supported "(...) in all iPhone 11 models or later, all iPad models starting with the iPad 7th generation, and all Mac computers with Apple silicon." which appears to cover A10X and newer. The iPad in question is an A12X device, which made no sense.
However, after further back and forth, we found that our devices are able to join our UniFi network at a different facility but not the Ruckus network. After investigation, compounded by a complete lack of logs on Apple's side beyond the EAP daemon crashing, it appears that Apple has a buggy 192-bit implementation in WPA3-Enterprise mode. The only place I found this discussed on the forum here is with regard to WPA2/3 mixed mode, where @sanjay_kumar was testing this on Android.
Is there a way to disable 192-bit mode, while keeping the network as WPA3-Enterprise on Ruckus Unleashed?
---
Edit:
OK, I'm starting to believe there's some renaming/nomenclature confusion going on here, where I'm getting lost myself 😉 Someone from CommScope please correct me, or point to a docs page, if I'm wrong. Preliminarily, looking at official WPA3 specs and doing 802.11 captures, I think this goes like this:
So, it appears that "WPA3 Enterprise Only" where "00-0F-AC:1" is disabled isn't possible on Unleashed? Also, it's not clear to me if AKM of "00:0F:AC:12" (CNSA) can co-exist with "00:0F:AC:5", offering capable clients 192-bit mode while also serving older ones the older 128-bit mode?
Some sources appear to claim that WPA3-Enterprise Only Mode is "WPA2-Ent with PMF required", which is incorrect. Ruckus Unleashed "WPA2/WPA3-Mixed" mode with PMF required is closer to more compatible WPA3, but still doesn't allow dropping of the "00-0F-AC:1". This is a bit of a problem as even eduroam networks should soon be configured to disallow WPA2 compat mode but without 192-bit mode that is buggy and not widely supported.
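
To see which AKM suites and PMF bits an AP actually advertises in a capture, the RSN element of a beacon can be decoded directly. The following is an added example, not part of the original post and not Ruckus or CommScope code; the mode labels in `classify` are an assumption based on the AKM selectors the post names, and both sample elements are constructed, not captured.

```python
import struct

# AKM suite types under OUI 00-0F-AC that the post discusses (IEEE 802.11).
AKM_NAMES = {1: "802.1X", 5: "802.1X-SHA256", 12: "802.1X-Suite-B-192"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities: PMF required / PMF capable

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, without the ID/length bytes)."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN element")
        off += n
        return body[off - n:off]

    def suite() -> tuple:
        raw = take(4)  # 3-byte OUI followed by 1-byte suite type
        return raw[:3].hex("-").upper(), raw[3]

    def suite_list() -> list:
        (count,) = struct.unpack("<H", take(2))
        return [suite() for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    group, pairwise, akm = suite(), suite_list(), suite_list()
    (caps,) = struct.unpack("<H", take(2))
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "mfpr": bool(caps & MFPR), "mfpc": bool(caps & MFPC)}

def classify(rsn: dict) -> str:
    """Label the advertised mode (labels are this example's assumption)."""
    akm = {t for oui, t in rsn["akm"] if oui == "00-0F-AC"}
    if 12 in akm and rsn["mfpr"]:
        return "WPA3-Enterprise 192-bit" + (" + other AKMs" if akm - {12} else "")
    if 5 in akm and 1 not in akm and rsn["mfpr"]:
        return "WPA3-Enterprise only"
    if {1, 5} <= akm and rsn["mfpc"]:
        return "WPA2/WPA3-Enterprise mixed, PMF " + ("required" if rsn["mfpr"] else "optional")
    return "WPA2-Enterprise" if 1 in akm else "other"

# Constructed samples: CCMP with AKM 1+5 and PMF required; GCMP-256 with AKM 12.
MIXED = bytes.fromhex("0100 000fac04 0100 000fac04 0200 000fac01 000fac05 c000")
SUITE_B = bytes.fromhex("0100 000fac09 0100 000fac09 0100 000fac0c c000 0000 000fac0c")

if __name__ == "__main__":
    for name, ie in (("mixed", MIXED), ("suite-b", SUITE_B)):
        rsn = parse_rsn(ie)
        print(name, [AKM_NAMES.get(t, t) for _, t in rsn["akm"]], classify(rsn))
```

The body passed to `parse_rsn` is what a capture tool shows under the RSN Information tag, starting at the version field.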