Unleashed sends AKM:5 only in WPA2/3 mode - bug or intended behavior?
02-14-2025 02:58 PM - edited 02-14-2025 04:43 PM
I have a client that supports WPA2 and 2.4 GHz only. The network on the Ruckus side is configured as:
- Authentication Method: 802.1X EAP (with external RADIUS server)
- Encryption Method: WPA2/WPA3-Mixed
- Wi-Fi 6: Enabled
- OFDM Only: Enabled
- BSS Min Rate: 12Mb
The client refuses to connect, so I started debugging and did a packet capture. I can see probe request frames from the client and probe response frames from my Ruckus AP. However, what I found is puzzling - Ruckus replies, as per RSN Information, with:
- GCS: AES
- PCS Count: 1
- PCS includes "AES (CCM)" only, which is correct
- AKM Count: 1
- AKM includes "WPA (SHA256) (5)" only, which doesn't seem correct
The client, rightfully so, refuses to attempt to connect to the AP, as "WPA (SHA256) (5)" implies WPA3-only mode. Per the official WPA3 specification (v3.4), section 3.3:
When an AP's BSS is operating in WPA3-Enterprise Transition Mode:
1. The AP's BSS Configuration shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE 802.1X with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS.
Ruckus Unleashed 200.15.6.112.54 doesn't seem to be doing that. Is there any explanation for this behavior?
---------------- EDIT ----------------
Just as I submitted this post I found two very important posts by @sanjay_kumar (RUCKUS employee at the time of writing):
- https://community.ruckuswireless.com/t5/Unleashed/WPA2-WPA3-Mixed-192-bit-amp-Transition-Disable-Ind...
- https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/802-11w-PMF-set-as-Required...
So, Ruckus is playing a bit loose with terminology and allows for a bit of an impossible configuration if Ruckus names are to be read for their face values. However, I captured some 802.11 packets and pulled Wireshark... and:
- WPA2/WPA3-Mixed and PMF required (80211w-pmf 2) => WPA3 only, 128-bit mode [AKM: SHA256/5 only]
- WPA2/WPA3-Mixed and PMF optional (80211w-pmf 1) => WPA3-Transitional, as per WPA3 specification [AKM: WPA/1 + SHA256/5]
- WPA3 and PMF required => WPA3 only, 192-bit mode [AKM: SHA384-SuiteB/12 only]
- WPA3 and PMF optional => not possible as PMF is required for Ruckus "WPA3" mode (confirmed on the AP; returns "For encrypton type 'owe'/'wpa3', the value should be 2.")
So it seems like in Ruckus terminology WPA2/3-Mixed **and** PMF required is in reality WPA3-only 128-bit and has nothing to do with WPA2 (?!). This seems like something that needs clarification in the documentation at least and, even better, a change in the UI. If PMF and the AKMs supported are inherently coupled, which it seems they are per the WPA3 spec, that should be coupled logically in the Ruckus UI. Currently, when I select "WPA3" in the UI, I am in fact getting "WPA3-Enterprise 192-bit", and PMF (not available in the UI) is automatically forced to required. When I select "WPA2/3-Mixed" in the UI, I am getting in practice something that is called "WPA3-Enterprise Only" by the official WiFi specification if PMF is required and "WPA3-Enterprise Transition" if PMF is optional.
This sounded like a familiar-ish issue, and I found my own post, which I had forgotten about, where I was trying to get WPA3-only but in 128-bit mode, as 192-bit only mode is still too new and I'm not sure if Ruckus can support 128+192-bit mode or if it's even valid per spec. I think HPE nailed the support document showing their config vs WiFi spec terms: https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/modes/ even if their naming in the config is still mysterious ("wpa3-cnsa"?!)
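The mapping worked out in the post above can be checked mechanically from a capture. The following is an added example, not part of the original post and not Ruckus code: it parses an RSN element body, reads the AKM list and the PMF bits, and names the mode in WPA3-specification terms. The function names are hypothetical and the sample elements are constructed from the AKM lists quoted in the post, not taken from real frames.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI (00-0F-AC)
MFPR, MFPC = 0x0040, 0x0080    # RSN Capabilities: PMF required / PMF capable

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (the bytes after element ID and length)."""
    def suites(off):
        (count,) = struct.unpack_from("<H", body, off)
        end = off + 2 + 4 * count
        if end > len(body):
            raise ValueError("truncated suite list")
        return [body[i:i + 4] for i in range(off + 2, end, 4)], end
    if len(body) < 8 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("not an RSN version 1 element")
    pairwise, off = suites(6)            # skip version (2) + group cipher (4)
    akm, off = suites(off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": {s[3] for s in akm if s[:3] == OUI},
            "mfpr": bool(caps & MFPR), "mfpc": bool(caps & MFPC)}

def classify(rsn: dict) -> str:
    """Name the mode in WPA3-specification terms from AKMs plus PMF bits."""
    akms, req, cap = rsn["akms"], rsn["mfpr"], rsn["mfpc"]
    if akms == {12} and req:
        return "WPA3-Enterprise 192-bit"
    if akms == {5} and req:
        return "WPA3-Enterprise Only"
    if akms == {1, 5} and cap and not req:
        return "WPA3-Enterprise Transition"
    if akms == {1}:
        return "WPA2-Enterprise"
    return "unclassified"

def client_can_join(rsn: dict, client_akms: set, client_pmf: bool) -> bool:
    """A client needs one shared AKM, and PMF support if the AP requires it."""
    return bool(rsn["akms"] & client_akms) and (client_pmf or not rsn["mfpr"])

def build_rsn(akms, caps):
    """Constructed sample: CCMP group and pairwise ciphers, given AKMs and caps."""
    ccmp = OUI + b"\x04"
    return (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp +
            struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms) +
            struct.pack("<H", caps))

if __name__ == "__main__":
    for label, akms, caps in [("Mixed, PMF required", [5], MFPR | MFPC),
                              ("Mixed, PMF optional", [1, 5], MFPC),
                              ("WPA3, PMF required", [12], MFPR | MFPC)]:
        rsn = parse_rsn(build_rsn(akms, caps))
        print(label, "=>", classify(rsn), "| WPA2-only client joins:",
              client_can_join(rsn, {1}, client_pmf=False))
```

To use it on a real capture, pass the RSN element bytes starting at the version field, as exported from the probe response or beacon.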
03-11-2025 01:24 AM
I haven't troubleshot WPA3-Enterprise in about a year or two (I took a break), but I seem to recall never being able to get Unleashed to work in WPA3-Enterprise mode because of incorrect AKM settings. There really needs to be a couple of standards-compliant options in the GUI: WPA3-Enterprise in standard mode (not the 192-bit mode), and WPA3-Enterprise 192-bit mode.
I just upgraded from an R710 (on Unleashed 200.15) to an R650 (on Unleashed 200.17), so I'll revisit this issue and provide better packet caps and documentation. I'd given up out of frustration on getting WPA3-Enterprise working and just used WPA2-Enterprise, then went into the CLI and set PMF to Required. Interestingly, when I do that, in the "Clients" section in the GUI, it lists "WPA3-AES-SHA256" when it's really just WPA2 with PMF Required, which is in spec.

