
Unleashed sends AKM:5 only in WPA2/3 mode - bug or intended behavior?

kiler129
New Contributor II

I have a client that supports WPA2 and 2.4 GHz only. The network on the Ruckus side is configured as:

  • Authentication Method: 802.1X EAP (with external RADIUS server)
  • Encryption Method: WPA2/WPA3-Mixed
  • Wi-Fi 6: Enabled
  • OFDM Only: Enabled
  • BSS Min Rate: 12Mb

The client refuses to connect, so I started debugging and did a packet capture. I can see probe request frames from the client and probe response frames from my Ruckus AP. However, what I found is puzzling - Ruckus replies, as per RSN Information, with:

  • GCS: AES
  • PCS Count: 1
  • PCS includes "AES (CCM)" only, which is correct
  • AKM Count: 1
  • AKM includes "WPA (SHA256) (5)" only, which doesn't seem correct

The client, rightfully so, refuses to attempt to connect to the AP, as "WPA (SHA256) (5)" implies WPA3-only mode. Per the official WPA3 specification (v3.4), section 3.3:

 

When an AP's BSS is operating in WPA3-Enterprise Transition Mode:
    1. The AP's BSS Configuration shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE 802.1X with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS.

 

Ruckus Unleashed 200.15.6.112.54 doesn't seem to be doing that. Is there any explanation for this behavior?

 

---------------- EDIT ---------------- 

Just as I submitted this post I found two very important posts by @sanjay_kumar (RUCKUS employee at the time of writing):

So, Ruckus is playing a bit loose with terminology and allows for a bit of an impossible configuration if Ruckus names are to be read for their face values. However, I captured some 802.11 packets and pulled Wireshark... and:

  • WPA2/WPA3-Mixed and PMF required (80211w-pmf 2) => WPA3 only, 128-bit mode [AKM: SHA256/5 only]
  • WPA2/WPA3-Mixed and PMF optional (80211w-pmf 1) => WPA3-Transitional, as per WPA3 specification [AKM: WPA/1 + SHA256/5]
  • WPA3 and PMF required => WPA3 only, 192-bit mode [AKM: SHA384-SuiteB/12 only]
  • WPA3 and PMF optional => not possible as PMF is required for Ruckus "WPA3" mode (confirmed on the AP; returns "For encrypton type 'owe'/'wpa3', the value should be 2.") 

So it seems like in Ruckus terminology WPA2/3-Mixed **and** PMF required is in reality WPA3-only 128-bit and has nothing to do with WPA2 (?!). This seems like something that needs clarification in the documentation at least and, even better, a change in the UI. If PMF and the supported AKMs are inherently coupled, which it seems they are per the WPA3 spec, they should be coupled logically in the Ruckus UI. Currently, when I select "WPA3" in the UI I am in fact getting "WPA3-Enterprise 192-bit", and PMF (not available in the UI) is automatically forced to required. When I select "WPA2/3-Mixed" in the UI I am getting in practice something that is called "WPA3-Enterprise Only" by the official WiFi specification if PMF is required and "WPA3-Enterprise Transition" if PMF is optional.

This sounded like a familiar-ish issue, and I found my own post, which I had forgotten about, where I was trying to get WPA3-only but in 128-bit mode, as 192-bit-only mode is still too new and I'm not sure if Ruckus can support 128+192-bit mode or if it's even valid per spec. I think HPE nailed it with their support document showing their config vs WiFi spec terms: https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/modes/ even if their naming in the config is still mysterious ("wpa3-cnsa"?!)
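
Added example, not part of the original post and not Ruckus or Wi-Fi Alliance code: a small parser for the RSN element body seen in a probe response, which maps the advertised AKM suites and PMF bits to the mode names used in the post. The function names, the mode labels returned and the two sample byte strings are constructed for illustration; only AKM selectors under OUI 00-0F-AC are considered.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
MFPR, MFPC = 0x0040, 0x0080   # RSN Capabilities: PMF required / PMF capable

def _suites(body, off):
    """Read a 2-byte LE count followed by that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    sel = {body[i + 3] for i in range(off + 2, end, 4) if body[i:i + 3] == IEEE_OUI}
    return sel, end

def parse_rsn(body):
    """Parse an RSN element body (the bytes after element ID 48 and its length)."""
    if len(body) < 6:
        raise ValueError("truncated RSN element")
    pairwise, off = _suites(body, 6)      # skip version (2) + group cipher (4)
    akm, off = _suites(body, off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"pairwise": pairwise, "akm": akm,
            "mfpr": bool(caps & MFPR), "mfpc": bool(caps & MFPC)}

def classify(rsn):
    """Name the mode from AKM set + PMF bits, following the post's mapping."""
    akm, req, cap = rsn["akm"], rsn["mfpr"], rsn["mfpc"]
    if akm == {12} and req:
        return "WPA3-Enterprise 192-bit"
    if akm == {5} and req:
        return "WPA3-Enterprise Only"
    if {1, 5} <= akm and cap and not req:
        return "WPA3-Enterprise Transition"
    if akm == {1}:
        return "WPA2-Enterprise"
    return "unclassified"

def wpa2_only_client_can_join(rsn):
    """A WPA2-only client offers AKM 1 (802.1X with SHA-1) and no PMF."""
    return 1 in rsn["akm"] and not rsn["mfpr"]

# Constructed samples: version 1, group AES-CCMP, one pairwise suite (CCMP).
MIXED_PMF_REQUIRED = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                                   "0100" "000fac05" "c000")
MIXED_PMF_OPTIONAL = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                                   "0200" "000fac01" "000fac05" "8000")
```

Feeding it the RSN element bytes copied from Wireshark shows directly whether a WPA2-only client has any AKM it can select.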
