WPA3 Personal works great. If I set Aruba to WPA3 Enterprise 128 and use WPA2 Enterprise (the only option on the Windows 10 client) then that works, but I have no idea what it's doing. WPA3 Enterprise 256 and CNSA don't work currently for me because I think I need to do a better config on my FreeRADIUS server with the EAP-TLS settings.
What I need is a way to know what cipher is used for a client. How do I do that? I could do it on the Windows 10 side or the Aruba side. I cannot find any tool or way to do this. I need a minimal way to see if the connection is using 128 or 192 bits.
You can sniff some 802.11 frames with a wireless card that supports monitor mode (most likely with Linux or a WLAN Pi). For example, an 802.11 beacon frame sent out by the AP advertises its capabilities. See the attachment for an example showing the differences between beacons for WPA3-Personal, WPA3-Enterprise 128-bit, WPA3-Enterprise 256-bit, or with CNSA.
Thanks for the help. I am using wpad-wolfssl. It sets WPA3 Enterprise to GCMP-256. It seems the better way to handle this is to use WPA2 Enterprise. There are three options for WPA3 Enterprise encryption. The issue is that GCMP-256 can cause slowdowns for certain devices. GCMP-128 does not seem to be affected. There is the issue of Windows 10 machines not fast roaming on GCMP.
So I was playing with that yesterday. And sure, I set an SSID to only be WPA3, and my phone (iPhone XR running 14.4) connected. So yeah, it works, but I was wondering how you know you're using WPA3 on an SSID that is set for WPA2/WPA3, because some devices on that network don't yet support WPA3. IoT devices for sure; many do not support such new features, or for that matter even 5 GHz for wifi, be it n or ac.
The controller doesn't have a way to show if a device is using WPA2 or WPA3, at least not yet. So you really have to do it on the client device. Well, Apple in their infinite wisdom clearly don't see the point of their users actually seeing any decent info about the connection.
This provides lots of good info: the actual channel you're connected to, the VHT, actual signal strength, whether you're on WPA2 or WPA3, the actual BSSID, which can be useful when you have more than one AP. I wish they also would show you the actual PHY (connection rate) for both TX and RX, but hey, it got the info I was looking for specifically. But you can get the connection rate from the controller if you're running UniFi stuff.
I was excited to see the option for WPA3 with my controller upgrade, but then sadly I discovered the AC-AP-PRO does not have firmware on the 5.x branch. Some of the other AC class APs have 5.4.x, but mine doesn't, which is strange to me because it's the "Pro" model.
Nevertheless, I did install the developer profile you suggested and that did confirm that it is indeed connecting with WPA2 when I put it in WPA2/WPA3 mode. If you put it in WPA3 Only mode it doesn't connect, probably because of the AP firmware.
Yes, 100% have an AC-Pro. I realized that I needed to allow it to load beta firmware in order to get the 5.63 branch. If you only allow it to access the "release" firmware it only gave me options for 4.23 firmware. At least on my setup anyway.
Since I am on controller 6.2.2.5, it allows you to change the firmware setting for beta in the GUI now. [edit] Link didn't work, I guess because I am new. Here is a screenshot of how to set the release channel through the GUI:
Slightly off topic, but I'm curious. I haven't had a chance to look into WPA3 much yet as my devices don't support it yet, but I'm wondering how much of an improvement and/or how much more secure it is compared to WPA2?
Yeah, the problem with WPA3 is going to be support from older devices, and when (if) IoT devices will start to support it. I find it highly unlikely that old IoT devices like lightbulbs and such will be able to just get a firmware upgrade and support it. And who is going to want to switch out all their old IoT just to support WPA3? They can add up in cost. I have like 16 light bulbs. I got them for good prices, but even at $10 each you're talking $160, and then all the setup time to replace them all. Yeah, probably not going to happen. They will get replaced when they fail most likely, so hopefully years down the road.
The biggest drawback with changes in wifi is that until such time as you can move all your devices to the new whatever, you're still going to be open to the old security issues. You could completely isolate your networks so that anything on the WPA2 network doesn't have access to anything on your wired or WPA3 wireless networks. This is pretty much the case with my IoT stuff. The two VLANs I have for, say, Rokus and Alexa stuff have no access into the rest of my network, other than Plex on port 32400.
My trusted wifi network, which is now using WPA3 Enterprise and EAP-TLS, is fine; all the devices that I allow to access that network support it. But I was hoping to move my guest wifi to WPA3, and sadly guest devices are not up to speed yet. My nephew brought over his laptop and couldn't get on my guest network; I had to switch it to WPA2/WPA3 mode for him to get on.
edit: Another little problem which I hope they address at some point is that in the UniFi controller there is no way to see if a client used WPA2 or WPA3. So it's hard to even know if your IoT devices would work. The only way to know would be to switch to WPA3 only and see what doesn't connect. At some point I hope they show you what the client used in the controller.
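Both the earlier suggestion to sniff beacons and the complaint above that the controller never shows which security a client used come down to reading the RSN information element: the AP advertises the suites it offers in its beacon, and the client puts the single AKM and pairwise cipher it chose into its association request. The decoder below is an added example, not code from this thread or from any vendor; the sample IEs are constructed by hand to match the three SSID types discussed, and the mode names in classify() are an approximation of the Wi-Fi Alliance rules.

```python
# Decoder for the RSN information element (tag 48) in a beacon or association request.
import struct
OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite-selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "SuiteB-128", 12: "SuiteB-192"}

def _suite(raw, table):  # 4-byte selector: 3-byte OUI + 1-byte suite type
    return table.get(raw[3], "type-%d" % raw[3]) if raw[:3] == OUI else "vendor:" + raw.hex()
def _suite_list(body, off, table):  # little-endian count, then that many selectors
    count = struct.unpack_from("<H", body, off)[0]
    off += 2
    return [_suite(body[off + 4 * i:off + 4 * i + 4], table) for i in range(count)], off + 4 * count
def parse_rsn_ie(ie):
    """Parse one RSN IE (from its 0x30 tag byte) into its suites and PMF flags."""
    assert ie[0] == 0x30, "not an RSN IE"
    body = ie[2:2 + ie[1]]
    off = 2  # skip the 2-byte version field (always 1)
    group, off = _suite(body[off:off + 4], CIPHERS), off + 4
    pairwise, off = _suite_list(body, off, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    caps, off = struct.unpack_from("<H", body, off)[0], off + 2
    info = {"group": group, "pairwise": pairwise, "akm": akms, "group_mgmt": None,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}
    # Optional trailer: PMKID count + PMKIDs, then the group management cipher used for PMF.
    if off + 2 <= len(body):
        off += 2 + 16 * struct.unpack_from("<H", body, off)[0]
        if off + 4 <= len(body):
            info["group_mgmt"] = _suite(body[off:off + 4], CIPHERS)
    return info

def classify(info):
    """Approximate Wi-Fi Alliance mode name plus the pairwise cipher key size in bits."""
    akm, pw = set(info["akm"]), info["pairwise"]
    bits = 256 if any(c.endswith("256") for c in pw) else 128
    if "SuiteB-192" in akm:
        return "WPA3-Enterprise 192-bit", bits
    if akm & {"SAE", "FT-SAE"}:
        return ("WPA2/WPA3-Personal transition" if akm & {"PSK", "FT-PSK"} else "WPA3-Personal"), bits
    if akm & {"802.1X", "FT-802.1X", "802.1X-SHA256"}:
        return ("WPA3-Enterprise" if info["mfpr"] else "WPA2-Enterprise"), bits
    return "WPA2-Personal", bits

# Constructed sample IEs (not captured frames), written as a Wireshark hex dump would show them.
SAMPLES = {
    "wpa3-personal": bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000"),
    "wpa3-ent-192": bytes.fromhex("301a 0100 000fac09 0100 000fac09 0100 000fac0c c000 0000 000fac0c"),
    "wpa2-personal": bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000"),
}
```

Run the same decoder over the RSN IE in a client's association request to see what that client actually picked on a mixed WPA2/WPA3 SSID. It also shows why a Windows 10 client set to "WPA2-Enterprise" can join a WPA3-Enterprise 128 SSID: both use the 802.1X AKM with CCMP-128, and the visible difference is only the PMF-required bit.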
Are you having any roaming issues with this 5.6.x firmware? I spent most of the weekend at the back of the house (living room, kitchen, master), but my office is at the front of the house, and when I came up here this morning I realized both my work and personal phones were constantly dropping and reconnecting when on the WPA3-enabled network, which is 5G only. I grabbed my PC from my nightstand and brought it up here to the front of the house and it stayed connected, but I realized it did not roam from the back-of-the-house AP to the front-of-the-house AP per the Ubiquiti management portal. Even though I'm practically right under the front-of-the-house AP, it's still connected to the back-of-the-house AP. It's just that the laptops have more ability to stay connected to a 5 GHz AP that is farther away.
After further experimentation I realized that nothing is roaming from whatever AP it originally connects to. The phones stay connected if I move them over to my mixed 2.4G/5G SSID, but that is because of the longer reach of 2.4. They don't roam off the AP they originally joined even on 2.4.
Here I just walked from one end of the house to the other: see it on the guest room AP, then moved to the kitchen AP. You can see in the event log on the controller that as I moved it transitioned to the hallway for a bit as I walked between the two areas.
Have not noticed any sort of issues with the 5.60, and now the 5.60.3, firmware running. If I recall there might have been one beta firmware in between that had some issues, but that was like one of the first that rolled out after 5.43, where I rolled back to 5.43. But I ran on 5.60 for a very long time, and just recently moved to the 5.60.3.