In this post we will look at “Enhanced Open – Transition Mode“. It is designed to increase adaptability of Enhanced Open network even all devices in a network not supporting it. As of today all client devices do not support “Enhanced Open” or “OWE” , end users will face issues connecting those unsupported devices to “Enhanced Open” enabled SSID.

With Transition mode, you will create two SSIDs. One with Enhanced Open enabled. The other with Open Auth + Transition mode enabled. Only Open Auth SSID is broadcasting its SSID name. So client devices only see one SSID, however if device is capable of OWE, it will connect to Enhanced Open SSID smoothly.

Above shown our test topology. SSID1 (CWAP-Open) is “Enhanced Open” enabled. Note that SSID name is not broadcasting .We used same SSID in Enhanced Open – Part 1 blog post. SSID2 (Guest) is configured with Open Auth (ie L2 security set to None) in OWE Transition mode. Note that we included SSID1 as “Enhanced Open SSID” under SSID2 configuration as shown below. (Cisco AireOS 8.10.x WLC)

Here is the packet capture when Pixel3 & AirCheckG2 connecting “Guest” SSID which is the only one visible. Note I have used alias/name resolution for simple way of understanding the flow. You may not see it when you open in wireshark. Here is details of MAC address to Name resolution for your reference.

0c:d0:f8:95:60:ab -> C9117 (BSSID for CWAP-Open SSID)
0c:d0:f8:95:60:ad -> C9117 (BSSID for Guest SSID)
ba:17:f2:89:d0:06 -> MRN-PIX3 (Pixel Phone WiFi MAC Address)
6c:0b:84:c2:4e:99 -> AirCheckG2 (AirCheck WiFi MAC Address)

If you look at beacon frames, you will see beacon frames from both SSIDs, however SSID name visible only in “Guest” SSID. If you look at Tagged parameters, you notice it got Vendor Specific element “OWE Transition Mode” beacon frames or Probe Responses frames in both SSID. Below shows beacon frame for SSID2 – Guest.

Here is the OWE Transition mode element format defined in WiFi Alliance OWE Specification v1.0

You will see those field information in OWE Transition Mode element in that beacon frame. Note that Band Info & Channel Info are optional fields. Valid options are to include both these info fields or not to include both fields.

In our case, these both of them are not present. In my case both SSID configured for 5GHz band (have to test later modifying those bands in each SSID). Note that SSID name & BSSID information is listed under OWE Transition information element.

Here is the beacon frame for “Enhanced Open” SSID named “CWAP-Open”

Note important points in “Enhanced Open” SSID beacon frame (same info is there in Probe Response frames too)

• SSID  length is zero
• Contain “RSNE” to indicate OWE support.
• Contain OWE Transition Element

Here is details of those elements that are in our interest (SSID, RSNE, OWE Transition).

Now when Pixel device connecting to “Guest” SSID, you noticed it is connected to CWAP-Open SSID like a magic 🙂 . That is the SSID with “Enhanced Open” support to encrypt data traffic.

 

If you look at those frame details, you see client is using “Enhanced Open” security that we discussed in detail on my previous post.

However, when AirCheckG2 trying to connect, it is connected to “Guest” SSID which is doing Open Auth. You notice 2 open Authentication frames (#2757,2760) & Association Request/Response (#2762,2764) & then clear text data frames. Note that below wireshark display filter used to narrow down frame related to AG2 & filter out control frames.

wlan.addr== 6c:0b:84:c2:4e:99 && not wlan.fc.type==1

WiFi alliance is suggesting to use this method as a transition solution until all end points starts supporting Enhanced Open. This is the method, if you have to implement “Enhanced Open” wireless network today until all devices start supporting this security method.

References
1. Aruba Hardened WiFi Security for Evolving Threat Landscapes with Chuck Lukaszewski
2. WPA3, OWE and DPP | Hemant Chaskar | WLPC Phoenix 2019

Related Posts
1. End of Cisco AireOS?
2. Enhanced Open – Part 1
3. WPA3-SAE Mode
4. WPA3-SAE Transition Mode