Here is the 5th & final post of our WPA3 series. We will cover WPA3-Enterprise in this post, which is going to be the replacement for WPA2-Enterprise. The WiFi Alliance lists the WPA3-Enterprise mode requirements in its WPA3 Specification 2.0 (Dec 2019) document. There are three modes of operation in WPA3-Enterprise:
- WPA3-Enterprise only mode
– When a BSS is configured in WPA3-Enterprise only mode, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP)
– A WPA3-Enterprise STA shall negotiate PMF when associating to an AP using WPA3-Enterprise only mode
- WPA3-Enterprise transition mode
– When WPA2-Enterprise and WPA3-Enterprise transition mode are configured on the same BSS (mixed mode), PMF shall be set to capable (MFPC bit shall be set to 1, and MFPR bit is by default set to 0 in the RSN Capabilities field in the RSNE transmitted by the AP)
– A WPA3-Enterprise STA shall negotiate PMF when associating to an AP using WPA3-Enterprise transition mode
- WPA3-Enterprise 192-bit mode
– When WPA3-Enterprise 192-bit Mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP).
– When WPA3-Enterprise 192-bit Mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the STA).
– Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit Mode are (each suite with the key sizes it requires):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: ECDHE and ECDSA using the 384-bit prime modulus curve P-384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ECDHE using the 384-bit prime modulus curve P-384, RSA ≥ 3072-bit modulus
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: RSA ≥ 3072-bit modulus, DHE ≥ 3072-bit modulus
When you configure FT (Fast BSS Transition, 802.11r) in WPA3-Enterprise only or WPA3-Enterprise transition mode (modes 1 & 2 listed above), the STA shall select the AKM on a BSS in the priority order given below:
1. FT Authentication using IEEE Std 802.1X (SHA 256) 00-0F-AC:3
2. Authentication using IEEE Std 802.1X (SHA256) 00-0F-AC:5
3. Authentication using IEEE Std 802.1X 00-0F-AC:1
The AKM suite selectors referred to here (OUI 00-0F-AC followed by a suite type) are defined in IEEE 802.11 REVmd (the revision of 802.11-2016 that became 802.11-2020). Note that AKM 8 & 9 are used with SAE (WPA3-Personal uses AKM 8), AKM 1, 3, 5 and 11 with WPA3-Enterprise only or WPA3-Enterprise transition mode, AKM 12 and 13 with WPA3-Enterprise 192-bit mode, and AKM 18 with Enhanced Open (OWE).
You will notice that some AKMs refer to "Suite B", a set of cryptographic algorithms (providing 128-bit and 192-bit security strength) defined by the NSA (National Security Agency) in 2005. The NSA announced CNSA (Commercial National Security Algorithm Suite, providing a minimum of 192-bit security) as the replacement for Suite B in 2015. WPA3-Enterprise 192-bit mode uses AES-256-GCMP encryption and the CNSA-approved cipher suites listed below:
AES-256-GCMP : Authenticated Encryption
HMAC-SHA-384 for key derivation & key confirmation
ECDH and ECDSA using 384-bit elliptic curve for key establishment & authentication
To deploy WPA3-Enterprise only mode, you can simply set PMF (Protected Management Frames) to required on your existing WPA2-Enterprise SSID; technically that is WPA3-Enterprise only mode.
If you want to enable WPA3-Enterprise transition mode, set PMF to optional in your SSID configuration, so PMF-capable clients negotiate it and other clients join the SSID without PMF (those clients remain exposed to the spoofed deauthentication/disassociation frames that PMF is there to stop). This is the practical way of enabling WPA3-Enterprise in today's networks, unless you want to create a separate SSID for WPA3-Enterprise.
If you want the highest security, go with WPA3-Enterprise 192-bit mode. In that case you have to use AES-256-GCMP for encryption and either AKM 12 (802.1X, SHA-384) or AKM 13 (FT over 802.1X, SHA-384), and the EAP-TLS cipher suite and certificates must also meet the 192-bit requirements listed above (P-384 or RSA/DHE ≥ 3072-bit), in order to provide 192-bit security overall.
In this post we will explore the WPA3-Enterprise 192-bit configuration. I have used a Cisco IOS-XE based controller (9800-CL running IOS-XE 17.3.1) & Cisco ISE (v2.7) as the RADIUS server. Here is the basic topology for this post (note that the AP is connected to a physical switch and CAPWAP back to the WLC; for simplicity those physical switches are not shown).
If you want to use WPA3-Enterprise 192-bit mode, you have to choose GCMP256 as the encryption method and "SuiteB192-1X" as the AKM, as shown below.
I have used a Windows 10 client with the May 2020 update (v2004); you need to upgrade to that in order to support WPA3-Enterprise mode & Enhanced Open (OWE). You can verify the security methods supported by your WiFi driver with the "netsh wlan show driver" command on the Windows CLI.
You have to create a manual profile in order to configure your client to use the WPA3-Enterprise security method. You will notice that you cannot change the encryption type to GCMP-256 even if you select "WPA3-Enterprise" as the security type.
You have to select "WPA2-Enterprise" & leave the encryption type as "AES" in this step and proceed.
Once you click "Next" you should be able to change the connection settings of this profile.
In the "Security" tab, you can change the security type to "WPA3-Enterprise" and it will automatically select "GCMP-256" as the encryption type. In my case, I selected the authentication method "Smart Card or other Certificate" in order to use EAP-TLS (I tried PEAP and it gave an error message saying it is not supported).
You have to select a trusted root certification authority applicable to your client certificate by clicking the "Settings" button. You can also modify certain parameters under "Advanced Settings" before closing the network profile configuration.
Then you can connect your client to the configured SSID. You have to choose the appropriate certificate for that. I used a Microsoft CA in my lab setup and had already installed a user certificate (issued to firstname.lastname@example.org) on my Windows laptop. I used Cisco ISE (v2.7.x) as the RADIUS server, configured for basic 802.1X authentication (no special configuration is required on the RADIUS server). You can verify your client profile configuration with the "netsh wlan show profiles" command:
C:\Windows\system32>netsh wlan show profiles name="mrn-wpa3e"

Profile mrn-wpa3e on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : mrn-wpa3e
    Control options        :
        Connection mode    : Connect manually
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks
        MAC Randomization  : Disabled

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "mrn-wpa3e"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension       : Not present

Security settings
-----------------
    Authentication         : WPA3-Enterprise
    Cipher                 : GCMP-256
    Security key           : Absent
    802.1X                 : Enabled
    EAP type               : Microsoft: Smart Card or other certificate
    802.1X auth credential : Machine or user credential
    Cache user information : No

Cost settings
-------------
    Cost                   : Unrestricted
    Congested              : No
    Approaching Data Limit : No
    Over Data Limit        : No
    Roaming                : No
    Cost Source            : Default
Then you can connect your client to the WPA3-Enterprise SSID and check the client connectivity properties.
Here is the over-the-air packet capture. You can download the entire packet capture (mrn-wpa3e-192-overtheair.pcapng). If you look at a Beacon frame, you will see the AP advertise its security capabilities in the RSNE. Note that both the Group Cipher & Pairwise Cipher are AES-256-GCMP (suite type 9) for data encryption. The AKM is 00-0F-AC:12 (802.1X with SHA-384), which provides 192-bit security. For Management Frame Protection (MFP), it uses BIP-GMAC-256 (suite type 12), and the RSN Capabilities field has both MFPC and MFPR set.
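The mode rules listed at the start of the post (PMF capable vs. required, GCMP-256 plus AKM 12/13 for 192-bit), the FT AKM priority order, and the RSNE fields just described can all be checked programmatically rather than read off a Wireshark decode. The Python below is an added example; it is not code from the original post or from any vendor. The two RSNEs it decodes are constructed inline for illustration (one 192-bit AP, one transition-mode AP) and are not the Beacon from the linked capture. It only classifies on the standard 00-0F-AC suite selectors; vendor OUIs are parsed but ignored.

```python
# Added example: decode the RSN element an AP advertises and classify its
# WPA3-Enterprise mode from the cipher, AKM and PMF (MFPC/MFPR) fields.
import struct
from typing import Dict, List, Optional, Tuple

RSNE_ID = 48            # Element ID of the RSN element
IEEE_OUI = "00-0F-AC"   # OUI used by all standard suite selectors
AKM_NAMES = {
    1: "802.1X (SHA-1)", 2: "PSK", 3: "FT-802.1X (SHA-256)", 4: "FT-PSK",
    5: "802.1X (SHA-256)", 6: "PSK (SHA-256)", 8: "SAE", 9: "FT-SAE",
    11: "Suite B 802.1X (SHA-256)", 12: "Suite B 192-bit 802.1X (SHA-384)",
    13: "FT-802.1X (SHA-384)", 18: "OWE",
}
ENTERPRISE_AKMS = {1, 3, 5, 11, 12, 13}
FT_AKM_PRIORITY = (3, 5, 1)  # STA preference when FT is configured (WPA3 spec)

Suite = Tuple[str, int]      # (OUI as "xx-xx-xx", suite type)


def _suite(raw: bytes) -> Suite:
    if len(raw) != 4:
        raise ValueError("suite selector must be 4 octets")
    return ("-".join(f"{b:02X}" for b in raw[:3]), raw[3])


def _suite_list(body: bytes, off: int, count: int) -> Tuple[List[Suite], int]:
    end = off + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past the end of the RSNE")
    return [_suite(body[i:i + 4]) for i in range(off, end, 4)], end


def parse_rsne(ie: bytes) -> Dict:
    """Parse a raw RSN element (ID, length, body) from a Beacon or Probe Response."""
    if len(ie) < 2 or ie[0] != RSNE_ID:
        raise ValueError("not an RSN element")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated RSNE")
    (version,) = struct.unpack_from("<H", body, 0)  # RSNE fields are little-endian
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 2
    # Everything after Version is optional; 802.11 defaults apply when absent.
    group: Suite = (IEEE_OUI, 4)
    pairwise: List[Suite] = [(IEEE_OUI, 4)]
    akms: List[Suite] = [(IEEE_OUI, 1)]
    caps = 0
    group_mgmt: Optional[Suite] = None
    if off + 4 <= length:
        group, off = _suite(body[off:off + 4]), off + 4
    if off + 2 <= length:
        (n,) = struct.unpack_from("<H", body, off)
        pairwise, off = _suite_list(body, off + 2, n)
    if off + 2 <= length:
        (n,) = struct.unpack_from("<H", body, off)
        akms, off = _suite_list(body, off + 2, n)
    if off + 2 <= length:
        (caps,) = struct.unpack_from("<H", body, off)
        off += 2
    if off + 2 <= length:                      # PMKID count + list, then group mgmt cipher
        (n_pmkid,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * n_pmkid
        if off + 4 <= length:
            group_mgmt = _suite(body[off:off + 4])
    return {
        "group_cipher": group, "pairwise_ciphers": pairwise, "akms": akms,
        "mfpr": bool(caps & 0x0040),   # RSN Capabilities bit 6: PMF required
        "mfpc": bool(caps & 0x0080),   # RSN Capabilities bit 7: PMF capable
        "group_mgmt_cipher": group_mgmt,
    }


def classify_enterprise_mode(rsn: Dict) -> str:
    """Apply the WPA3 Specification mode rules to a parsed RSNE."""
    akm_types = {t for oui, t in rsn["akms"] if oui == IEEE_OUI}
    if not akm_types & ENTERPRISE_AKMS:
        return "not an 802.1X BSS"
    pairwise = {t for oui, t in rsn["pairwise_ciphers"] if oui == IEEE_OUI}
    if akm_types & {12, 13}:
        # 192-bit: PMF required, GCMP-256 for data, BIP-GMAC-256 for management frames
        strict = (rsn["mfpr"] and pairwise == {9}
                  and rsn["group_cipher"] == (IEEE_OUI, 9)
                  and rsn["group_mgmt_cipher"] == (IEEE_OUI, 12))
        return "WPA3-Enterprise 192-bit" if strict else "192-bit AKM with non-compliant ciphers/PMF"
    if rsn["mfpr"]:
        return "WPA3-Enterprise only"
    if rsn["mfpc"]:
        return "WPA3-Enterprise transition"
    return "WPA2-Enterprise (no PMF)"


def select_ft_akm(rsn: Dict) -> Optional[int]:
    """AKM a WPA3-Enterprise STA picks when FT is configured: 00-0F-AC:3, then :5, then :1."""
    advertised = {t for oui, t in rsn["akms"] if oui == IEEE_OUI}
    return next((a for a in FT_AKM_PRIORITY if a in advertised), None)


# Constructed RSNEs for illustration (not the Beacon from the post's capture):
# 192-bit AP: GCMP-256 group/pairwise, AKM 12, MFPC+MFPR, zero PMKIDs, BIP-GMAC-256
BEACON_192 = bytes.fromhex("301a" "0100" "000fac09" "0100" "000fac09"
                           "0100" "000fac0c" "c000" "0000" "000fac0c")
# Transition AP: CCMP-128, AKMs 1/5/3 advertised, MFPC only
BEACON_TRANSITION = bytes.fromhex("301c" "0100" "000fac04" "0100" "000fac04"
                                  "0300" "000fac01" "000fac05" "000fac03" "8000")

if __name__ == "__main__":
    for ie in (BEACON_192, BEACON_TRANSITION):
        rsn = parse_rsne(ie)
        print(classify_enterprise_mode(rsn),
              [AKM_NAMES.get(t, t) for _, t in rsn["akms"]],
              "FT pick:", select_ft_akm(rsn))
```

Feed it the raw bytes of the RSN element (Wireshark: right-click the element, copy as hex stream) to confirm that an SSID you believe is in 192-bit mode really advertises MFPR, GCMP-256 and BIP-GMAC-256 together; a controller that accepts AKM 12 with CCMP-128 or PMF optional is not delivering 192-bit security.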
You can filter the EAP exchange & 4-Way Handshake messages with the "eapol" display filter in Wireshark. You will see a standard TLS 1.2 negotiation (EAP-TLS) followed by the 4-Way Handshake that derives the unicast & broadcast encryption keys (PTK/GTK).
If you look at the "Client Hello" details (frame #280), you will see the client listed only two TLS cipher suites, both using AES_256_GCM for encryption and SHA-384 as the hash.
Here is the Server Hello (frame #299), where the authentication server selected "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" as the TLS cipher suite.
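The three permitted 192-bit EAP cipher suites listed earlier correspond to the IANA cipher suite IDs 0xC02C, 0xC030 and 0x009F, and the cipher_suites list read from frame #280 is the place to confirm the client offers nothing weaker. The Python below is an added example, not part of the original post: it builds a minimal TLS 1.2 ClientHello, parses the cipher_suites list back out of the record, and checks the offer against the permitted set (ignoring the SCSV signalling values real clients add). The ClientHellos are constructed here and are not taken from the capture.

```python
# Added example: build and parse a TLS 1.2 ClientHello record and check whether the
# offered cipher suites are limited to those the WPA3 spec permits for 192-bit mode.
import struct
from typing import Dict, List

PERMITTED_192 = {                      # IANA cipher suite IDs
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
SIGNALLING_VALUES = {0x00FF, 0x5600}   # renegotiation / fallback SCSVs, not real ciphers


def build_client_hello(suites: List[int], client_random: bytes = bytes(32)) -> bytes:
    """Minimal TLS 1.2 ClientHello inside a handshake record (no extensions)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + client_random + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                 # compression_methods: null only
            + b"\x00\x00")                                # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record: bytes) -> List[int]:
    """Return the cipher_suites list from a ClientHello handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                        # skip client_version and random
    off += 1 + body[off]                # skip session_id (length-prefixed)
    if off + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]


def check_192bit_offer(suites: List[int]) -> Dict:
    """A compliant 192-bit client offers only the permitted suites (plus SCSVs)."""
    permitted = [PERMITTED_192[s] for s in suites if s in PERMITTED_192]
    disallowed = [f"0x{s:04X}" for s in suites
                  if s not in PERMITTED_192 and s not in SIGNALLING_VALUES]
    return {"compliant": bool(permitted) and not disallowed,
            "permitted": permitted, "disallowed": disallowed}


# Constructed ClientHellos (not the post's frame #280)
STRICT_HELLO = build_client_hello([0xC02C, 0xC030, 0x00FF])
LOOSE_HELLO = build_client_hello([0xC02C, 0xC02F, 0x009F])   # 0xC02F = AES_128_GCM_SHA256

if __name__ == "__main__":
    for hello in (STRICT_HELLO, LOOSE_HELLO):
        print(check_192bit_offer(parse_client_hello_suites(hello)))
```

The server-side check is the mirror image: the suite chosen in the Server Hello must be one of the three permitted IDs, and the certificate chain it presents must use P-384 or RSA ≥ 3072-bit keys, otherwise the 192-bit AKM on the air is backed by a weaker EAP tunnel.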
Here is the Client Certificate detail in frame #310.
Cisco presentations say that the Authenticator uses RADIUS attribute 188 (WLAN-AKM-Suite, defined in RFC 7268) to inform the Authentication Server that the SSID is configured with 192-bit security. However, I could not see that attribute in my testing; the 9800 WLC did not include it in the RADIUS request messages it sent to Cisco ISE.
Here is the packet capture (ise-wpa3e-tcpdump.pcap) taken at the ISE end (Operations -> Troubleshoot -> General Tools -> TCP Dump). I would expect to see it in the initial Access-Request message (frame #1) sent by the WLC (100.10) to ISE (100.12).
If you look at frame #3 in that capture, it is the "Client Hello" message, carried in EAP-Message attributes of a RADIUS request by the WLC and forwarded to ISE.
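Rather than only eyeballing frame #1 in Wireshark, you can walk the Access-Request attributes and look for attribute 188 directly, and at the same time reassemble the EAP-Message attributes that carry the EAP-TLS records. The Python below is an added example, not part of the original post and not Cisco code. The packet it parses is constructed inline (zeroed Request Authenticator and Message-Authenticator, documentation address 192.0.2.10) and is not the ISE capture from the post; point parse_radius at the UDP payload of a real frame to check what your WLC actually sends.

```python
# Added example: walk the attributes of a RADIUS Access-Request, report the RFC 7268
# WLAN-* suite attributes (188 = WLAN-AKM-Suite) if present, and reassemble EAP-Message.
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 79: "EAP-Message", 80: "Message-Authenticator",
    186: "WLAN-Pairwise-Cipher", 187: "WLAN-Group-Cipher", 188: "WLAN-AKM-Suite",
    189: "WLAN-Group-Mgmt-Cipher", 190: "WLAN-RF-Band",
}
WLAN_SUITE_ATTRS = {186, 187, 188, 189}   # each carries a 4-octet 802.11 suite selector
AKM_NAMES = {1: "802.1X (SHA-1)", 3: "FT-802.1X (SHA-256)", 5: "802.1X (SHA-256)",
             12: "Suite B 192-bit 802.1X (SHA-384)", 13: "FT-802.1X (SHA-384)"}

Attr = Tuple[int, bytes]


def parse_radius(pkt: bytes) -> Dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs: List[Attr] = []
    off = 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]        # length includes the 2-octet header
        if alen < 2 or off + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def suite_selector(value: bytes) -> str:
    if len(value) != 4:
        raise ValueError("suite selector must be 4 octets")
    return "-".join(f"{b:02X}" for b in value[:3]) + f":{value[3]}"


def wlan_suites(parsed: Dict) -> Dict[str, str]:
    return {ATTR_NAMES[t]: suite_selector(v) for t, v in parsed["attrs"] if t in WLAN_SUITE_ATTRS}


def akm_from_request(parsed: Dict) -> Optional[str]:
    """The AKM the authenticator reports via attribute 188, or None if it is absent."""
    sel = wlan_suites(parsed).get("WLAN-AKM-Suite")
    if sel is None:
        return None
    oui, suite_type = sel.rsplit(":", 1)
    name = AKM_NAMES.get(int(suite_type), "unknown") if oui == "00-0F-AC" else "vendor"
    return f"{sel} {name}"


def eap_message(parsed: Dict) -> Dict:
    """RFC 3579: concatenate all EAP-Message attributes in order, then read the EAP header."""
    eap = b"".join(v for t, v in parsed["attrs"] if t == 79)
    if len(eap) < 4:
        raise ValueError("no complete EAP header in EAP-Message attributes")
    code, ident, length = struct.unpack_from("!BBH", eap, 0)
    if length != len(eap):
        raise ValueError("EAP length does not match reassembled EAP-Message data")
    return {"code": code, "id": ident, "type": eap[4] if length > 4 else None, "data": eap[5:]}


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(ident: int, attrs: List[Attr]) -> bytes:
    """Constructed packet for testing; the Request Authenticator is zeroed, not random."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample (not the post's ise-wpa3e-tcpdump.pcap): an Access-Request carrying
# an EAP-Response/Identity plus the RFC 7268 attributes a 192-bit SSID would report.
EAP_RESP_IDENTITY = struct.pack("!BBH", 2, 1, 5 + 5) + b"\x01" + b"alice"
SAMPLE_WITH_AKM = build_access_request(0x2A, [
    (1, b"alice"), (4, bytes([192, 0, 2, 10])),
    (186, b"\x00\x0f\xac\x09"), (187, b"\x00\x0f\xac\x09"),
    (188, b"\x00\x0f\xac\x0c"), (189, b"\x00\x0f\xac\x0c"),
    (79, EAP_RESP_IDENTITY), (80, bytes(16)),      # Message-Authenticator not computed
])
SAMPLE_WITHOUT_AKM = build_access_request(0x2B, [
    (1, b"alice"), (79, EAP_RESP_IDENTITY), (80, bytes(16)),
])

if __name__ == "__main__":
    for pkt in (SAMPLE_WITH_AKM, SAMPLE_WITHOUT_AKM):
        p = parse_radius(pkt)
        print("AKM:", akm_from_request(p), "EAP:", eap_message(p))
```

When attribute 188 is absent, as it was in this lab, the RADIUS server has no way to tell a 192-bit SSID from any other 802.1X SSID, so any policy that should only release an Access-Accept for 192-bit clients has to be enforced on the TLS side (cipher suite and certificate key size) instead.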
You can delete the wireless SSID profile by simply forgetting the SSID, or with the "netsh wlan delete profile" command as shown below:
C:\Windows\system32>netsh wlan delete profile name="mrn-wpa3e" i=*

Profile "mrn-wpa3e" is deleted from interface "Wi-Fi".
You can find which products support WPA3-Enterprise using the WiFi Alliance product finder webpage. The example below shows how to filter WPA3-Enterprise-supported Computers & Accessories. (Notice the Intel AX210, certified recently for WiFi 6E, the 6 GHz band.)
Be familiar with these latest security enhancements and test them in your environment. When we go to 6 GHz, you will see that only WPA3 and Enhanced Open are supported (no transition modes, no WPA2 and no WPA). Here is a WPA3 micro course I developed for WiFiTraining if you are interested in learning all these new security bits in more detail.
1. Wireless Security Enhancement by Stephen Orr, Mobility Field Day 5 (July 2020)
2. WPA3, OWE & DPP by Hemant Chaskar, WLPC Phoenix 2019 (Feb)
3. Advancements in Wireless Security (BRKEWN-2006) by Stephen Orr, Cisco Live 2020 Barcelona (Jan)