WPA3 Encryption and Configuration Guide (2024)


Introduction

The original Wi-Fi Protected Access (WPA) standard was released in 2003 to replace the Wired Equivalent Privacy (WEP) security algorithm, and was in turn superseded by WPA2 in 2004. WPA3, announced by the Wi-Fi Alliance in 2018, introduced new features to simplify Wi-Fi security, including stronger authentication, increased cryptographic strength, and mandatory use of Protected Management Frames (PMF) to increase network security.

This article provides insight into WPA3 to help users make educated network security decisions.

WPA3 is enabled by default on wireless networks configured for MR 27.X.

Legacy access points (802.11ac Wave 1 or older) will not support WPA3/MR 27+; if configured with an SSID that uses WPA3, these APs will encrypt traffic using WPA2. For more information, see MR Mixed Firmware Networks.

Encryption

Cisco Meraki supports two WPA3 modes:

  • WPA3-Personal
  • WPA3-Enterprise

WPA3-Personal allows for better password-based authentication even when using non-complex combinations. WPA3 uses Simultaneous Authentication of Equals (SAE) to provide stronger defenses against password guessing. SAE is a secure key establishment protocol.

    WPA3-Personal

    WPA3-Personal, using Simultaneous Authentication of Equals (SAE), builds upon WPA2-PSK: users authenticate using a passphrase only.

    SAE adds a layer of security by authenticating both the STA and the Meraki AP before any Association Request/Response is exchanged. This provides an advantage when using non-complex passphrases. SAE is a variant of the Dragonfly key exchange (RFC 7664).

    WPA3-Personal has two variants:

    • WPA3 Only
    • WPA3 Transition Mode

    WPA3 Only

    When using WPA3 only, the access point advertises in its beacon that it accepts only STAs using WPA3 SAE. When using transition mode, the access point advertises in its beacon that it accepts STAs using both WPA2 and WPA3. In this configuration, STAs that do not support WPA3 can still connect to the SSID.

    WPA2 relies on the complexity of the password to resist dictionary attacks. Consider this when choosing the password for an SSID in transition mode.

    WPA3 SAE follows this process:


    1. Probe Request

      • Regular request to the AP after the beacon.

    2. Probe Response

      • Regular response to the STA.

    3. Authentication (Commit) from STA to AP

    4. Authentication (Commit) from AP to STA

      • This packet is an 802.11 authentication frame.

      • The Commit includes SAE authentication sequence number 1 with a scalar and an element that are not related to the password to be used.

      • This is used to generate the PMK on the AP.

    5. Authentication (Confirm) from STA to AP

      • This packet is an 802.11 authentication frame.

      • The Confirm includes sequence number 2 with a confirm message built from the generated key, for the AP to validate.

    6. Authentication (Confirm) from AP to STA

      • This packet is an 802.11 authentication frame.

      • The Confirm includes sequence number 2 with a confirm message built from the generated key, letting the STA know the key is correct or rejecting the authentication.

    7. Regular Association Request

    8. Regular Association Response

    9. 4-way handshake using the PMK generated with the SAE method. After this step, regular data can be transmitted.
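The Commit/Confirm steps above can be followed end to end in code. The script below is an added example written for this guide, not Meraki or Wi-Fi Alliance code: it runs the SAE (Dragonfly, RFC 7664) exchange between a STA and an AP in a tiny MODP group (p = 1019, q = 509, constructed so the numbers stay readable; real SAE uses 2048-bit+ groups or NIST P-256) and derives the password element with a simplified hash-to-group rule instead of hunting-and-pecking or H2E. The MAC addresses, passphrases and function names are constructed for the example. What it shows is why a Commit reveals nothing useful about the passphrase, which checks a receiver applies to a peer's Commit (range, subgroup membership, reflection), and how only a peer with the same password element can produce a valid Confirm and the same PMK for the 4-way handshake.

```python
"""Toy SAE (Dragonfly, RFC 7664) Commit/Confirm walk-through.

Added example, not Meraki or Wi-Fi Alliance code.  Runs in a tiny MODP group
(p = 1019, q = 509, constructed for readability, not security) with a
simplified password-element derivation; the message flow and the
peer-validation checks are the point, not the group size.
"""
import hashlib
import hmac
import secrets

P = 1019                 # toy safe prime, p = 2q + 1 (illustration only)
Q = 509                  # prime order of the subgroup holding the password element
COFACTOR = (P - 1) // Q  # exponent that maps any value into that subgroup


def password_element(password: str, mac_a: bytes, mac_b: bytes) -> int:
    """Derive the password element PE that STA and AP must compute identically.

    Both MAC addresses are mixed in (sorted, so either side gets the same value),
    which is why SAE authenticates the two peers and not only the passphrase.
    """
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hashlib.sha256(hi + lo + password.encode() + bytes([counter])).digest()
        pe = pow(int.from_bytes(seed, "big") % P, COFACTOR, P)
        if pe > 1:
            return pe
    raise RuntimeError("could not derive a password element")


class SaePeer:
    """One side of the exchange; STA and AP run the same code."""

    def __init__(self, password: str, own_mac: bytes, peer_mac: bytes):
        self.pe = password_element(password, own_mac, peer_mac)
        while True:                                   # rand, mask in [2, q); scalar > 1
            self.rand = secrets.randbelow(Q - 2) + 2
            self.mask = secrets.randbelow(Q - 2) + 2
            self.scalar = (self.rand + self.mask) % Q
            if self.scalar > 1:
                break
        self.element = pow(self.pe, Q - self.mask, P)  # PE^(-mask) mod p: masks PE
        self.peer_commit = self.kck = self.pmk = None

    def commit(self) -> tuple:
        """Steps 3/4 of the article: authentication frame, SAE sequence 1 (Commit)."""
        return self.scalar, self.element

    def process_commit(self, peer_scalar: int, peer_element: int) -> None:
        """Validate the peer's Commit, then derive the shared secret, KCK and PMK."""
        if not 1 < peer_scalar < Q:
            raise ValueError("scalar outside [2, q)")
        if not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("element not in the prime-order subgroup")
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("reflected commit")      # peer echoed our own values back
        # (PE^peer_scalar * peer_element)^rand == PE^(rand_sta * rand_ap) on both sides
        shared = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        if shared == 1:
            raise ValueError("degenerate shared secret")
        keyseed = hmac.new(b"\x00" * 32, shared.to_bytes(2, "big"), hashlib.sha256).digest()
        context = ((self.scalar + peer_scalar) % Q).to_bytes(2, "big")
        self.kck = hmac.new(keyseed, b"\x01SAE KCK and PMK" + context, hashlib.sha256).digest()
        self.pmk = hmac.new(keyseed, b"\x02SAE KCK and PMK" + context, hashlib.sha256).digest()
        self.peer_commit = (peer_scalar, peer_element)

    def _confirm_mac(self, send_confirm: int, first: tuple, second: tuple) -> bytes:
        data = send_confirm.to_bytes(2, "big")
        for scalar, element in (first, second):
            data += scalar.to_bytes(2, "big") + element.to_bytes(2, "big")
        return hmac.new(self.kck, data, hashlib.sha256).digest()

    def confirm(self, send_confirm: int = 1) -> tuple:
        """Steps 5/6: authentication frame, SAE sequence 2 (Confirm), keyed with the KCK."""
        return send_confirm, self._confirm_mac(send_confirm, self.commit(), self.peer_commit)

    def verify_confirm(self, send_confirm: int, peer_confirm: bytes) -> bool:
        """Only a peer that derived the same PE (same passphrase) and KCK passes this."""
        expected = self._confirm_mac(send_confirm, self.peer_commit, self.commit())
        return hmac.compare_digest(expected, peer_confirm)


STA_MAC = bytes.fromhex("02aabbccdd01")   # constructed sample addresses
AP_MAC = bytes.fromhex("02aabbccdd02")


def run_sae(sta_password: str, ap_password: str) -> dict:
    """Run steps 3-6 between a STA and an AP and report whether a PMK for step 9 exists."""
    sta = SaePeer(sta_password, STA_MAC, AP_MAC)
    ap = SaePeer(ap_password, AP_MAC, STA_MAC)
    try:
        ap.process_commit(*sta.commit())                # 3. Commit, STA -> AP
        sta.process_commit(*ap.commit())                # 4. Commit, AP -> STA
        ap_ok = ap.verify_confirm(*sta.confirm())       # 5. Confirm, STA -> AP
        sta_ok = sta.verify_confirm(*ap.confirm())      # 6. Confirm, AP -> STA
    except ValueError as reason:
        return {"authenticated": False, "pmk_match": False, "reason": str(reason)}
    # Only after both Confirms succeed does the PMK feed the 4-way handshake (step 9).
    return {"authenticated": ap_ok and sta_ok, "pmk_match": sta.pmk == ap.pmk}


if __name__ == "__main__":
    print(run_sae("correct horse battery", "correct horse battery"))
    print(run_sae("correct horse battery", "wrong passphrase"))
```

A wrong passphrase on either side produces a different password element, so the Confirm check fails and no PMK is agreed; nothing in the two Commits lets an observer test passphrase guesses offline, which is the property the article contrasts with WPA2-PSK in transition mode.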

    Configuration

    To enable WPA3-SAE, navigate to Wireless > Configure > Access control > Security and change the WPA encryption selection to WPA3 only.


    WPA3 Transition Mode

    WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that STAs which are not compliant with either WPA3 or MFP can still connect seamlessly.

    802.11w can be set to Required; however, WPA2 clients which do not support MFP will not be able to associate.

    Configuration

    To enable WPA3 Transition Mode, navigate to Wireless > Configure > Access Control > Security and set the WPA encryption selection to WPA3 Transition Mode.


    Client Behavior Chart for WPA3 Personal

    The following chart delineates the different connection behaviors of STAs based on the dashboard configuration:

    Dashboard configuration          Client behavior
    WPA3         802.11w (PMF)       WPA2 STA          WPA2 STA with PMF   WPA3 STA
    Only         Required            Cannot connect    Cannot connect      Connects
    Transition   Required            Cannot connect    Connects            Connects
    Transition   Enabled             Connects          Connects            Connects

    WPA3-Enterprise

    WPA3-Enterprise builds upon WPA2 and is meant to replace it in the future.

    Modes of operation

    WPA3 Enterprise has two modes of operation available on dashboard to meet the network requirements as needed.

    Prior to March 13th, 2023, dashboard offered a single mode of operation "WPA3 Only" that enforced WPA3 192-bit security.

    WPA3 Only

    This mode uses the same ciphers as WPA2, but requires 802.11w (PMF) to be enabled.

    WPA3 192-bit

    This mode utilizes 192-bit security while still using the 802.1X standard to provide a secure wireless network for enterprise use. This provides a superior encryption method to better protect any kind of data. The security suite is aligned with the recommendations of the Commercial National Security Algorithm (CNSA) suite and is commonly deployed in high-security Wi-Fi networks such as government, defense, finance, and other industries.

    WPA3 192-bit security will be exclusive to EAP-TLS, which will require certificates on both the supplicant and the RADIUS server. Also, to use WPA3 192-bit enterprise, the RADIUS servers must use one of the permitted EAP ciphers:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    WPA3-Enterprise 192-bit follows a similar process to the one in WPA2; however, it is enhanced by the aforementioned ciphers.
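As an added example (not Meraki code or part of this guide), the following Python decomposes TLS 1.2 cipher suite names and checks each component against what the three permitted suites have in common: ephemeral ECDHE or DHE key exchange, ECDSA or RSA certificate authentication, AES-256-GCM, and a SHA-384 PRF. It goes beyond the page's three-entry list by reporting why any other suite is rejected, which helps when vetting a RADIUS server's configured cipher list before switching an SSID to 192-bit mode. The OpenSSL-name mapping, the sample cipher list and the function names are assumptions of the example.

```python
"""Vet TLS 1.2 cipher suite names against the WPA3-Enterprise 192-bit profile.

Added example, not Meraki code.  The three permitted suites share one shape:
ephemeral key exchange (ECDHE or DHE), ECDSA or RSA authentication,
AES-256-GCM, and a SHA-384 PRF.  Instead of hard-coding the three names, this
parses any IANA-style suite name and explains each requirement it fails.
"""
from typing import Optional

ALLOWED_KEX = {"ECDHE", "DHE"}      # ephemeral (forward-secret) key exchange only
ALLOWED_AUTH = {"ECDSA", "RSA"}     # certificate signature algorithms
REQUIRED_CIPHER = "AES_256_GCM"
REQUIRED_PRF = "SHA384"

# OpenSSL spellings of the three permitted suites, as printed by `openssl ciphers`
# (assumed mapping for this example).
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_suite(name: str) -> Optional[dict]:
    """Split TLS_<kex>[_<auth>]_WITH_<cipher>_<prf> into parts; None if not that shape."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None
    left, right = name[4:].split("_WITH_", 1)
    kex_auth = left.split("_")
    if len(kex_auth) == 1:           # e.g. TLS_RSA_WITH_...: static RSA does both jobs
        kex_auth = kex_auth * 2
    if len(kex_auth) != 2 or "_" not in right:
        return None
    cipher, prf = right.rsplit("_", 1)
    return {"kex": kex_auth[0], "auth": kex_auth[1], "cipher": cipher, "prf": prf}


def check_suite(name: str) -> tuple:
    """Return (compliant, reasons). Accepts IANA names or the OpenSSL spellings above."""
    if "-" in name:                  # OpenSSL-style name: only the three permitted ones map
        iana = OPENSSL_TO_IANA.get(name)
        if iana is None:
            return False, [f"{name}: OpenSSL-style name is not one of the permitted suites"]
        name = iana
    parts = parse_suite(name)
    if parts is None:
        return False, [f"{name}: not a TLS 1.2 suite name (TLS 1.3 suites are not in the 192-bit list)"]
    reasons = []
    if parts["kex"] not in ALLOWED_KEX:
        reasons.append(f"key exchange {parts['kex']} is not ephemeral ECDHE/DHE")
    if parts["auth"] not in ALLOWED_AUTH:
        reasons.append(f"authentication {parts['auth']} is not ECDSA/RSA")
    if parts["cipher"] != REQUIRED_CIPHER:
        reasons.append(f"cipher {parts['cipher']} is not {REQUIRED_CIPHER}")
    if parts["prf"] != REQUIRED_PRF:
        reasons.append(f"PRF {parts['prf']} is not {REQUIRED_PRF}")
    return not reasons, reasons


def vet_cipher_list(suites: list) -> dict:
    """Partition a server's configured suites into those 192-bit mode may use and the rest."""
    result = {"permitted": [], "rejected": []}
    for suite in suites:
        ok, reasons = check_suite(suite)
        if ok:
            result["permitted"].append(suite)
        else:
            result["rejected"].append(f"{suite}: {'; '.join(reasons)}")
    return result


if __name__ == "__main__":
    # Constructed sample of what a RADIUS server's TLS configuration might list.
    sample = [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
    ]
    for line in vet_cipher_list(sample)["rejected"]:
        print("rejected:", line)
    print("permitted:", vet_cipher_list(sample)["permitted"])
```

Anything the check rejects cannot be negotiated by a 192-bit client, so a RADIUS server whose list holds only rejected suites will fail every EAP-TLS handshake once the SSID is switched; trimming the list to the permitted suites before the change avoids that outage.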

    The WPA3 192-bit process is the following:


    1. Regular Probe Request from STA to AP
    2. Probe Response, which includes the RSN SHA384 Suite-B information stating that this is WPA3-Enterprise with 192-bit security
    3. Regular 802.11 Authentication with SEQ 1 from STA to AP
    4. Regular 802.11 Authentication with SEQ 2 from AP to STA
    5. Association Request including RSN capabilities from STA to AP
    6. Association Response from AP to STA
    7. EAP process, which includes the Identity Request/Response and the exchange of credentials with the RADIUS server using the EAP-TLS protocol
    8. If authentication with the RADIUS server completes, it sends an Access-Accept message, which the AP transmits to the STA as a "Success" message
    9. Finally, a PMK is created based on the EAP process, and the 4-way handshake generates valid keys to ensure encryption. After this step, regular data can be transmitted

    Configuration

    To enable this on the dashboard, follow these steps:

    1. Navigate to Wireless > Access control > Security
    2. Select Enterprise with my RADIUS server
    3. Set the WPA encryption selection to WPA3 Only or WPA3 192-bit security as required.
    4. Configure the RADIUS server.


    WPA3 192-bit is not supported with Meraki Cloud Authentication.

    Opportunistic wireless encryption (OWE)

    Opportunistic wireless encryption (OWE) provides a secure integration for clients without requesting the user to input credentials or a password.

    Detailed in RFC 8110, OWE offers clients protection similar to SAE.

    In order to configure it go to:

    Wireless > Configure > Access control > Security and select Opportunistic Wireless Encryption (OWE)


    OWE transition is not yet supported.

    OWE is presented in the new Access Control page from MR 27.1 and up.

    Clients that do not support OWE will fail when trying to join the SSID.

    WPA3 and 6 GHz

    6 GHz SSIDs support only WPA3, which means transition mode is not supported on 6 GHz. Therefore, if the SSID is configured with a security type that is not supported on 6 GHz, the 6 GHz radio will be turned off for it by default.

    It is recommended to use different SSID names if encryptions will be mismatched (WPA2 on 2.4/5 GHz vs WPA3 on 6 GHz).

    Compatibility configuration:

    Security type              2.4/5 GHz   6 GHz
    Open                       ON          OFF
    OWE*                       ON          ON
    OWE* Transition            ON          OFF
    WPA2 Personal              ON          OFF
    WPA2 Enterprise            ON          OFF
    WPA3 Personal              ON          ON
    WPA3 Personal Transition   ON          OFF
    WPA3 Enterprise            ON          ON
    WPA3 Enterprise 192-bit    ON          ON

    *OWE is available on the new access control page.

    Below are the three most typical types of WLAN and the most popular choice of security protocol for each:

    WLAN type           2.4/5 GHz         6 GHz
    Corporate Access    WPA2-Enterprise   WPA3-Enterprise
    SMB & Home Office   WPA2-PSK          WPA3-SAE-H2E
    Wi-Fi HotSpot       Open              OWE

    Over time, newer client drivers are expected to support WPA3-Enterprise and WPA3-SAE-H2E mode on the 2.4 and 5 GHz bands as well as 6 GHz. This will then allow clients to seamlessly roam between the 2.4/5 GHz and 6 GHz bands using WPA3-SAE-H2E.

    New Behavior in MR 30.X Firmware

    MR 30 firmware has added support for 802.11r (excluding 802.11r Adaptive mode) to work with most WPA3 encryption options.

    Network administrators can now configure fast roaming on the network by navigating to Wireless > Configure > Access control > WPA encryption.

    Cisco Meraki supports Fast Transition with the following WPA3 modes:

    • WPA3 Personal
      • WPA3 only
      • WPA3 Transition Mode
    • WPA3 Enterprise
      • WPA3 only

    Configuration for WPA3 Personal

    1. Navigate to Wireless > Configure >Access control > Security
    2. Select Password
    3. Set the WPA encryption to WPA3 Only or WPA3 Transition Mode
    4. Enable 802.11r

    Configuration for WPA3 Enterprise

    1. Navigate to Wireless > Configure > Access control > Security
    2. Select Enterprise with my RADIUS server
    3. Set the WPA encryption to WPA3 Only
    4. Enable 802.11r
    5. Configure the RADIUS server.

    WPA3 Transition Mode for RADIUS Authentication

    Note: This feature is available from firmware version 31.1.x and above.

    WPA3 Transition mode for 802.1X enables clients to connect to a single SSID with dynamic encryption. This is done by using WPA2 for 2.4 GHz and 5 GHz, while using WPA3 for 6 GHz radio. This allows Wi-Fi 5, 6 and 6E clients to connect to the same broadcasting SSID configured for RADIUS-based authentication. With WPA3 Transition Mode clients can seamlessly roam between WPA2 enterprise and WPA3 enterprise SSIDs without disruption.

    Configuration

    Within the Access Control page, WPA3 Transition Mode can be set for SSIDs using 802.1X-based authentication.


    For further information, please refer to this link.

    Article information

    Author: Francesca Jacobs Ret
