Skip to main content

 

Cisco Meraki Documentation

WPA3 Encryption and Configuration Guide

  1. Last updated
  2. Save as PDF

Introduction

The original Wi-Fi Protected Access (WPA) standard was released in 2003 to replace the Wired Equivalent Privacy security algorithm (WEP), which was then in turn superseded by WPA2 in 2004. WPA3, announced by the Wi-Fi Alliance in 2018, introduced new features to simplify Wi-Fi security, including enabling better authentication, increased cryptographic strength, and requiring the use of Protected Management Frames (PMFs) to increase network security.

This article provides insight into WPA3 to help users make educated network security decisions.

WPA3 is enabled by default on wireless networks configured for MR 27.X

Legacy access points (802.11ac Wave-1 or older) will not support WPA3/MR 27+; if configured with an SSID that uses WPA3, the APs will encrypt traffic using WPA2. For more information check MR Mixed Firmware Networks

Encryption

Cisco Meraki supports two WPA3 modes:

  • WPA3-Personal
  • WPA3-Enterprise
     

WPA3-Personal allows for better password-based authentication even when using non-complex combinations. WPA3 uses Simultaneous Authentication of Equals (SAE) to provide stronger defenses against password guessing. SAE is a secure key establishment protocol.

WPA3-Personal

WPA3-Personal using Simultaneous Authentication of Equals (SAE) builds upon WPA2 PSK, where users can authenticate using a passphrase only.

SAE adds a layer of security by authenticating both the STA and Meraki AP even before having an Association Request/Response. This provides an advantage when using non-complex passphrases. SAE is a variant of RFC 7664, the Dragonfly Key Exchange.

WPA3-Personal has two variants:

  • WPA3 Only 
  • WPA3 Transition Mode

WPA3 Only

When using WPA3 only, the access point will transmit in the beacon the capability to only accept STA using WPA3 SAE. When using transition mode, the access point will broadcast in the beacon capabilities to accept STA using both WPA2 and WPA3. In this configuration, STA that do not support WPA3 can still connect to the SSID.

WPA2 relies on complexity of the password for dictionary attacks. Consider this while using transition mode for the password.
"WPA3 only" will use AES in GCM (Galois/Counter Mode) mode for encryption 

WPA3 SAE follows the following process:

Screen_Shot_2020-02-13_at_8.48.35_AM.png

  1. Probe Request

    • Regular request to AP after beacon.

  2. Probe Response

    • Regular response to STA.

  3. Authentication (Commit) from STA to AP

    • This packet is an 802.11 authentication frame.

    • Commit will include SAE authentication Seq Number 1 with a scalar and an element not related to the password to be used.

    • This is used to generate the PMK on the STA.

  4. Authentication (Commit) from AP to STA

    • This packet is an 802.11 authentication frame.

    • Commit will include SAE authentication Seq Number 1 with a scalar and an element not related to the password to be used.

    • This is used to generate the PMK on the AP.

  5. Authentication (Confirm) from STA to AP

    • This packet is an 802.11 authentication frame.

    • Confirm includes Seq Number 2 with confirm message with key generated for AP to validate.

  6. Authentication (Confirm) from AP to STA

    • This packet is an 802.11 authentication frame.

    • Confirm includes Seq Number 2 with confirm message with key generated letting STA know the key is correct or rejecting the authentication.

  7. Regular Association Request

  8. Regular Association Response

  9. 4-way handshake utilizing PMK generated with SAE method. After this step regular data can be transmitted

Configuration

To enable WPA3-SAE, navigate to Wireless > Configure > Access control > Security and change the WPA encryption selection to WPA3 only.

wpa3 only.PNG

WPA3 Transition Mode

WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, Dashboard allows MFP to also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.

802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate.

Configuration

To enable WPA3 Transition Mode, navigate to Wireless > Configure > Access Control > Security and set the WPA encryption selection to WPA3 Transition Mode.

wpa3 transition mode.PNG

Client Behavior Chart for WPA3 Personal

The following chart delineates the different connection behaviors of STA based on the dashboard configuration:

Dashboard Configuration Client behavior
WPA3 802.11w PMF WPA2 STA WPA2 STA PMF WPA3 STA
Only Required Cannot Connect Cannot Connect Connects

Transition

 Required Cannot Connect Connects Connects
Enabled Connects Connects Connects

WPA3-Enterprise

WPA3 Enterprise builds upon WPA2 and is meant to replace it in the future.

Modes of operation

WPA3 Enterprise has two modes of operation available on dashboard to meet the network requirements as needed.

Prior to March 13th, 2023, dashboard offered a single mode of operation "WPA3 Only" that enforced WPA3 192-bit security.

 

WPA3 Only 

This mode uses the same ciphers as WPA2, but requires 802.11w (PMF) to be enabled.

WPA3 192-bit  

This mode utilizes 192-bit security while still using the 802.1X standard to provide a secure wireless network for enterprise use. This provides a superior encryption method to better protect any kind of data. The security suite is aligned with the recommendations from the Commercial National Security Algorithm (CNSA) suite and is commonly placed in high-security Wi-Fi networks such as in government, defense, finance, and other industries.

WPA3 192-bit security will be exclusive for EAP-TLS, which will require certificates on both the supplicant and RADIUS server. Also, to use WPA3 192-bit enterprise, the RADIUS servers must use one of the permitted EAP ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

WPA3-Enterprise 192-bit follows a similar process as the one in WPA2, however, it is enhanced due to the aforementioned ciphers.

The WPA3 192-bit process is the following:

 

Screen_Shot_2020-02-13_at_4.38.40_PM.png

  1. Regular Probe Request from STA to AP
  2. Probe Response will include RSN SHA384 Suite-b stating this is WPA3 enterprise with 192-bit security
  3. Regular 802.11 Authentication with SEQ 1 from STA to AP
  4. Regular 802.11 Authentication with SEQ 2 from AP to STA
  5. Association Request including RSN capabilities from STA to AP
  6. Association Response from AP to STA
  7. EAP process that will include Identity Request/Response and exchange of credentials with RADIUS server using EAP-TLS protocol
  8. If authentication is complete with RADIUS server it will send an Access-Accept message which will be transmitted to the STA from the AP as a "Success" message
  9. Finally, based on EAP process a PMK will be created and 4-way handshake will generate valid keys to ensure encryption. After this step, regular data can be transmitted

Configuration

To enable this on the dashboard, follow these steps:

  1. Navigate to Wireless > Access control > Security
  2. Select Enterprise with my RADIUS server
  3. Set the WPA encryption selection as WPA3 Only or WPA3 192-bit security as required.
  4. Configure the RADIUS server.

 

 

WPA3 192-bit is not supported with Meraki Cloud Authentication.

WPA3 Transition Mode is available with MR31.1.x firmware version.

Opportunistic wireless encryption (OWE)

Opportunistic wireless encryption (OWE) provides a secure integration for clients without requesting the user to input credentials or a password.

Detailed in RFC 8110, OWE offers clients protection similar to SAE.

In order to configure it go to:

Wireless > Configure > Access control > Security and select Opportunistic Wireless Encryption (OWE)

OWE.PNG

OWE is presented in the new Access Control page from MR 27.1 and up.

Clients that do not support OWE will fail when trying to join the SSID.

OWE Transition Mode

The Opportunistic Wireless Encryption (OWE) transition mode enables OWE and non-OWE STAs to connect to the same SSID simultaneously.
OWE transition mode enables a seamless transition from Open unencrypted WLANs to OWE WLANs without impacting the wireless connection.

  • Both the open WLAN and the OWE WLAN transmit beacon frames. Beacon and probe response frames from the OWE WLAN include the Wi-Fi Alliance vendor IE to encapsulate the BSSID and SSID of the open WLAN, and similarly, the open WLAN also includes for OWE WLAN.
  • An OWE STA only displays to the user in the list of available networks the SSID of the Open BSS of an OWE AP operating in OWE Transition Mode, and hides the OWE BSSID of that OWE AP.
  • WPA3-capable clients associate with the OWE SSID via the Open SSID.
  • Non-WPA3 clients associate directly with the Open SSID.

 

Firmware: MR 32.1.x

Hardware: Wi-Fi 6, Wi-Fi 6E , Wi-Fi 7

Configuration:

1. To enable OWE Transition Mode, navigate to Wireless > Configure > Access control > Security

2. Set the Sign-on method as Opportunistic Wireless Encryption (OWE) and change the WPA encryption method to WPA3 Transition Mode.

 

3. After selecting the WPA3 Transition Mode, select an SSID from the available dropdown to assign an unencrypted open SSID for OWE-incapable clients to associate with.

Note: This open SSID must be enabled first to populate the dropdown and must have the same network settings as the OWE transition mode SSID for them to pair. It is advised to configure both SSID settings to match before enabling OWE transition mode.

clipboard_e0e59b6923d7382dd4563b8d368fa3e4c.png

Limitations for OWE Transition Mode

 

2.4/ 5G

6G

Wi-Fi 7

OWE only

OWE only

Wi-Fi 6/6E

Allowed

OWE Only
  • Protected Management Frame (PMF) must be set to Required. This is set by default with WPA3 only Layer 2 Security.
  • Enhanced Open only works on end clients that run the newer versions that support Enhanced Open.
  • Transition mode doesn’t work on 6 GHz, as it requires WPA3.

WPA3 and 6 GHz

WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.

It is recommended to use different SSID names if encryptions will be mismatched (WPA2 on 2.4/5 GHz vs WPA3 on 6 GHz). 

Compatibility Configuration:

Security Type:

2.4/5 GHz

6 GHz

Open

ON

OFF

OWE*

ON

ON

OWE Transition***

ON

ON

WPA2 Personal

ON

OFF

WPA2 Enterprise

ON

OFF

WPA3 Personal

ON

ON

WPA3 Personal Transition***

ON

ON

WPA3 Enterprise

ON

ON
WPA3 Enterprise Transition** ON ON

WPA3 Enterprise 192-bit

ON

ON

*OWE is available on the new access control page.
** MR 31.1.X firmware is required
*** MR 32.1.X firmware is required

 

Below are the three most typical types of WLAN and the most popular choice of security protocol for each:

 

2.4/5 GHz

6 GHz

Corporate Access

WPA2-Enterprise

WPA3-Enterprise

SMB & Home Office 

WPA2-PSK

WPA3-SAE-H2E

Wi-Fi HotSpot

Open

OWE

Over time it is expected for newer client drivers to support WPA3-Enterprise and WPA3-SAE-H2E mode on both the 2.4 & 5 GHz bands as well as 6 GHz. This will then allow clients to seamlessly roam between 2.4/5 GHz and 6 GHz bands using WPA3-SAE-H2E.

Security requirements with Wi-Fi 7

Wi-Fi 7 (802.11be) standard mandates higher security requirements. This will allow network administrators to choose more granular security encryptions types and AKMs at a per SSID level. Open and WPA/WPA2 only SSIDs are not acceptable per the Wi-Fi 7 standard. Dashboard will enforce this requirement.

With Wi-Fi 7, the following security standards are required:

  • AKM SAE-EXT (24) and above

  • GCMP 256 

  • AP Beacon protection

Note: AP Beacon protection is enabled by default when you enable Wi-Fi 7 in Wireless > Configure > Radio Settings > RF profiles > Edit > General > 802.11be

Note: All the above security standards must be enforced at the same time.

 

Options to configure encryption and AKMs is now available in Dashboard at a per SSID level as shown below:

 

Security requirements with Wi-Fi 7

Network preparation before enabling Wi-Fi 7

Below is a quick snapshot on how existing SSIDs can be transitioned to ensure Wi-Fi 7 compliance:

 

Use Case

Security encryption today

Wi-Fi 7 compliant SSID

Guest access

Open

OWE

Corporate/Secure/RADIUS auth

WPA2 

WPA3 OR

WPA3 transition (Enterprise)

IoT/OT/Guest (PSK based)

WPA2

WPA3 OR

WPA3 transition (SAE)

Corporate/Secure

SuiteB 192 Bit

SuiteB 192 Bit*

* See Wi-Fi 7 with SuiteB 192Bit section below

Note: OWE Transition mode is not supported by Wi-Fi 7. OWE transition relies on a pair of SSIDs where one is an Open SSID. Open SSIDs are not compliant with Wi-Fi 7. This is not the case with PSK Transition and Enterprise Transition SSIDs.

 

Note: WPA3 Transition is supported on PSK/SAE and Enterprise SSID types starting MR 31.1.1 and above firmware versions

 

For WPA2 only SSID today, our recommendation is to migrate to WPA3 transition mode, as this will allow the SSID security to be Wi-Fi 7 compliant along with support for older/legacy client devices that may not support WPA3 today. Transition mode will allow legacy and newer clients to connect on the same SSID using different AKMs, thus allowing the least resistance path for Wi-Fi 7 compliance.

 

For MR 31.1.x implementation, all SSIDs on the Dashboard network must be Wi-Fi 7 compliant to enable Wi-Fi 7 via RF profiles. If any of the existing SSIDs are not compliant, Dashboard will show a warning while enabling Wi-Fi 7. If the network administrator chooses to save the configuration, Dashboard will save it, but Wi-Fi 7 will not be enabled as the network administrator will need to ensure Wi-Fi compliance on the flagged SSIDs.

 

Below is a screenshot of the warning message:

Network preparation before enabling Wi-Fi 7

Note: All SSIDs need to be compliant for Wi-Fi 7 to be enabled with MR 31.1.x and above firmware versions

 

If Dashboard detects a change is being made to existing SSIDs or a new SSID is being enabled that may not be Wi-Fi 7 compliant, Dashboard will show this warning message to the administrator:

 

Dashboard will show relevant warning when changing any existing SSID or creating new

 

If the configured SSIDs on the Wi-Fi 7 APs are not compliant, the AP will operate in Wi-Fi 6 (802.11ax) mode to prioritize client connectivity.

 

Note: Only Broadcasting and Enabled SSIDs are considered for Wi-Fi 7 compliance. Legacy SSIDs that are not broadcasting on Wi-Fi 7 APs, using SSID availability tags, will not be considered for Wi-Fi 7 compliance requirement in Dashboard.

Wi-Fi 7 with SuiteB - 192 Bit

SuiteB - 192 Bit SSID is compliant with Wi-Fi 7, so no changes are required within the SSID's configuration in Dashboard, but the SSID must be re-configured using higher number SSIDs.

When Wi-Fi 7 is enabled for All SSIDs sub tab it should be noted that SuiteB - 192 Bit SSID will only be supported on SSIDs #13 - #15. This is to ensure that the correct MBSSID grouping is enabled for all types of SSIDs on the network. If a network has SuiteB - 192 Bit SSID configured on a lower number SSID, Dashboard will show a warning message and this will need to be corrected for Wi-Fi 7 to be enabled

 

Note: If SuiteB - 192 Bit SSID is already configured between SSIDs #13 - #15. no changes are needed.

Note: If a network administrator requires more than 3 SSIDs to be SuiteB - 192 Bit with Wi-Fi 7 enabled, please contact Meraki Support team

New Behavior in MR 30.X Firmware

MR 30 firmware has added support for 802.11r (excluding 802.11r Adaptive mode) to work with most WPA3 encryption options. 

Network administrators can now configure fast roaming on the network by navigating to Wireless > Configure > Access control > WPA encryption

Screenshot 2023-09-19 at 17.08.10.png
Cisco Meraki supports Fast Transition with the following WPA3 modes:

  • WPA3 Personal
    • WPA3 only
  • WPA3 Transition Mode
    • WPA3 Enterprise
    • WPA3 only

Configuration for WPA3 PersonalEdit section

  1. Navigate to Wireless > Configure > Access control > Security
  2. Select Password
  3. Set the WPA encryption to WPA3 Only or WPA3 Transition Mode
  4. Enable 802.11r 

 

Configuration for WPA3 Enterprise

  1. Navigate to Wireless > Configure >  Access control > Security
  2. Select Enterprise with my RADIUS server
  3. Set the WPA encryption to WPA3 Only 
  4. Enable 802.11r
  5. Configure the RADIUS server.

WPA3 Transition Mode for RADIUS Authentication

Note: This feature is available from 31.1.x and above firmware versions. 

WPA3 Transition mode for 802.1X enables clients to connect to a single SSID with dynamic encryption. This is done by using WPA2 for 2.4 GHz and 5 GHz, while using WPA3 for 6 GHz radio. This allows Wi-Fi 5, 6 and 6E clients to connect to the same broadcasting SSID configured for RADIUS-based authentication. With WPA3 Transition Mode, clients can roam between WPA2 enterprise and WPA3 enterprise SSIDs. When a client roams from a WPA2 to WPA3 SSID reauthentication will take place, but with minimal disruption to connectivity.

Configuration

Within the Access Control page, WPA3 Transition Mode can be set for SSIDs using 802.1X-based authentication.

WPA3 Transition Mode for RADIUS Authentication

For further information about 802.11, please refer to the article 802.11k and 802.11r Overview.

For a list of MX and Z-series with integrated wireless that support select WPA3 features refer to the MX and Z-Series Wireless Settings article.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
    Stage
    Final
  2. Tags
    1. wireless authentication
    2. wireless encryption