WPA3 Deployment Guide (2023)

Introduction to WPA3

WPA3 is the third and latest iteration of the Wi-Fi Protected Access standard developed by the Wi-Fi Alliance and replaces the previous standard, WPA2. The WPA standard was created by the Wi-Fi Alliance security technical task group, chaired by Cisco’s Stephen Orr, with the purpose of standardizing wireless security. WPA3 introduces new features on enterprise, personal, and open security networks through an increase in cryptographic strength, allowing for a more secure authentication process for all WPA3-supported endpoints.

Over the next few years, Cisco expects the industry to see an exponential increase in WPA3 adoption, especially in government and financial institutions. With the number of internet-connected devices forecast to reach 41.6 billion in four years, there is an evident need for better security, and WPA3 is the answer.

Figure 1. Wi-Fi security standards timeline

Supported WPA3 modes

WPA3-Enterprise, for 802.1X security networks. This leverages IEEE 802.1X with SHA-256 as the Authentication and Key Management (AKM).

WPA3-Personal, which uses the Simultaneous Authentication of Equals (SAE) method for personal security networks.

WPA3 Transition Mode (WPA2+WPA3 security-based WLANs for both personal and enterprise).

Opportunistic Wireless Encryption (OWE) for open security networks.

WPA3-Personal SAE hash-to-element method for password element generation (min. software version 17.7.1).

WPA3-Enterprise and WPA3-Personal Transition disabled (min. software version 17.7.1).

WPA3-Personal with SAE as AKM + Fast Transition (FT) (min. software version 17.9.1).

Road-mapped WPA3 features

WPA3-Enterprise 192-bit FT.

Cisco device compatibility

Table 1. Cisco® Catalyst® 9800 Series Wireless Controller WPA3 support matrix

Controller   WPA3 support
9800-L-F     Yes, starting with 16.12.1s
9800-L-C     Yes, starting with 16.12.1s
9800-L       Yes, starting with 16.12.1s
9800-40      Yes, starting with 16.12.1s
9800-80      Yes, starting with 16.12.1s

Table 2. Catalyst 9100 Access Points WPA3 support matrix

Access point   WPA3 support
9105AX         Yes*
9115AX         Yes*
9117AX         Yes*
9120AX         Yes*
9130AX         Yes
9124AXE        Yes
9136AX         Yes
9166/9164      Yes

*Does not support 192-bit encryption.

The purpose of this deployment guide is to provide details of the different WPA3 modes and steps to configure them on the Catalyst 9800 Series controller, using either the GUI or the Command-Line Interface (CLI).

WPA3-Enterprise

WPA3-Enterprise is the most secure version of WPA3 and uses a username plus password combination with 802.1X for user authentication with a RADIUS server. By default, WPA3 uses 128-bit encryption, but it also introduces an optionally configurable 192-bit cryptographic strength encryption, which gives additional protection to any network transmitting sensitive data. This newly introduced 192-bit encryption is in line with recommendations from the Commercial National Security Algorithm (CNSA) suite. It enables WPA3-Enterprise to be commonly used in enterprises, financial institutions, government, and other market sectors where network security is most critical.

Figure 2. WPA3-Enterprise endpoint and network handshake process

WPA3-Enterprise GUI configuration

The following steps will create a WLAN with WPA3-Enterprise security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). Both the SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have Access Points (APs) associated with this profile begin broadcasting this configured WLAN.

Figure 3. Radio/Slot configuration

5. Click the Security tab > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

6. Ensure that PMF is set to Required.

Figure 4. WLAN Security configurations

7. Select the WPA3 Policy, AES, and 802.1x-SHA256 checkboxes, then unselect any other selected parameters.

8. Navigate to the Security tab > AAA tab and choose the preconfigured RADIUS Server Authentication List from the Authentication List drop-down list.

Figure 5. WLAN AAA configuration

9. Click Apply to Device to save and finish the WLAN creation process.

WPA3-Enterprise CLI configuration

The following steps will create a WLAN with WPA3-Enterprise security:

Table 3. WPA3-Enterprise CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan wl-dot1x 4 wl-dot1x
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X Authentication and Key Management (AKM) suite.

Step 4: no security wpa wpa2
  Purpose: Disables WPA2 security.

Step 5: security wpa akm dot1x-sha256
  Purpose: Configures the 802.1X-SHA256 AKM.

Step 6: security wpa wpa3
  Purpose: Enables WPA3 support.

Step 7: security dot1x authentication-list list-name
  Example: Device(config-wlan)# security dot1x authentication-list dot1x
  Purpose: Configures the security authentication list for 802.1X security.

Step 8: no shutdown
  Purpose: Enables the WLAN.

Step 9: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Enterprise 192-bit GUI configuration (optional)

For endpoints that support 192-bit encryption, refer to the client interoperability matrix section below, or reach out to the device vendor.

The following steps will create a WLAN with 192-bit WPA3-Enterprise security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). Both the SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

Figure 6. Radio/Slot configuration

5. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

6. Ensure that PMF is set to Optional.

7. Disable Fast Transition.

8. Check the WPA3 Policy, GCMP256, and SUITEB192-1X checkboxes then unselect any other selected parameters.

Figure 7. WLAN Security, Encryption and AKM configuration

9. Choose the Security > AAA tab, and choose the preconfigured RADIUS Server Authentication List from the Authentication List drop-down list.

Figure 8. Security AAA Method list configuration

10. Click Apply to Device to save and finish the WLAN creation process.

WPA3-Enterprise 192-bit CLI configuration (optional)

The following steps will create a WLAN with 192-bit WPA3-Enterprise security:

Table 4. WPA3-Enterprise 192-bit encryption CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan wl-dot1x 4 wl-dot1x
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security ft adaptive
  Purpose: Disables Fast Transition Adaptive support.

Step 4: no security wpa wpa2
  Purpose: Disables WPA2 security.

Step 5: no security wpa wpa2 ciphers aes
  Purpose: Disables WPA2/CCMP128 support.

Step 6: security wpa wpa2 ciphers gcmp256
  Purpose: Enables GCMP256 support.

Step 7: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 8: security wpa wpa3
  Purpose: Enables WPA3 support.

Step 9: security dot1x authentication-list list-name
  Example: Device(config-wlan)# security dot1x authentication-list dot1x
  Purpose: Configures the security authentication list for 802.1X security.

Step 10: no shutdown
  Purpose: Enables the WLAN.

Step 11: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Enterprise transition mode

The WPA3-Enterprise Transition Mode, also known as WPA3+WPA2-Enterprise mixed mode, is used when some clients support only up to WPA2 and others support WPA3. WPA3-capable clients use the WPA3-Enterprise 802.1X-SHA256 AKM, while WPA2-capable clients can use WPA2-Enterprise's 802.1X-SHA1 or 802.1X-SHA256.

Note: This mode should be used only when necessary. For maximum security, the recommended mode is to use only WPA3 and not a mix of WPA3 and WPA2.

The following steps will create a WLAN with WPA3+WPA2-Enterprise mixed-mode-level security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

5. Disable the 6 GHz Radio Policy, as it is not supported.

Figure 9. Radio/Slot Policy configuration

6. Choose the Security > Layer 2 tab. Choose WPA2 + WPA3 in the Layer 2 Security Mode drop-down list.

7. Ensure that PMF is set to Optional.

8. Disable Fast Transition.

Figure 10. Security, encryption and AKM configuration

9. Scroll down to the WPA Parameters. Check the WPA2 Policy, WPA3 Policy, and AES encryption checkboxes, and enable the 802.1x and 802.1x-SHA256 AKM checkboxes.

10. Click Apply to Device to save and finish the WLAN creation process.

WPA3-Enterprise transition mode CLI configuration

The following steps will create a WLAN with WPA3+WPA2-Enterprise mixed-mode-level security:

Table 5. WPA3-Enterprise transition mode CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3+WPA2-Enterprise 1 WPA3+WPA2-Enterprise
  Purpose: Enters the WLAN configuration submode.

Step 3: security wpa wpa3
  Purpose: Enables WPA3.

Step 4: security wpa wpa2
  Purpose: Enables WPA2.

Step 5: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6: security wpa akm dot1x-sha256
  Purpose: Enables the 802.1X-SHA256 (SHA-2) AKM.

Step 7: radio policy dot11 24ghz
  Purpose: Enables the 2.4-GHz band.

Step 8: radio policy dot11 5ghz
  Purpose: Enables the 5-GHz band.

Step 9: no shutdown
  Purpose: Enables the WLAN.

Step 10: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Enterprise transition disable mode

Transition Disable is an indication from an AP to a station (STA) that the STA is to disable certain transition modes for subsequent connections to the AP's network.

A STA implementation might enable certain transition modes (and possibly other legacy security algorithms) in a network profile.

For example, a WPA3-Personal STA might by default enable WPA3-Personal transition mode in a network profile, which enables a PSK algorithm. However, when a network (fully) supports the most secure algorithm defined in a transition mode, it can use the Transition Disable indication to disable transition modes for that network on a STA, and therefore provide protection against downgrade attacks.

Note: A network administrator might, in order to mitigate the risk of a downgrade attack, use a Transition Disable indication even when only a subset of APs in the corresponding network support the most secure algorithm. In such a case, the STA would connect only to the APs in the network that support the most secure algorithm. Since some multisite network deployments might be independently managed at each site, the configuration of a Transition Disable indication at one site needs to take into account the potential impact on STAs that might subsequently attempt to connect to APs with the same SSID at other sites.

Note: An AP that uses Transition Disable indication is not required to disable the corresponding transition mode(s) on its own BSS. For example, the APs in a WPA3-Personal network might use a Transition Disable indication to ensure that all STAs that support WPA3-Personal are protected against downgrade attacks, while still enabling WPA3-Personal transition mode on its BSS so that legacy STAs can connect.

The following section explains how to enable Transition Disable in the WLAN.

WPA3-Enterprise transition mode disable GUI configuration

The following steps will create a WLAN with WPA3-Enterprise security with Transition Disable:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

Figure 11. Radio Policy Configuration

5. Disable the 6 GHz policy, as it is not supported.

6. Enable the WPA2 + WPA3 option under the Security tab.

7. Disable Fast Transition.

8. Scroll down to the WPA Parameters. Check the WPA2 and WPA3 Policy, AES, and 802.1x and 802.1x-SHA256 checkboxes as AKM.

9. Let the PMF be Optional.

10. Enable Transition Disable under WPA Parameters.

Figure 12. Security, encryption and AKM configurations

WPA3-Enterprise transition mode disable CLI configuration

Table 6. WPA3-Enterprise transition mode disable CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3-Enterprise-TMD 1 WPA3-Enterprise-TMD
  Purpose: Enters the WLAN configuration submode.

Step 3: security wpa wpa3
  Purpose: Enables WPA3.

Step 4: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 5: security wpa wpa2
  Purpose: Enables WPA2 security. PMF is optional now.

Step 6: security wpa wpa2 ciphers aes
  Purpose: Enables Advanced Encryption Standard (AES)/CCMP128 ciphers.

Step 7: security wpa akm dot1x-sha256
  Purpose: Enables the 802.1x-SHA256 AKM.

Step 8: transition-disable
  Purpose: Enables Transition Disable.

Step 9: radio policy dot11 5ghz
  Purpose: Enables the 5-GHz band.

Step 10: radio policy dot11 24ghz
  Purpose: Enables the 2.4-GHz band.

Step 11: no shutdown
  Purpose: Enables the WLAN.

Step 12: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Personal

WPA3-Personal uses 128-bit cryptographic-strength encryption with password-based authentication through SAE. In addition, unlike WPA2-Personal, WPA3-Personal hardens the network against offline dictionary attacks: every password guess requires an exchange with the live network, so guesses are limited in rate and cannot be tested offline. This makes an attack on the password far more time-consuming and dissuades brute-force attempts.

WPA3-Personal provides the following key advantages:

Creates a shared secret that is different for each SAE authentication.

Protects against brute force “dictionary” attacks and passive attacks.

Provides forward secrecy.

Figure 13. WPA3-Personal endpoint and network handshake process

WPA3-Personal GUI configuration

The following steps will create a WLAN with WPA3-Personal-level security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

Figure 14. WPA3 Personal Radio/Slot configuration

5. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

6. Ensure that PMF is set to Required.

7. Disable Fast Transition.

8. Scroll down to the WPA Parameters. Check the WPA3 Policy, AES, and SAE checkboxes.

9. Enter the Pre-Shared Key and choose the PSK format from the PSK Format drop-down list and the PSK type from the PSK Type drop-down list.

Figure 15. WPA3 SAE AKM configuration

10. Click Apply to Device to save and finish the WLAN creation process.

Note: If only the 6-GHz band is used, the SAE Password Element supported is Hash to Element (H2E). Hunting and Pecking (HnP) cannot be used in a 6-GHz-only network. If both 5 GHz and 2.4 GHz are used, H2E and HnP can be used as the SAE Password Element.

WPA3-Personal CLI configuration

The following steps will create a WLAN with WPA3-Personal-level security:

Table 7. WPA3-Personal CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3 1 WPA3
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 4: no security ft over-the-ds
  Purpose: Disables Fast Transition over the distribution system (DS) on the WLAN.

Step 5: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6: no security wpa wpa2
  Purpose: Disables WPA2 security. PMF is disabled now.

Step 7: security wpa wpa2 ciphers aes
  Purpose: Enables Advanced Encryption Standard (AES)/CCMP128 ciphers.

Step 8: security wpa psk set-key ascii value preshared-key
  Example: Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
  Purpose: Specifies a preshared key.

Step 9: security wpa wpa3
  Purpose: Enables WPA3 support.
  Note: If both WPA2 and WPA3 are supported (SAE and PSK together), it is optional to configure PMF. However, you cannot disable PMF. For WPA3, PMF is mandatory.

Step 10: security wpa akm sae
  Purpose: Enables AKM SAE support.

Step 11: security wpa akm sae pwe {h2e | hnp | both}
  Purpose: Chooses the Password Element.

Step 12: no shutdown
  Purpose: Enables the WLAN.

Step 13: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Personal SAE hash-to-element method for password element generation

The following steps will create a WLAN with WPA3-Personal-level security with H2E for password element generation:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

5. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

Figure 16. Radio/Slot Policy configuration

6. Ensure that PMF is set to Required.

7. Disable Fast Transition.

8. Scroll down to the WPA Parameters. Check the WPA3 Policy, AES, and SAE checkboxes.

9. Enter the Pre-Shared Key and choose the PSK format from the PSK Format drop-down list and the PSK type from the PSK Type drop-down list.

10. Enable Hash to Element Only from the SAE Password Element drop-down.

Figure 17. Security and AKM Password Element configuration

Note: If only the 6-GHz band is used, the SAE Password Element supported is H2E. HnP cannot be used in a 6-GHz-only network. If both 5 GHz and 2.4 GHz are used, H2E and HnP can be used as the SAE Password Element.

WPA3-Personal SAE hash-to-element method for password element generation CLI configuration

The following steps will create a WLAN with WPA3-Personal-level security with H2E for password element generation:

Table 8. WPA3-Personal SAE hash-to-element CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3 1 WPA3
  Purpose: Enters the WLAN configuration submode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 4: security wpa wpa3
  Purpose: Enables WPA3.

Step 5: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6: no security wpa wpa2
  Purpose: Disables WPA2 security. PMF is disabled now.

Step 7: security wpa wpa2 ciphers aes
  Purpose: Enables AES/CCMP128 ciphers.

Step 8: security wpa psk set-key ascii value preshared-key
  Example: Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
  Purpose: Specifies a preshared key.

Step 9: security wpa akm sae
  Purpose: Enables AKM SAE support.

Step 10: security wpa akm sae pwe h2e
  Purpose: Enables H2E for password element generation.

Step 11: no shutdown
  Purpose: Enables the WLAN.

Step 12: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Personal SAE with fast transition enabled

Starting from Cisco IOS® XE version 17.9.1, WPA3-Personal SAE with Fast Transition (SAE-FT) is supported. Follow the instructions below to configure the WLAN for WPA3 SAE-FT.

The following steps will create a WLAN with WPA3-Personal-level SAE security with Fast Transition enabled:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

5. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

Figure 18. Radio Policy configuration

6. Ensure that PMF is set to Required.

7. Enable Fast Transition.

8. Scroll down to the WPA Parameters. Check the WPA3 Policy, AES, and SAE checkboxes.

9. Enter the Pre-Shared Key and choose the PSK format from the PSK Format drop-down list and the PSK type from the PSK Type drop-down list.

10. Enable Hash to Element Only or HnP or both from the SAE Password Element drop-down.

Figure 19. WPA3 SAE with FT Enabled

WPA3-Personal SAE with fast transition enabled CLI configuration

The following steps will create a WLAN with WPA3-Personal-level security with Fast Transition enabled:

Table 9. WPA3-Personal SAE FT CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3 1 WPA3
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 4: security wpa wpa3
  Purpose: Enables WPA3.

Step 5: security ft
  Purpose: Enables 802.11r Fast Transition on the WLAN.

Step 6: no security wpa wpa2
  Purpose: Disables WPA2 security. PMF is disabled now.

Step 7: security wpa wpa2 ciphers aes
  Purpose: Enables AES/CCMP128 ciphers.

Step 8: security wpa psk set-key ascii value preshared-key
  Example: Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
  Purpose: Specifies a preshared key.

Step 9: security wpa akm sae
  Purpose: Enables AKM SAE support.

Step 10: security wpa akm sae pwe h2e
  Purpose: Enables H2E for password element generation.

Step 11: no shutdown
  Purpose: Enables the WLAN.

Step 12: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Personal transition mode

The WPA3-Personal Transition Mode, also known as WPA3+WPA2-Personal mixed mode, is used when some clients support only WPA2 and others support WPA3. WPA3-capable clients use WPA3-Personal's SAE, while WPA2-capable clients use WPA2-Personal's PSK.

Note: This mode should be used only when necessary. For maximum security, the recommended mode is to use only WPA3 and not a mix of WPA3 and WPA2.

The following steps will create a WLAN with WPA3+WPA2-Personal mixed-mode-level security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

5. Disable the 6 GHz band.

Figure 20. Radio configuration for Transition Mode

6. Choose the Security > Layer 2 tab. Choose WPA2 + WPA3 in the Layer 2 Security Mode drop-down list.

7. Ensure that PMF is set to Optional.

8. Disable Fast Transition.

Figure 21. Security, Encryption and AKM configuration

9. Scroll down to the WPA Parameters. Check the WPA2 Policy, WPA3 Policy, AES, PSK, and SAE checkboxes.

10. Enter the Pre-Shared Key and choose the PSK format from the PSK Format drop-down list and the PSK type from the PSK Type drop-down list.

11. Click Apply to Device to save and finish the WLAN creation process.

WPA3 Personal transition mode CLI configuration

The following steps will create a WLAN with WPA3+WPA2-Personal mixed-mode-level security:

Table 10. WPA3 Personal transition mode CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3 1 WPA3
  Purpose: Enters the WLAN configuration submode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 4: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 5: security wpa wpa2 ciphers aes
  Purpose: Configures the WPA2 cipher.
  Note: You can check whether the cipher is configured by using the no security wpa wpa2 ciphers aes command. If the cipher is not reset, configure the cipher.

Step 6: security wpa psk set-key ascii value preshared-key
  Example: Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
  Purpose: Specifies a preshared key.

Step 7: security wpa wpa3
  Purpose: Enables WPA3 support.
  Note: If both WPA2 and WPA3 are supported (SAE and PSK together), it is optional to configure PMF. However, you cannot disable PMF. For WPA3, PMF is mandatory.

Step 8: security wpa akm sae
  Purpose: Enables AKM SAE support.

Step 9: security wpa akm psk
  Purpose: Enables AKM PSK support.

Step 10: radio policy dot11 24ghz
  Purpose: Enables the 2.4-GHz band.

Step 11: radio policy dot11 5ghz
  Purpose: Enables the 5-GHz band.

Step 12: no shutdown
  Purpose: Enables the WLAN.

Step 13: end
  Purpose: Returns to the privileged EXEC mode.

WPA3-Personal transition mode disable

Transition Disable is an indication from an AP to a STA that the STA is to disable certain transition modes for subsequent connections to the AP's network.

A STA implementation might enable certain transition modes (and possibly other legacy security algorithms) in a network profile. For example, a WPA3-Personal STA might by default enable WPA3-Personal transition mode in a network profile, which enables a PSK algorithm. However, when a network (fully) supports the most secure algorithm defined in a transition mode, it can use the Transition Disable indication to disable transition modes for that network on a STA, and therefore provide protection against downgrade attacks.

Note: A network administrator might, in order to mitigate the risk of a downgrade attack, use the Transition Disable indication even when only a subset of APs in the corresponding network support the most secure algorithm. In such a case, the STA would connect only to the APs in the network that support the most secure algorithm. Since some multisite network deployments might be independently managed at each site, the configuration of the Transition Disable indication at one site needs to take into account the potential impact on STAs that might subsequently attempt to connect to APs with the same SSID at other sites.

Note: An AP that uses the Transition Disable indication is not required to disable the corresponding transition mode(s) on its own BSS. For example, the APs in a WPA3-Personal network might use the Transition Disable indication to ensure that all STAs that support WPA3-Personal are protected against downgrade attacks, while still enabling WPA3-Personal transition mode on its BSS so that legacy STAs can connect.
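The behaviour described in this section and in the WPA3-Enterprise Transition Disable section above, modelled as an added Python example that is not part of this guide: a STA profile that honours the indication only after a successful SAE association, the multi-site caveat (the same SSID at a site that still runs WPA2-only APs), and an AP that keeps transition mode on its BSS so a legacy STA is still served. The AKM names and the preference order are simplifications assumed here, not controller or client internals.

```python
from dataclasses import dataclass, field

# Order in which a WPA3-Personal STA picks an AKM when several are offered
# (assumed simplification: SAE is always preferred over PSK).
PREFERENCE = ("SAE", "PSK")


@dataclass
class NetworkProfile:
    """What a STA stores for one SSID: the AKMs it is still willing to use."""
    ssid: str
    akms: set = field(default_factory=lambda: {"SAE", "PSK"})  # transition mode on
    transition_disabled: bool = False


@dataclass(frozen=True)
class AccessPoint:
    site: str
    ssid: str
    akms: frozenset                 # AKMs advertised by the BSS
    sends_transition_disable: bool  # includes the Transition Disable indication


def choose_akm(profile, ap):
    """Most secure AKM that both the profile and the BSS still allow, else None."""
    for akm in PREFERENCE:
        if akm in profile.akms and akm in ap.akms:
            return akm
    return None


def connect(profile, ap):
    """Outcome of one association attempt; may update the STA's profile."""
    if profile.ssid != ap.ssid:
        return "wrong-ssid"
    akm = choose_akm(profile, ap)
    if akm is None:
        return "refused"        # nothing the profile still permits is offered
    if akm == "SAE" and ap.sends_transition_disable:
        # The indication is honoured only after a successful SAE association:
        # PSK is removed from the profile, so a PSK-only BSS with the same SSID
        # (a downgrade) is refused from now on.
        profile.akms.discard("PSK")
        profile.transition_disabled = True
    return f"connected:{akm}"


def multisite_scenario():
    """Site A sends Transition Disable; site B still runs WPA2-only APs."""
    sta = NetworkProfile("corp")
    legacy = NetworkProfile("corp", akms={"PSK"})           # WPA2-only client
    site_a = AccessPoint("A", "corp", frozenset({"SAE", "PSK"}), True)
    site_b = AccessPoint("B", "corp", frozenset({"PSK"}), False)
    outcomes = [
        connect(sta, site_b),     # before the indication: PSK still works
        connect(sta, site_a),     # SAE; indication received, profile updated
        connect(sta, site_b),     # same SSID at site B is now refused
        connect(legacy, site_a),  # AP keeps transition mode on, legacy STA served
    ]
    return outcomes, sta
```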

WPA3-Personal transition mode disable GUI configuration

The following steps will create a WLAN with WPA3-Personal-level security with Transition Disable:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons to have APs associated with this profile begin broadcasting this configured WLAN.

Figure 22. Radio/Slot configuration for Transition disable mode

5. Disable the 6-GHz band.

6. Enable the WPA2+WPA3 option under the Security tab.

7. Disable Fast Transition.

8. Scroll down to the WPA Parameters. Check the WPA2 and WPA3 Policy, AES, and SAE and PSK checkboxes as AKM.

9. Enter the Pre-Shared Key and choose the PSK format from the PSK Format drop-down list and the PSK type from the PSK Type drop-down list.

10. Let the PMF be Optional.

11. Enable the Transition Disable option in WPA Parameters.

Figure 23. Security and AKM configuration for Transition Disable mode

WPA3-Personal transition mode disable CLI configuration

Table 11. WPA3-Personal transition mode disable CLI configuration

Step 1: configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3-Personal-TMD 1 WPA3-Personal-TMD
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 4: security wpa wpa3
  Purpose: Enables WPA3.

Step 5: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6: security wpa wpa2
  Purpose: Enables WPA2 security. PMF is optional now.

Step 7: security wpa wpa2 ciphers aes
  Purpose: Enables AES/CCMP128 ciphers.

Step 8: security wpa psk set-key ascii value preshared-key
  Example: Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
  Purpose: Specifies a preshared key.

Step 9: security wpa akm sae
  Purpose: Enables AKM SAE support.

Step 10: security wpa akm psk
  Purpose: Enables AKM PSK support.

Step 11: transition-disable
  Purpose: Enables Transition Disable.

Step 12: radio policy dot11 24ghz
  Purpose: Enables the 2.4-GHz band.

Step 13: radio policy dot11 5ghz
  Purpose: Enables the 5-GHz band.

Step 14: no shutdown
  Purpose: Enables the WLAN.

Step 15: end
  Purpose: Returns to the privileged EXEC mode.

OWE

OWE is a security method for open wireless networks that adds encryption to protect the network from eavesdroppers. With OWE, the client and AP perform a Diffie-Hellman key exchange during the association exchange and use the resulting Pairwise Master Key (PMK) to conduct the 4-way handshake. Because it is paired with open-security networks, OWE can be used with regular open networks as well as those fronted by captive portals.

Figure 24. OWE endpoint and network handshake process

WPA3 OWE GUI configuration

The following steps will create a WLAN with WPA3 OWE security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and the WLAN ID will be populated automatically.

4. Enable the Status and Broadcast SSID toggle buttons.

Figure 25. WPA3 OWE Radio/Slot configuration

5. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

6. Select Disabled from the Fast Transition drop-down list.

Figure 26. OWE AKM configuration

7. Check the WPA3 Policy, AES (CCMP 128), and OWE checkboxes. Uncheck any other selected parameters.

8. Click Apply to Device to save and finish the WLAN creation process.

WPA3 OWE CLI configuration

The following steps will create a WLAN with WPA3 OWE security:

Table 12. WPA3 OWE CLI configuration

Step 1: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 2: wlan wlan-name wlan-id SSID-name
  Example: Device(config)# wlan WPA3 1 WPA3
  Purpose: Enters the WLAN configuration sub-mode.

Step 3: no security ft over-the-ds
  Purpose: Disables Fast Transition over the distribution system (DS) on the WLAN.

Step 4: no security ft
  Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 5: no security wpa akm dot1x
  Purpose: Disables the 802.1X AKM.

Step 6: no security wpa wpa2
  Purpose: Disables WPA2 security. PMF is disabled now.

Step 7: security wpa wpa2 ciphers aes
  Purpose: Enables WPA2 ciphers for AES.
  Note: The ciphers for WPA2 and WPA3 are common.

Step 8: security wpa wpa3
  Purpose: Enables WPA3 support.

Step 9: security wpa akm owe
  Purpose: Enables WPA3 OWE support.

Step 10: no shutdown
  Purpose: Enables the WLAN.

Step 11: end
  Purpose: Returns to the privileged EXEC mode.
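An added audit script, not part of this Cisco guide, that parses WLAN stanzas written with the CLI commands from Tables 3 to 12 and checks them against the recommendations this guide states: Transition Disable on mixed WPA2+WPA3 WLANs, H2E on 6-GHz-only SAE WLANs, and Fast Transition disabled on 192-bit WLANs. The sample configuration is constructed; the fresh-WLAN defaults it assumes (WPA2 on, AES, 802.1X AKM, adaptive FT) and the `radio policy dot11 6ghz` keyword are assumptions, not taken from this guide.

```python
import re

# Constructed sample in the shape of `show running-config | section wlan`, built
# from the CLI commands in the guide's tables (assumption: the controller echoes
# the commands as entered; `radio policy dot11 6ghz` is assumed for 6 GHz).
SAMPLE_CONFIG = """\
wlan wl-dot1x 4 wl-dot1x
 no security ft adaptive
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security wpa wpa2 ciphers gcmp256
 no security wpa akm dot1x
 security wpa wpa3
 no shutdown
wlan WPA3 1 WPA3
 no security wpa akm dot1x
 no security ft
 no security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa wpa3
 security wpa akm sae
 security wpa akm sae pwe hnp
 radio policy dot11 6ghz
 no shutdown
wlan WPA3+WPA2-Personal 2 WPA3+WPA2-Personal
 no security wpa akm dot1x
 no security ft
 security wpa wpa2 ciphers aes
 security wpa wpa3
 security wpa akm sae
 security wpa akm psk
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 no shutdown
"""


def new_wlan(name, wlan_id, ssid):
    # Assumed defaults of a fresh WLAN (why the guide's tables issue 'no' forms):
    # WPA2 on, AES cipher, 802.1X AKM, adaptive Fast Transition.
    return {"name": name, "id": int(wlan_id), "ssid": ssid, "wpa2": True,
            "wpa3": False, "ciphers": {"aes"}, "akms": {"dot1x"}, "pwe": None,
            "ft": "adaptive", "transition_disable": False, "radios": set()}


def parse_wlans(text):
    """Split running-config text into one state dictionary per WLAN."""
    wlans, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"wlan (\S+) (\d+) (\S+)", line)
        if m:
            wlans.append(cur := new_wlan(*m.groups()))
            continue
        if cur is None or not line:
            continue
        neg = line.startswith("no ")            # 'no' form removes the setting
        cmd = line[3:] if neg else line
        if cmd == "security wpa wpa3":
            cur["wpa3"] = not neg
        elif cmd == "security wpa wpa2":
            cur["wpa2"] = not neg
        elif (m := re.fullmatch(r"security wpa wpa2 ciphers (\S+)", cmd)):
            (cur["ciphers"].discard if neg else cur["ciphers"].add)(m.group(1))
        elif (m := re.fullmatch(r"security wpa akm sae pwe (\S+)", cmd)):
            cur["pwe"] = None if neg else m.group(1)
        elif (m := re.fullmatch(r"security wpa akm (\S+)", cmd)):
            (cur["akms"].discard if neg else cur["akms"].add)(m.group(1))
        elif cmd in ("security ft", "security ft adaptive"):
            cur["ft"] = "disabled" if neg else ("adaptive" if cmd.endswith("adaptive") else "enabled")
        elif cmd == "transition-disable":
            cur["transition_disable"] = not neg
        elif (m := re.fullmatch(r"radio policy dot11 (\S+)", cmd)):
            (cur["radios"].discard if neg else cur["radios"].add)(m.group(1))
    return wlans


def classify(w):
    """Name the mode from this guide that a WLAN state corresponds to."""
    if not w["wpa3"]:
        return "WPA2 only" if w["wpa2"] else "open"
    personal = bool(w["akms"] & {"sae", "psk"})
    if w["wpa2"]:
        return "WPA3-Personal transition" if personal else "WPA3-Enterprise transition"
    if "owe" in w["akms"]:
        return "OWE"
    if personal:
        return "WPA3-Personal SAE-FT" if w["ft"] == "enabled" else "WPA3-Personal"
    return "WPA3-Enterprise 192-bit" if "gcmp256" in w["ciphers"] else "WPA3-Enterprise"


def audit(w):
    """Return (mode, findings) against the recommendations stated in this guide."""
    mode, findings = classify(w), []
    if mode.endswith("transition") and not w["transition_disable"]:
        findings.append("transition mode without transition-disable (downgrade risk)")
    if "sae" in w["akms"] and w["radios"] == {"6ghz"} and w["pwe"] not in ("h2e", "both"):
        findings.append("6-GHz-only SAE WLAN needs pwe h2e; HnP is not usable on 6 GHz")
    if "gcmp256" in w["ciphers"] and w["ft"] != "disabled":
        findings.append("192-bit WLAN with Fast Transition not disabled")
    return mode, findings


def audit_config(text):
    return {w["name"]: audit(w) for w in parse_wlans(text)}
```

Running `audit_config(SAMPLE_CONFIG)` flags the 6-GHz-only SAE WLAN (HnP selected) and the mixed Personal WLAN (no `transition-disable`), and passes the 192-bit WLAN.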

WPA3 OWE transition mode GUI configuration

OWE Transition mode exists because not all devices support the Enhanced Open capability (refer to the device interoperability matrix). It is designed to make the Enhanced Open (OWE) mode easier to adopt, and the Wi-Fi Alliance recommends this strategy for deploying an Enhanced Open wireless network in an environment where not all devices support the mode. OWE Transition mode requires a separate open SSID configured with properties similar to those of the Enhanced Open OWE SSID. The OWE WLAN and the open WLAN each carry a corresponding Transition Mode WLAN ID: the OWE WLAN's Transition Mode ID is set to the open WLAN's ID, and the open WLAN's Transition Mode ID is set to the OWE WLAN's ID.

Part 1 - The following steps will create a hidden WLAN with WPA3 OWE security:

1. Navigate to Configuration > Tags and Profiles > WLANs.

2. Click Add.

3. In the General tab, enter the Profile Name (friendly identifier). The SSID and WLAN ID will be populated automatically.

4. Disable the Status and Broadcast SSID toggle buttons.

5. Note the WLAN ID of the WLAN.

Figure 27. Radio policy for OWE

6. Choose the Security > Layer 2 tab. Choose WPA3 in the Layer 2 Security Mode drop-down list.

7. Ensure that PMF is set to Required.

8. Select Disabled from the Fast Transition drop-down list.

9. Check the WPA3 Policy, AES (CCMP 128), and OWE checkboxes. Uncheck any other selected parameters.

10. Enter the Transition mode WLAN ID, which is the WLAN ID of the open SSID that will be configured next in Part 2.

Figure 28. OWE with Transition Mode ID configuration

11. Click Apply to Device to save and finish the WLAN creation process.

Part 2 - The following steps will create a WLAN with open security:

12. Navigate to Configuration > Tags and Profiles > WLANs.

13. Click Add.

14. In the General tab, enter the Profile Name (friendly identifier).

15. The SSID must match the enhanced open SSID. The WLAN ID will be populated automatically.

16. Enable the Status and Broadcast SSID toggle buttons.

Figure 29. WLAN Open Security configuration

17. Choose the Security > Layer 2 tab. Choose None in the Layer 2 Security Mode drop-down list.

Figure 30. OWE Transition Mode configuration

18. For the Transition Mode WLAN ID, enter the WLAN ID of the WLAN whose Layer 2 security is set to Enhanced Open (the OWE WLAN from Part 1), so that it is mapped to this open WLAN.

19. Click Apply to Device to save and finish the WLAN creation process.

WPA3 OWE Transition mode CLI configuration

Part 1 - The following steps will create a hidden WLAN with WPA3 OWE security:

Table 13. WPA3 OWE transition mode CLI configuration

Step 1. configure terminal
Purpose: Enters global configuration mode.

Step 2. wlan wlan-name wlan-id SSID-name
Example: Device(config)# wlan WPA3 1 WPA3
Purpose: Enters the WLAN configuration sub-mode.

Step 3. no broadcast-ssid
Purpose: Disables SSID broadcast (the OWE WLAN is hidden).

Step 4. no security ft over-the-ds
Purpose: Disables Fast Transition over the distribution system (DS) on the WLAN.

Step 5. no security ft
Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 6. no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 7. no security wpa wpa2
Purpose: Disables WPA2 security. PMF is disabled at this point.

Step 8. security wpa akm owe
Purpose: Enables the WPA3 OWE AKM.

Step 9. security wpa transition-mode-wlan-id 2
Purpose: Enables Transition mode, pointing at the open WLAN (ID 2) created in Part 2.

Step 10. security wpa wpa3
Purpose: Enables WPA3 support.

Step 11. no shutdown
Purpose: Enables the WLAN.

Step 12. end
Purpose: Returns to privileged EXEC mode.

Part 2 - The following steps will create the matching WLAN with open security (the open side of the OWE transition pair):

Step 13. configure terminal
Purpose: Enters global configuration mode.

Step 14. wlan wlan-name wlan-id SSID-name
Example: Device(config)# wlan WPA3-Open 2 WPA3
Purpose: Enters the WLAN configuration sub-mode.
Note: The SSID of the hidden WLAN and the open WLAN must be the same.

Step 15. no security ft over-the-ds
Purpose: Disables Fast Transition over the distribution system (DS) on the WLAN.

Step 16. no security ft
Purpose: Disables 802.11r Fast Transition on the WLAN.

Step 17. no security wpa akm dot1x
Purpose: Disables the 802.1X AKM.

Step 18. no security wpa
Purpose: Disables WPA security on the WLAN.

Step 19. no security wpa wpa2 ciphers aes
Purpose: Disables the AES cipher for WPA2.

Step 20. security wpa transition-mode-wlan-id 1
Purpose: Enables Transition mode, pointing back at the hidden OWE WLAN (ID 1).

Step 21. no shutdown
Purpose: Enables the WLAN.

Step 22. end
Purpose: Returns to privileged EXEC mode.
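As an added example (not code from the Cisco guide), the following Python script audits the WLAN blocks of a Catalyst 9800 running-config against the settings in Tables 12 and 13: it checks an OWE-only WLAN for the required commands, and an OWE transition pair for the shared SSID, the hidden/broadcast split and the mutual transition-mode WLAN IDs. The sample configuration embedded in the script is constructed, it assumes the commands appear in the running-config text exactly as entered in the tables (one wlan header per WLAN, terminated by a "!" line), and the function names are the example's own.

```python
"""Audit Catalyst 9800 WLAN config blocks for the OWE settings in Tables 12/13.

Added example, not code from the Cisco guide. Assumes the commands show up in
the running-config text exactly as entered in the tables.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not captured from a real controller): WLANs 1 and 2 form
# an OWE transition pair as in Table 13; WLAN 3 is an OWE-only WLAN that left
# the 802.1X AKM and Fast Transition at their defaults.
SAMPLE_CONFIG = """\
wlan WPA3 1 WPA3
 no broadcast-ssid
 no security ft
 no security wpa akm dot1x
 no security wpa wpa2
 security wpa akm owe
 security wpa transition-mode-wlan-id 2
 security wpa wpa3
!
wlan WPA3-Open 2 WPA3
 no security ft
 no security wpa akm dot1x
 no security wpa
 security wpa transition-mode-wlan-id 1
!
wlan Guest-OWE 3 Guest
 no security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa wpa3
 security wpa akm owe
!
"""

# Commands an OWE WLAN must carry, and the finding raised when one is missing.
OWE_REQUIRED = [
    ("security wpa wpa3", "WPA3 not enabled"),
    ("security wpa akm owe", "OWE AKM not enabled"),
    ("no security wpa wpa2", "WPA2 still enabled on an OWE WLAN"),
    ("no security wpa akm dot1x", "802.1X AKM still enabled"),
    ("no security ft", "Fast Transition still enabled"),
]


@dataclass
class Wlan:
    profile: str
    wlan_id: int
    ssid: str
    lines: list = field(default_factory=list)

    @property
    def transition_id(self):
        """WLAN ID named by 'security wpa transition-mode-wlan-id', or None."""
        for line in self.lines:
            m = re.fullmatch(r"security wpa transition-mode-wlan-id (\d+)", line)
            if m:
                return int(m.group(1))
        return None


def parse_wlans(config: str) -> dict:
    """Return {wlan_id: Wlan} for every wlan block in a running-config text."""
    wlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"wlan (\S+) (\d+) (\S+)", line)
        if header:
            current = Wlan(header.group(1), int(header.group(2)), header.group(3))
            wlans[current.wlan_id] = current
        elif line == "!":
            current = None
        elif current is not None and line:
            current.lines.append(line)
    return wlans


def audit_owe_wlan(w: Wlan) -> list:
    """Findings for a WLAN that is meant to be WPA3 OWE (Table 12)."""
    return [msg for cmd, msg in OWE_REQUIRED if cmd not in w.lines]


def audit_transition_pair(wlans: dict, owe_id: int) -> list:
    """Findings for an OWE WLAN and its partner open WLAN (Table 13)."""
    owe = wlans[owe_id]
    findings = audit_owe_wlan(owe)
    if "no broadcast-ssid" not in owe.lines:
        findings.append("OWE WLAN should be hidden (no broadcast-ssid)")
    partner = wlans.get(owe.transition_id)
    if partner is None:
        return findings + ["OWE WLAN has no valid transition-mode-wlan-id"]
    if partner.ssid != owe.ssid:
        findings.append("SSID of open WLAN differs from the OWE WLAN")
    if partner.transition_id != owe_id:
        findings.append("open WLAN does not map back to the OWE WLAN")
    if "no broadcast-ssid" in partner.lines:
        findings.append("open WLAN must broadcast the SSID")
    if "no security wpa" not in partner.lines:
        findings.append("open WLAN still has WPA security enabled")
    if "security wpa akm owe" in partner.lines or "security wpa wpa3" in partner.lines:
        findings.append("open WLAN must not enable WPA3 or OWE")
    return findings


def audit_config(config: str) -> dict:
    """Map each OWE WLAN ID to its findings; WLANs with a transition ID are audited as pairs."""
    wlans = parse_wlans(config)
    return {wid: (audit_transition_pair(wlans, wid) if w.transition_id
                  else audit_owe_wlan(w))
            for wid, w in wlans.items() if "security wpa akm owe" in w.lines}


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Running the script on the constructed sample reports WLAN 1 (and its partner WLAN 2) as clean and flags WLAN 3 for the 802.1X AKM and Fast Transition it never disabled; point audit_config at the output of show running-config to check a real controller.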

Client interoperability matrix

WPA3 supported AP modes and supported clients

Table 14. WPA3 supported AP modes and clients

Each protocol row lists support per AP mode (Local, Flex with central authentication, Flex with local authentication) and per client platform (Apple iOS 14.6, Samsung S21, Intel, Windows OS, MacOS, Cisco IOS®).

WPA3-Personal: WPA3-SAE AES CCMP128
- AP mode Local: Supported
- AP mode Flex (Central Auth): Supported
- AP mode Flex (Local Auth): Supported
- Apple (iOS 14.6): Supported. FT-SAE: Supported on iPhone 12
- Samsung S21: Supported. FT-SAE: Supported only on S21 Protos
- Intel: Supported (H2E only). FT-SAE: Supported in Linux WPA Supplicant (AX210)
- Windows OS: Starting in Windows 1903 (May 2019), with driver 21.10.x or later. FT-SAE: Not supported
- MacOS: Supported. FT-SAE: Not supported
- Cisco IOS: Supported. FT-SAE: Not supported

WPA3-Enterprise: WPA3-802.1x-SHA256 AES CCMP128
- AP mode Local: Supported
- AP mode Flex (Central Auth): Supported
- AP mode Flex (Local Auth): Supported
- Apple (iOS 14.6): Supported
- Samsung S21: Supported
- Intel: Supported: SHA256 and FT-OTA. Not supported: FT-ODS
- Windows OS: SHA256 + PMF broken in recent Windows 10 versions (Microsoft Ext_ID: 351413). Fixed in Windows 11 (Windows 21H2)
- MacOS: Supported
- Cisco IOS: Not supported

WPA3-Enterprise: GCMP128 SuiteB 1x
- AP mode Local: Supported
- AP mode Flex (Central Auth): Not supported
- AP mode Flex (Local Auth): Not supported
- Apple (iOS 14.6): Not supported
- Samsung S21: Not supported
- Intel: Not supported: GCMP128, FT-OTA, and FT-ODS
- Windows OS: Not supported
- MacOS: Not supported
- Cisco IOS: Not supported

WPA3-Enterprise: GCMP256 SuiteB 192-bit
- AP mode Local: Supported
- AP mode Flex (Central Auth): Not supported
- AP mode Flex (Local Auth): Not supported
- Apple (iOS 14.6): Supported
- Samsung S21: Supported
- Intel: Supported: GCMP256. Not supported: FT (both FT-OTA and FT-ODS)
- Windows OS: Starting in Windows 2004 (May 2020), with driver 21.90.3.x or later. SuiteB with FT: not supported on Windows
- MacOS: Supported only on M1
- Cisco IOS: Supported

OWE: WPA3-OWE AES CCMP128
- AP mode Local: Supported
- AP mode Flex (Central Auth): Supported
- AP mode Flex (Local Auth): Supported
- Apple (iOS 14.6): Not supported
- Samsung S21: Supported
- Intel: Supported: OWE Auth
- Windows OS: Starting in Windows 2004 (May 2020), with driver 21.90.3.x or later
- MacOS: Not supported
- Cisco IOS: Not supported

Useful Catalyst WLC CLI commands

To view system-level SAE statistics (successful SAE authentications, SAE authentication failures, ongoing SAE sessions, and SAE commits) and to confirm the message exchanges, use the following show command:

show wireless stats client detail

To view the WLAN summary details, use the following command:

show wlan summary

To view the correct AKM for a client that has undergone SAE authentication, use the following command:

show wireless client mac-address <xxxx.xxxx.xxxx> detail

To view a list of the PMK cache stored locally:

show wireless pmk-cache

Useful Catalyst AP CLI commands

Configure debugging of WPA3 on a client by entering this command:

debug client client-mac-address

Configure debugging of SAE events and details by entering this command:

debug sae {events | details} {enable | disable}

Article information

Author: Cheryll Lueilwitz

Last Updated: 03/05/2023
