*** UPDATE 3/23/23 ***
In order to address some of the issues and to give a better explanation of some of the content below, I created a new post, Part 2, found at the link below:
In October 2022, I attended the Wireless LAN Professionals Conference (WLPC) in Prague, Czech Republic. It was an excellent conference. Prior to the conference, a few members of the Higher Ed community from various European countries and from the United States got into a discussion on Twitter about eduroam and 6 GHz. Those attending WLPC Prague held a special “Birds of a Feather” session to talk about eduroam.
One of the main focuses of the discussion was how to deploy eduroam in the 6 GHz band. Here is the problem that arises with eduroam and Wi-Fi 6E: WPA2-Enterprise vs WPA3-Enterprise. Operation in 6 GHz requires WPA3-Personal (SAE), WPA3-Enterprise, or OWE; WPA2 and open SSIDs are not permitted there. When WPA3 is enabled on an SSID profile, that profile applies WPA3/OWE on every band it is configured for (2.4/5/6 GHz), while some non-Wi-Fi 6E clients do not support WPA3 on the 2.4/5 GHz bands.
Some clients do not support WPA3-Enterprise. What do we do when we can’t control the clients joining our network? Usually the answer is to create a different SSID, but eduroam requires the SSID to be exactly “eduroam”, so that isn’t an option either. I finally got my hands on some more prosumer-grade (cough, Ubiquiti, cough) U6 Enterprise APs that support everything needed to start testing eduroam and 6 GHz. Here are my findings.
WPA2-Enterprise vs WPA3-Enterprise
Industry feedback from various sources suggests that the best solution is to rip the band-aid off and move everything to WPA3, avoiding transition mode, since many clients do not handle transition mode well. That isn’t an option with eduroam, where clients are often personal devices belonging to visitors from other universities and organizations.
Although not the only difference, the biggest difference between WPA2-Enterprise and WPA3-Enterprise is the requirement for Protected Management Frames (PMF, 802.11w). For WPA2-Enterprise, PMF is optional; WPA3-Enterprise* requires it (WPA3 also drops TKIP). Clients that do not support WPA3 often do not support PMF either, and an AP that requires PMF will refuse their association, which keeps them off the 2.4/5 GHz bands as well.
The Certified Wireless Security Professional CWSP-206 Study and Reference Guide discusses WPA3-Enterprise vs WPA2-Enterprise in Chapter 10. It says:
“In the new WPA3-Enterprise certification, Protected Management Frames are added to WPA2-Enterprise. WPA3-Enterprise states that all WPA3 connections SHALL negotiate PMF. That statement, concerning WPA2 Enterprise clients, can get confusing. Simply put, if a WPA2-Enterprise client is attempting to connect to a WPA3-Enterprise network and they are capable of successfully negotiating the use of PMF, the client now becomes a WPA3-Enterprise certified client… With this, the only difference between WPA2-Enterprise and WPA3-Enterprise is mandating the use of PMF” (CWSP-206 pg. 381 emphasis added).
This makes supporting eduroam easier but doesn’t solve the problem: in eduroam there may still be clients that don’t support PMF at all, and that is where the whole issue with eduroam and Wi-Fi 6E lies.
* As a quick aside, eduroam recommends that sites do NOT enable WPA3-Enterprise 192-bit mode. All my testing so far has been done with regular WPA3-Enterprise only. David Coleman goes into detail on the differences.
*** UPDATE ***
After posting this to Twitter and LinkedIn, Wes Purvis responded to my post. The multi-SSID approach below is still the workaround for some vendors (cough, Ubiquiti, cough); Juniper is aware of this issue and has built a partial resolution into their product. He talks about what they have learned since WLPC Phoenix in a post on Juniper’s website.
He shared: “Basically for Mist APs specifically we can support transition mode within a single WLAN template now. This avoids issues with fast roaming, if you have it enabled. And avoids double reporting from having two templates.”
Mist’s approach doesn’t necessarily resolve all the worry about clients that connect to eduroam. Transition modes open a security hole, as discussed in this presentation (at 9:48) at WLPC Prague, and a transition mode within a single template could carry the same issue. According to a few people, this approach may also add some fast roaming and reporting issues. Wes specifically calls out the recommendations from eduroam in the Juniper considerations post. Those recommendations do not completely handle the rollout and the protection of clients on the other bands. We still don’t have a cross-vendor, foolproof way to ensure complete Wi-Fi 6E and eduroam compatibility. I’m going to run some more tests and will share what I find.
*** UPDATE 2 ***
Jan Reister did some testing overnight with Extreme Networks gear. Here are his results:
It’s looking more and more like the multi-SSID option below is not a fully working solution for all vendors. There are issues with vendor support, 802.11r, and reporting.
A friend said that an Aruba representative said this might cause hard roams between bands. I didn’t see a hard roam when switching bands, but I need PCAPs to be sure. My test was within the same AP, so keys would not have had to move, and I have yet to test Fast Transition. I have two U6 Enterprise APs; I just need to force the roam and see the result.
Ben Toner from nOversight suggested looking at the logs from the iPad Pro using his tools. I did a capture and need to dig into the results. I also want to do some packet captures to see how the roam occurs. I’m going to continue testing this and will update as we discover more.
The OpenRoaming solution below is a tested and working solution in production at a few sites.
Industry Recommendations
A great explanation was given by Wes Purvis at WLPC Phoenix 2022 back in February, at about 19:00 in the following video. He specifically calls out eduroam as a problem at 22:40.
As Wes Purvis mentions, roaming between WPA2-Enterprise and WPA3-Enterprise actually works across bands, unlike the WPA2-Personal to WPA3-Personal (SAE) and open to OWE transition modes. The roam works because the two are so close: both use the same 802.1X/EAP authentication and key hierarchy and differ only in the PMF requirement, whereas SAE and OWE use entirely different key exchanges. That works in our favour, since eduroam is a WPA2-Enterprise or WPA3-Enterprise only network.
He also briefly mentions one solution that I missed the first 10 times I watched this video, until now. I’ll get to that in a moment. So what are our options to deploy eduroam in 6 GHz?
OpenRoaming to the Rescue
Before I move on to the solution that Wes mentioned, let me bring up a solution we thought up at WLPC Prague. Over the last few years, OpenRoaming has been gaining more and more traction. It is now available in some airports and at some organizations across the world.
Its goal is to bring the success of eduroam to a business model that anyone can use to authenticate to Wi-Fi networks, often as a means to offload cellular networks. If a client is configured properly with the geteduroam app or the eduroam CAT tool, our eduroam users can roam onto an OpenRoaming network and use its resources automatically, just like on a regular eduroam service provider network.
The solution we came up with in Prague was to implement OpenRoaming in the 6 GHz band and regular eduroam in the 2.4/5 GHz bands as we have been providing it. This may limit who can access the 6 GHz network, BUT it solves some of the problems because OpenRoaming isn’t SSID specific: it uses Hotspot 2.0/Passpoint, where the client matches the roaming consortium the AP advertises (via ANQP) rather than an SSID name, to authenticate users.
The problem is that there are a lot of redesigns and reconfigurations that come with the setup and migration to OpenRoaming. Not all clients are going to support OpenRoaming, or be set up for both eduroam and OpenRoaming by their home university.
Personally, I have been researching OpenRoaming for a couple of years, but a lot of the resources are behind paywalls that I don’t have the budget to reach. I’m working to roll out RadSec and the other requirements for OpenRoaming. This sounds like the direction eduroam is headed, and maybe one day we will roll out OpenRoaming across the board. Maybe OpenRoaming will get rid of eduroam-specific SSIDs altogether. That day is not here yet.
Separate eduroam and Organization SSIDs between bands
Another option, especially while Wi-Fi 6E is in its infancy, is to build the network so that 6 GHz is reserved for specific use cases outside eduroam: configure the university’s staff devices and IoT devices on 6 GHz and leave eduroam as a legacy service in the 2.4 and 5 GHz bands for students and for devices outside the university’s control.
This is a very valid option, and I believe some organizations will follow this model for the foreseeable future. I don’t believe it is a long-term play, especially in a school or university where the most important assets are our students. It is a good stopgap until the industry figures these problems out.
Cut Off Legacy Devices
A third option is the draconian one: cut off all legacy devices that don’t support WPA3-Enterprise from joining eduroam and use a separate guest network for those unsupported devices. While a possible solution, in reality this one has the least chance of working out well in the long run. The eduroam community does not recommend this step, and it goes against the reason universities decided to build a community eduroam network in the first place. It might be possible in a K-12 environment where you have more control over the devices, but at the end of the day it is a bad idea.
You Get eduroam and You Get eduroam: Multiple eduroam SSIDs
*** SEE UPDATES ABOVE THIS MAY NOT BE A VIABLE SOLUTION DUE TO VENDOR SUPPORT, 802.11r, AND REPORTING ISSUES ***
It was fitting that Wes Purvis shared all this about eduroam moments before Juniper’s Sudheer Matta pulled out his WLPC Oprah moment.
Now back to Wes Purvis’ remark during that presentation that I missed before and only recognized now that I’m doing this exact thing. He says:
“You can do two separate SSIDs and roaming should be okay”, right after he mentions that you can’t have “eduroam-6” or “eduroam-fast”. Almost contradictory, or is it?
So how is it that we can use multiple eduroam SSIDs, but we can’t name the SSID anything other than plain old vanilla eduroam? Take a look at the following two screenshots, first from Juniper Mist, then from Ubiquiti UniFi.
Two eduroam networks, both with the same SSID, eduroam. How is this possible? Let’s look at the details.
Juniper Mist shows right in that screenshot what is going on. Look at the Band and Security columns. One WLAN is applied to the 5 GHz band, the other to the 6 GHz band. The 5 GHz one has WPA2-Enterprise enabled without WPA3-Enterprise. The 6 GHz one has WPA3-Enterprise without WPA2-Enterprise. Two separate WLAN profiles, one per band, can share the SSID string because the SSID is only the name carried in the beacon; the security settings belong to the profile, not to the name.
Sadly, I still haven’t been able to get my hands on a Mist AP-45 that supports 6 GHz, so I’m unable to test this on Mist. But if my understanding of Wes Purvis’ comment in that video is correct, this should work.
When I get access to additional Wi-Fi 6E APs, I’ll try this on other vendors to see if you can do the same. I just have quick access to the configuration for these two for now. Next time I’m with Ferney Munoz in his man cave, I want to test this out with his Aruba 6 GHz AP.
Ubiquiti UniFi and 6 GHz eduroam
UniFi doesn’t show it very well in that screenshot with its generic “WPA Enterprise” label. Setting the WLAN to 6 GHz grays out every option other than WPA3 or OWE. The “6Ghz Mobile” entry in the AP Groups column is a label I created. So let’s dig deeper into the UniFi configuration below.
As I mentioned before, I have been able to get my hands on a couple of UniFi U6 Enterprise APs. So this one I can test, and I can verify that it works, as you will see below.
First, here is the full SSID configuration for the 2.4 and 5 GHz eduroam SSID. Notice it is configured for WPA2-Enterprise only and not WPA3-Enterprise. PMF is set to disabled, but it could be set to optional if an organization feels confident enough to add that protection to an eduroam network. If set to optional, as the CWSP quote above explains, a client that supports PMF negotiates it and is effectively upgraded to WPA3-Enterprise for that association, while other clients continue as plain WPA2-Enterprise without PMF. Optional PMF on this profile is what the Wi-Fi Alliance calls WPA3-Enterprise transition mode, so the transition-mode caveats from the updates above apply to it.
Next, the 6 GHz configuration is exactly the same except for the “WiFi Band” checkboxes, “Security Protocol” set to WPA3-Enterprise, and PMF required (UniFi doesn’t show it as an option, because WPA3-Enterprise implies it). Everything else is the same.
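The difference between the two eduroam profiles, and the PMF point the CWSP quote makes, comes down to a few bits in the RSN element that every beacon and association request carries: the AKM suite (802.1X for both WPA2-Enterprise and WPA3-Enterprise) and the MFPC/MFPR capability bits that turn “PMF disabled”, “PMF optional” and “PMF required” into WPA2-Enterprise, transition mode and WPA3-Enterprise. The Python below is an added example, not part of the original post and not UniFi or Mist code. It builds the RSNE for the two eduroam WLANs described above (constructed, not captured from an AP), labels each one, and applies the PMF association rule that decides whether a client with no PMF support can join. Suite type numbers and capability bits are taken from IEEE 802.11-2020; the profile labels and function names are this example’s own.

```python
"""RSN element (RSNE, element ID 48) builder/parser that labels a BSS the way an eduroam
planner needs: WPA2-Enterprise, WPA2-Enterprise with PMF optional (transition mode),
WPA3-Enterprise, or WPA3-Enterprise 192-bit. Layout follows IEEE 802.11-2020 9.4.2.24."""
import struct

RSNE_ID = 48
IEEE_OUI = b"\x00\x0f\xac"          # suite selectors defined by IEEE 802.11

# Cipher suite types (Table 9-149) and AKM suite types (Table 9-151) used here.
TKIP, CCMP_128, GCMP_256 = 2, 4, 9
AKM_8021X, AKM_FT_8021X, AKM_8021X_SHA256 = 1, 3, 5
AKM_SUITEB_192, AKM_FT_SUITEB_192 = 12, 13
ENTERPRISE_AKMS = {AKM_8021X, AKM_FT_8021X, AKM_8021X_SHA256, AKM_SUITEB_192, AKM_FT_SUITEB_192}
SUITEB_AKMS = {AKM_SUITEB_192, AKM_FT_SUITEB_192}

# RSN Capabilities field: bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable).
MFPR, MFPC = 1 << 6, 1 << 7


def build_rsne(group, pairwise, akms, mfpc, mfpr):
    """Return a complete RSNE (ID, length, body) using IEEE-OUI suite selectors."""
    body = struct.pack("<H", 1)                                        # RSN version 1
    body += IEEE_OUI + bytes([group])                                  # group data cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(IEEE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(IEEE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", (MFPC if mfpc else 0) | (MFPR if mfpr else 0))
    return bytes([RSNE_ID, len(body)]) + body


def parse_rsne(ie):
    """Decode an RSNE. Vendor-OUI suites come back as 'oui:type' strings rather than guesses."""
    if len(ie) < 2 or ie[0] != RSNE_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSNE")
    b = bytes(ie[2:2 + ie[1]])

    def suite(off):
        oui, stype = b[off:off + 3], b[off + 3]
        return stype if oui == IEEE_OUI else f"{oui.hex()}:{stype}"

    def suite_list(off):
        count, = struct.unpack_from("<H", b, off)
        return [suite(off + 2 + 4 * i) for i in range(count)], off + 2 + 4 * count

    version, = struct.unpack_from("<H", b, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = suite(2)
    pairwise, off = suite_list(6)
    akms, off = suite_list(off)
    # RSN Capabilities may be omitted from the element; absent means no PMF bits set.
    caps = struct.unpack_from("<H", b, off)[0] if off + 2 <= len(b) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(ie):
    """Name the enterprise security mode, using the PMF bits that separate WPA2-E from WPA3-E."""
    r = parse_rsne(ie)
    akms = {a for a in r["akms"] if isinstance(a, int)}
    if not akms & ENTERPRISE_AKMS:
        return "not 802.1X"
    if akms & SUITEB_AKMS:
        ok = r["mfpr"] and r["pairwise"] == [GCMP_256] and r["group"] == GCMP_256
        return "WPA3-Enterprise 192-bit" if ok else "invalid 192-bit profile"
    if TKIP in r["pairwise"] or r["group"] == TKIP:
        return "WPA2-Enterprise (TKIP allowed)"       # WPA3 forbids TKIP regardless of PMF bits
    if r["mfpc"] and r["mfpr"]:
        return "WPA3-Enterprise"
    if r["mfpc"]:
        return "WPA2-Enterprise (PMF optional)"       # what the WFA calls WPA3-E transition mode
    return "WPA2-Enterprise"


def client_can_associate(ap_ie, client_mfpc, client_mfpr=False):
    """PMF negotiation outcome (802.11-2020 12.6.3): 'required' vs 'incapable' cannot pair."""
    ap = parse_rsne(ap_ie)
    if ap["mfpr"] and not client_mfpc:
        return False    # AP rejects with status 31 (robust management frame policy violation)
    if client_mfpr and not ap["mfpc"]:
        return False    # client refuses an AP that cannot protect management frames
    return True


def allowed_on_6ghz(ie):
    """6 GHz permits only WPA3-class security, so a WPA2-only RSNE cannot be beaconed there."""
    return classify(ie) in ("WPA3-Enterprise", "WPA3-Enterprise 192-bit")


# Constructed profiles mirroring the two eduroam WLANs described above (not captured from an AP).
EDUROAM_2_4_5GHZ = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X], mfpc=False, mfpr=False)
EDUROAM_2_4_5GHZ_PMF_OPTIONAL = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X], mfpc=True, mfpr=False)
EDUROAM_6GHZ = build_rsne(CCMP_128, [CCMP_128], [AKM_8021X], mfpc=True, mfpr=True)
EDUROAM_192BIT = build_rsne(GCMP_256, [GCMP_256], [AKM_SUITEB_192], mfpc=True, mfpr=True)

if __name__ == "__main__":
    for name, ie in [("2.4/5 GHz eduroam", EDUROAM_2_4_5GHZ),
                     ("2.4/5 GHz eduroam, PMF optional", EDUROAM_2_4_5GHZ_PMF_OPTIONAL),
                     ("6 GHz eduroam", EDUROAM_6GHZ),
                     ("192-bit (not recommended by eduroam)", EDUROAM_192BIT)]:
        print(f"{name:38} {classify(ie):30} 6GHz={allowed_on_6ghz(ie)!s:5} "
              f"no-PMF client joins={client_can_associate(ie, client_mfpc=False)}")
```

Running it prints one row per profile: only the 6 GHz and 192-bit profiles are allowed in 6 GHz, and a client with no PMF support can join the PMF-disabled and PMF-optional 2.4/5 GHz profiles but is rejected by the 6 GHz one. Pointing `parse_rsne` at the RSNE from a real beacon capture (element ID 48) is the quickest way to confirm what a controller actually put on the air for each band, which the UniFi UI’s generic “WPA Enterprise” label does not tell you.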
Verifying 2.4/5/6 GHz Configuration
To show that my test AP is broadcasting eduroam in all three bands, here is a look at the WLANs configured on this U6 Enterprise AP. The eduroam SSID is broadcast on channel 101 at 160 MHz wide* in the 6 GHz band, on channel 64 at 40 MHz wide in 5 GHz, and on channel 11 at 20 MHz wide in the 2.4 GHz band.
* A quick aside: I’m testing some other things for a different blog post, so I’m currently using 160 MHz wide channels in 6 GHz. The recommendation is to use 80 MHz or 40 MHz channels in production environments.
Finally, to show that this is truly being broadcast, let’s use a WLAN Pi Pro and WiFi Explorer Pro 3 from Adrian Granados to verify it across all three bands: 6 GHz channel 101 at 160 MHz with WPA3-Enterprise, 5 GHz channel 64 at 40 MHz with WPA2-Enterprise, and 2.4 GHz channel 11 at 20 MHz with WPA2-Enterprise. The legacy PHYs (802.11a/b/g/n/ac) are supported on their respective bands, and 6 GHz carries 802.11ax only, since the standard allows no legacy PHYs there.
6 GHz Client Association
Finally, before I get into showing how a client connects, let me explain one more relevant item that Wes Purvis mentioned in his presentation. Discovery of networks operating in the 6 GHz band is tricky, and the problem comes down to time: there are so many 20 MHz channels in 6 GHz (59 across the full 1,200 MHz) that actively scanning each one takes a long time. So the standard came up with some ingenious ways of discovering 6 GHz SSIDs.
From Reduced Neighbor Report (RNR) elements in 2.4/5 GHz beacons to the other out-of-band discovery tools David Coleman talks about, clients use different forms of discovery and may support only one or another. Some clients aren’t working great, as we recently found out with Ferney Muñoz and others in our weekly Tes@s en Wifi working group in Spanish.
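To make out-of-band discovery concrete, here is an added Python example (not from the original post, and not Apple’s or any vendor’s code) that parses the Reduced Neighbor Report element a 5 GHz eduroam beacon can carry and lists the 6 GHz BSSs advertising the same SSID, which is exactly how a client can find the 6 GHz eduroam WLAN without scanning 6 GHz. The beacon body is constructed inline: the BSSIDs, channels and PSD values are made up, the Short SSID is computed as the standard’s CRC-32 of the SSID, and the operating classes are assumed to be from the global table (131 = 6 GHz with 20 MHz channel numbering, 81 = 2.4 GHz).

```python
"""Reduced Neighbor Report (RNR, element ID 201) parsing: how a client learns about a 6 GHz BSS
from a 2.4/5 GHz beacon. Layout follows IEEE 802.11-2020 9.4.2.170 with the 802.11ax TBTT
Information field (TBTT offset, BSSID, Short SSID, BSS Parameters, 20 MHz PSD)."""
import struct
import zlib

SSID_ID, RNR_ID = 0, 201


def short_ssid(ssid):
    """Short SSID = CRC-32 over the SSID octets (9.4.2.170.3), the same CRC-32 zlib computes."""
    return zlib.crc32(ssid) & 0xFFFFFFFF


def band_of(op_class):
    """Global operating classes (Annex E, Table E-4); assumes the AP uses the global table."""
    if 81 <= op_class <= 84:
        return "2.4 GHz"
    if 115 <= op_class <= 130:
        return "5 GHz"
    if 131 <= op_class <= 136:
        return "6 GHz"
    return "unknown"


def iter_ies(body):
    """Walk the (ID, length, value) elements of a management frame body."""
    pos = 0
    while pos + 2 <= len(body):
        eid, ln = body[pos], body[pos + 1]
        yield eid, body[pos + 2:pos + 2 + ln]
        pos += 2 + ln


def decode_tbtt(field, op_class, channel):
    """Decode one TBTT Information field; only the subfields present for its length are filled."""
    e = {"op_class": op_class, "channel": channel,
         "band": band_of(op_class), "tbtt_offset": field[0]}
    if len(field) >= 7:
        e["bssid"] = ":".join(f"{x:02x}" for x in field[1:7])
    if len(field) >= 11:
        e["short_ssid"] = struct.unpack_from("<I", field, 7)[0]
    if len(field) >= 12:
        params = field[11]                         # BSS Parameters bitmap
        e["same_ssid"] = bool(params & 0x02)       # B1: same SSID as the reporting AP
        e["upr_active"] = bool(params & 0x20)      # B5: unsolicited probe responses enabled
        e["colocated"] = bool(params & 0x40)       # B6: co-located with the reporting AP
    if len(field) >= 13:
        e["psd_dbm_per_mhz"] = struct.unpack_from("<b", field, 12)[0] / 2   # 0.5 dBm/MHz units
    return e


def parse_rnr(body):
    """Return one decoded entry per neighbor TBTT across all Neighbor AP Information fields."""
    entries, pos = [], 0
    while pos + 4 <= len(body):
        hdr, = struct.unpack_from("<H", body, pos)
        count = ((hdr >> 4) & 0x0F) + 1            # TBTT Information Count is stored minus one
        tbtt_len = hdr >> 8                        # TBTT Information Length in octets
        op_class, channel = body[pos + 2], body[pos + 3]
        pos += 4
        for _ in range(count):
            entries.append(decode_tbtt(body[pos:pos + tbtt_len], op_class, channel))
            pos += tbtt_len
    return entries


def discover_6ghz_same_ssid(beacon_body):
    """From a 2.4/5 GHz beacon, list the 6 GHz BSSs carrying the same SSID (Same-SSID bit set or
    Short SSID matching the beacon's own SSID). Returns (ssid, [entries])."""
    ssid, found = b"", []
    for eid, value in iter_ies(beacon_body):
        if eid == SSID_ID:
            ssid = bytes(value)
    for eid, value in iter_ies(beacon_body):
        if eid != RNR_ID:
            continue
        for e in parse_rnr(value):
            if e["band"] == "6 GHz" and (e.get("same_ssid") or e.get("short_ssid") == short_ssid(ssid)):
                found.append(e)
    return ssid.decode(errors="replace"), found


def build_rnr(neighbors):
    """Encode neighbors given as (op_class, channel, bssid_bytes, ssid, bss_params, psd_half_dbm)."""
    out = b""
    for op_class, channel, bssid, ssid, params, psd in neighbors:
        tbtt = (bytes([0xFF]) + bssid + struct.pack("<I", short_ssid(ssid))   # 0xFF: offset unknown
                + bytes([params]) + struct.pack("<b", psd))
        hdr = 0 | (0 << 4) | (len(tbtt) << 8)      # field type 0, one TBTT entry, length 13
        out += struct.pack("<H", hdr) + bytes([op_class, channel]) + tbtt
    return out


# Constructed 5 GHz "eduroam" beacon body (SSID, DS Parameter Set, RNR); not a real capture.
SAMPLE_RNR = build_rnr([
    (131, 101, bytes.fromhex("020000000601"), b"eduroam", 0x72, 10),   # 6 GHz, same SSID, co-located
    (131, 37,  bytes.fromhex("020000000602"), b"guest",   0x70, 10),   # 6 GHz, different SSID
    (81,  11,  bytes.fromhex("020000000201"), b"eduroam", 0x52, 0),    # 2.4 GHz radio, same SSID
])
SAMPLE_BEACON_BODY = (bytes([SSID_ID, 7]) + b"eduroam"
                      + bytes([3, 1, 64])                   # DS Parameter Set: channel 64
                      + bytes([RNR_ID, len(SAMPLE_RNR)]) + SAMPLE_RNR)

if __name__ == "__main__":
    ssid, bsses = discover_6ghz_same_ssid(SAMPLE_BEACON_BODY)
    for e in bsses:
        print(f"{ssid}: 6 GHz BSS {e['bssid']} on channel {e['channel']} (op class {e['op_class']})")
```

The sample beacon advertises three neighbors, but only the 6 GHz entry for “eduroam” is returned: the 2.4 GHz radio is filtered by band and the 6 GHz “guest” BSS neither sets the Same-SSID bit nor matches the Short SSID. When checking a real deployment, feed `parse_rnr` the element-ID-201 payload from a 5 GHz beacon capture; if the 6 GHz eduroam WLAN is missing from it, clients that rely on RNR for discovery will never see it.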
Jiri Brejcha wrote a blog post about how the iPad Pro 2022 discovers 6 GHz networks.
So, using a brand new iPad Pro 2022, I connected to the eduroam network. With this setup, it seems to connect to the 5 GHz eduroam network first. It’s the quickest network that it finds, and it gets me on the network.
After a few minutes, I looked at the Apple Wi-Fi Diagnostics profile page again and saw the following:
My iPad Pro had roamed from the 5 GHz eduroam over to the 6 GHz eduroam network (channel 101, 160 MHz, WPA3-Enterprise). The roam between WPA2-Enterprise and WPA3-Enterprise worked perfectly. I wouldn’t have even noticed if I weren’t looking for it. I don’t need band steering; my iPad Pro moved over to the 6 GHz band on its own.
As others quickly discovered when they bought the Apple iPad Pro 2022, iPadOS complains about SSIDs that exist only in the 6 GHz band. To get the screenshot below, I had to trigger that by creating a separate 6 GHz-only SSID. The same would happen on the iPad Pro if you created a 6 GHz-only eduroam SSID.
Using this method with eduroam, one SSID profile for 2.4/5 GHz and a second for 6 GHz, doesn’t cause that issue. The iPad Pro sees the same SSID name in both 5 GHz and 6 GHz, so it doesn’t complain, as you can see in the screenshot below (the error above would appear at the top of it). This is also a win!
To me this is an acceptable solution to the problem. I get online, and while I don’t get the fastest band right off the bat, I’m online. It leaves it up to my client to choose which band to use, but it can use eduroam in the 6 GHz band with few problems. With the limitations required by eduroam, this is the best possible solution without requiring a full switch to WPA3-Enterprise.
Additional 6 GHz eduroam Issue
Jiri Brejcha, in another blog post, covered a further problem that might arise here. Devices prefer one band over another depending on many factors. Through his testing, Jiri discovered how Apple chooses which band to use in different scenarios, one factor being channel width: Apple prefers 80 MHz over 40 MHz when it chooses to connect to the 6 GHz band.
In networks that don’t or can’t use 80 MHz wide channels in 6 GHz, especially in Europe, where eduroam is used extensively and only 500 MHz of the band is available rather than the full 1,200 MHz, there might be no client preference to roam to the 6 GHz network. This is a problem that the OpenRoaming initiative may solve, so going down that road might be best for universities and organizations in Europe and other countries that can’t use full 80 MHz channels and don’t have the full 1,200 MHz of spectrum.
2.4/5 GHz Client Association
The best part about using multiple eduroam SSIDs on different bands is that it doesn’t change our legacy 2.4 and 5 GHz bands. Our regular non-Wi-Fi 6E devices can continue to connect to those bands without issue. You don’t have to enable Protected Management Frames, and things stay status quo. But for devices that support the 6 GHz band, you’ve just opened a whole new freeway for your users.
Below is a screenshot from my MacBook Pro connected to the WPA2-Enterprise 5 GHz eduroam SSID while the 6 GHz one is being broadcast at the same time. It doesn’t know that a 6 GHz WPA3-Enterprise network exists, because it doesn’t support 6 GHz, but it doesn’t care either. Obviously, my MacBook Pro is new enough that there shouldn’t be issues whether I enable 802.11w or WPA3-Enterprise, as it supports those technologies. Clients that I have no control over, and whose support for 802.11w or WPA3-Enterprise I don’t know, are not an issue.
If I have a client configured for eduroam that doesn’t support 6 GHz or PMF, it should connect to the 2.4/5 GHz bands as long as it supports WPA2-Enterprise. Clients that support 6 GHz will connect to eduroam on whichever band they decide is best, with either WPA2-Enterprise or WPA3-Enterprise. 6 GHz eduroam clients are better protected because of the PMF requirement in 6 GHz. Everything works!
All in all, this is a win-win solution to this major issue, barring the band preference issue. Next week I’ll be at a small local wireless education conference I’m helping to run. Most attendees have eduroam accounts, and we are going to provide eduroam. I’m going to try standing up the 2.4/5 GHz and 6 GHz eduroam SSIDs and see if there are issues for our users at the conference. Bring on that dedicated fast lane!
My next post in this series digs deeper into the solutions above with packet captures.