eduroam + 6GHz + Vendors (Part 3)

In my third follow-up post, I’m going to dig into how to handle eduroam and 6GHz with different vendors. Two vendors currently stand out as being more eduroam friendly. I’ll explain more in a bit, but first, a recap.

My previous posts covered:

This post will cover:

  • Options for deploying eduroam in 6GHz from different vendors

My final post will cover:

As a quick recap of my previous post, which I highly recommend you read before proceeding: with some vendors, enabling a single SSID on the 6GHz radio requires you to enable full WPA3-Enterprise across the 2.4/5GHz bands as well. This is an issue with eduroam because we can’t use a different SSID on different bands and we don’t have control over the clients. Some clients will not connect to a full WPA3-Enterprise SSID, even though WPA3-Enterprise is just WPA2-Enterprise with Protected Management Frames being required.

How are Vendors Handling This?

Let’s dig into how the different vendors are providing solutions if any.

Any other vendor reading this, PLEASE consider implementing a solution similar to what Juniper and Aruba do, as I explain below, for your products!! This isn’t standard, but it solves a big migration issue!

Without further ado, below are my testing results with Juniper Mist, Aruba, Cisco, Ruckus, and Ubiquiti looking for the greatest compatibility with clients on eduroam.

Juniper Mist – THE BEST SOLUTION

In my first blog post, I threw out using Juniper Mist as one of the examples to show my flawed Dual SSID Profiles solution. Wes Purvis approached me afterwards and said they had a better solution. Juniper has built a working solution, for providing eduroam to the widest number of devices, into their product!

When you configure an SSID with WPA3 and 6GHz in Mist, they have a checkbox called “Enable WPA3+WPA2 Transition” that does something similar to my workaround while removing the flaws! Basically, it will advertise the appropriate RSN Information Element AKM to a device based on how the device associates. Juniper enables Transition Mode in the 2.4/5GHz bands and full WPA3-Enterprise only in the 6GHz band.

All devices that support 6GHz are going to support full WPA3-Enterprise, so they will join with full WPA3-Enterprise. Devices that do not support 6GHz but support WPA3-Enterprise are going to join the more secure Transition Mode in 2.4/5GHz. Devices that do not support Transition Mode generally will join 2.4/5GHz with WPA2-Enterprise without PMF. This is as close to a solution as we are going to get to ensure the highest level of compatibility.

A quick side note, when you enable WPA3 you receive the following notification. You need firmware v0.9.x or higher to use WPA3-Enterprise and have the Enable WPA3+WPA2 Transition option.

The PCAP I shared in my previous post, showing all 3 AKMs in the beacon, was captured using this feature from Juniper Mist in the 5GHz band. The difference that solves the flaws is that the AKMs are included in a single beacon instead of being separated into two different beacons across bands. That sets up the same keys for a single network, so 802.11r works; separating them into different Profiles creates different keys.

At this point, if you wanted to provide the widest support to as many clients as possible, Juniper is one of only two vendors with which I would even consider using eduroam in the 6GHz band, because of this option. Wes Purvis talked more about what they are finding in his presentation at WLPC Phoenix 2023.

Juniper’s solution isn’t a silver bullet. There may be issues with a very small number of clients. It DOES provide the widest backwards compatibility of any of the vendors I’ve looked at. They are one of only two vendors providing the ability to have Transition Mode on the legacy bands while using WPA3 in 6GHz without a Dual SSID Profile hack.

Wes Purvis and Peter Mackenzie talked recently about how Juniper is handling eduroam specifically during their latest webinar below. Wes has been leading the pack in helping to provide guidance in regard to eduroam. Even if you are not using Juniper Mist, I recommend you watch at least the beginning of this webinar to see them explain how Juniper is handling these issues.

UPDATE: I shared this post to Twitter and had a few people ask how Juniper Mist is handling things on the backend. Wes Purvis responded with the above tweet.

Another aside, Rowell Dionicio from Clear to Send did a test using Juniper’s OWE Transition Mode. It’s similar to how Juniper is handling the WPA3-Enterprise Transition Mode above. I recommend checking it out as well over on the Clear to Send Community pages if you have access to that.

Aruba – ANOTHER BEST SOLUTION

Back in January, I attended a small wireless conference retreat a couple of miles from the beautiful Bryce Canyon National Park here in the United States. We did some testing of Wi-Fi 6E and eduroam. Ferney Munoz and another friend at one of my schools brought their Aruba AP-635 6GHz APs to the retreat.

At the retreat, we only tested the Dual SSID Profiles that I talk about in my previous posts, and found the same flaws in that model. DO NOT DO a Dual SSID Profile on Aruba; there is a better way!!

Aruba is the second vendor, alongside Mist, with a solution to these issues, and the second one I would recommend for running eduroam in 6GHz with the most compatibility.

After a discussion on the Wifi Pros Slack channel and Twitter, plus testing by a friend, I discovered that Aruba also supports Transition Mode. With 8.11 firmware, Aruba handles Transition Mode on the 2.4/5GHz side similarly to how Juniper does, when using wpa3-aes-ccm-128 with full WPA3-Enterprise mode on 6GHz.

Scott Lester on the Wifi Pros Slack said the following: “in 8.11 we can use 1 VAP across 2.4/5/6 with transition mode enabled, the 6GHz radio will know to change AKM so the single VAP can be used. it will also know to change the MFPC/MFPR both to 1. it’s being ported to Instant 8.10 and 10.4 as well.”

Since I don’t have access to Aruba gear myself, my buddy, Doug Hales, tested it out on his Aruba gear and sent me these screenshots. He said that in 8.10 there is not a Transition Mode available when you select “wpa3-aes-ccm-128” encryption.

When you are running the 8.11 code, Aruba then has a Checkbox called “Enable backward compatibility” that turns on Transition Mode in the 2.4/5GHz band with full WPA3 on 6GHz. Doug says from initial testing there might be some bugs, but it seems to be working.

From Aruba’s 8.11.0.0 release notes found here:

Opmode-transition Support for WPA3
“ArubaOS allows users to disable the opmode-transition parameter for virtual APs to be deployed on 6 GHz bands using MFP.

Then on Twitter Kees P brought all of this to my attention in his tweets below:

From the discussion and testing by Doug Hales, Twitter, Slack, and Aruba’s release notes: if using firmware 8.11, you can do Transition Mode on the 2.4/5GHz side and full WPA3-Enterprise on the 6GHz side. This makes Aruba another viable solution for handling Transition Mode with eduroam and adds them to my list of vendors that I recommend using with 6GHz eduroam. This will provide the widest backwards client compatibility possible.

Cisco

At the Bryce Canyon retreat I mentioned above, we also tested some Cisco 6GHz APs using the Dual SSID Profile. Like the other tests, the Dual SSID Profile model is flawed. Unlike Juniper and Aruba above, Cisco does not allow using Transition Mode on the 2.4/5GHz side with full WPA3-Enterprise on the 6GHz side. When you enable a single SSID on 6GHz, it turns on full WPA3-Enterprise on the 2.4/5GHz side as well.

Luke Jenkins brought 20 Cisco 6GHz APs to the retreat. He configured them with the flawed Dual SSID Profiles solution, and we tested it out with several users at the retreat. We didn’t have any compatibility issues with anyone who connected on the 2.4/5GHz bands, but only a few of us had 6GHz-capable clients. We didn’t have major issues, BUT we didn’t enable 802.11r FT.

He did some testing and showed that a client has to associate with BOTH Profiles, as I explained in my previous post, before it will do a slow PMK Caching roam between the different bands. Dual SSID Profiles worked about the same as in my other testing, as long as 802.11r FT wasn’t enabled.

Luke later sent me the following documentation from Cisco that shows how Cisco handles WPA3-Enterprise when configured on a 6GHz SSID. They currently do not have a Transition Mode for the legacy bands with full WPA3-Enterprise on the same SSID in 6GHz. If you enable eduroam in 6GHz, you have to have full WPA3-Enterprise in the 2.4/5GHz bands with Cisco.

As mentioned in their documentation and shown below, “Disable the 6 GHz Radio Policy, as it is not supported” when configuring WPA3-Enterprise Transition Mode.

These screenshots below come from this Cisco documentation.

I also asked Eddie Forero on Twitter what he was seeing, and this was his response. As he mentions, splitting WPA3-Enterprise Transition Mode between 2.4/5GHz and 6GHz is not standardized.

https://twitter.com/HeyEddie/status/1626075785315631105?s=20

Extreme Networks

At WLPC Phoenix, I won an Extreme AP4000 AP during their evening presentation. Thanks to them for the AP; with it I’m able to test their solution at home.

Selecting “WPA3-802.1X” sets the Encryption Method to “CCMP (AES)”. There isn’t any way to provide a Transition Mode in the 2.4/5GHz side.

I’m glad to have just discovered that the issue below is fixed!!! Previously, there was a UI bug that only showed “AES 192-bit” in that Encryption Method dropdown, as shown below. Through packet captures, and confirmation from David Coleman that it was a bug, I found that the AP was actually using CCMP (AES) even though the dropdown was labeled 192-bit. As I explained in my previous post, eduroam says to NOT USE 192-BIT.
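Checking what a radio actually advertises, rather than trusting a UI label, comes down to decoding the RSN Information Element in a captured beacon: the AKM list, the pairwise ciphers, and the MFPC/MFPR capability bits. The following is an added example in Python, not code from the original post or from any of the vendors discussed. It classifies the three states the post keeps coming back to (WPA2-Enterprise without PMF, Transition Mode with PMF optional, full WPA3-Enterprise with PMF required), tells a genuine 192-bit Suite B RSNE from a CCMP-128 one, and flags whether an RSNE would even be legal on a 6GHz radio. The `build_rsne` helper, the sample RSNE bytes and their names are constructed for this example, and the 6 GHz rule in `allowed_on_6ghz` is my reading of 802.11ax, which you should verify against the standard.

```python
# Added example, not from the original post or any vendor: decode the RSN
# Information Element (RSNE) an AP advertises in beacons/probe responses and
# classify the enterprise mode it announces. All RSNE bytes are constructed.
import struct

RSN_ELEMENT_ID = 48
SUITE_OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
MFPR_BIT = 0x0040            # RSN Capabilities: PMF Required
MFPC_BIT = 0x0080            # RSN Capabilities: PMF Capable
AKM_NAMES = {1: "802.1X (SHA-1)", 3: "FT-802.1X", 5: "802.1X (SHA-256)",
             12: "802.1X Suite B 192-bit", 13: "FT-802.1X (SHA-384)"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
ENTERPRISE_AKMS = {1, 3, 5, 12, 13}

def _u16(body, off):
    # Little-endian 16-bit field, failing cleanly on truncation.
    if off + 2 > len(body):
        raise ValueError("truncated RSN IE at offset %d" % off)
    return struct.unpack_from("<H", body, off)[0]

def _suite(body, off):
    # Selector type of one 4-byte suite (OUI + type).
    if off + 4 > len(body) or body[off:off + 3] != SUITE_OUI:
        raise ValueError("bad or truncated suite selector at offset %d" % off)
    return body[off + 3]

def parse_rsne(ie: bytes) -> dict:
    """Parse a raw RSN IE (element ID, length, body) into its security fields."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN information element")
    body = ie[2:2 + ie[1]]
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    group = _suite(body, 2)
    n_pair = _u16(body, 6)
    pairwise = [_suite(body, 8 + 4 * i) for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = _u16(body, off)
    akms = [_suite(body, off + 2 + 4 * i) for i in range(n_akm)]
    off += 2 + 4 * n_akm
    # RSN Capabilities are optional; when absent, neither PMF bit is set.
    caps = _u16(body, off) if off + 2 <= len(body) else 0
    return {"group": CIPHER_NAMES.get(group, "type %d" % group),
            "pairwise": [CIPHER_NAMES.get(c, "type %d" % c) for c in pairwise],
            "akms": akms,
            "akm_names": [AKM_NAMES.get(a, "type %d" % a) for a in akms],
            "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}

def classify_enterprise(rsn: dict) -> str:
    """Post's rule: WPA3-Enterprise = 802.1X + PMF required; transition = PMF optional."""
    akms = set(rsn["akms"])
    if not akms & ENTERPRISE_AKMS:
        return "not an 802.1X network"
    if akms & {12, 13}:
        # Suite B 192-bit (the mode eduroam says not to use) must pair this
        # AKM with GCMP-256; anything else is a mislabeled configuration.
        if "GCMP-256" in rsn["pairwise"]:
            return "WPA3-Enterprise 192-bit"
        return "claims 192-bit AKM but ciphers are %s" % rsn["pairwise"]
    if "TKIP" in rsn["pairwise"]:
        return "WPA2-Enterprise (TKIP allowed, no WPA3)"
    if rsn["mfpc"] and rsn["mfpr"]:
        return "WPA3-Enterprise only (PMF required)"
    if rsn["mfpc"]:
        return "WPA3-Enterprise transition (PMF optional)"
    return "WPA2-Enterprise (no PMF)"

def allowed_on_6ghz(rsn: dict) -> bool:
    """My reading of the 802.11ax 6 GHz rules (verify against the standard): no
    SHA-1 AKM (00-0F-AC:1), no TKIP, PMF required. This is why a 6GHz radio
    has to switch AKM and set both MFPC and MFPR to 1."""
    return (1 not in rsn["akms"] and "TKIP" not in rsn["pairwise"]
            and rsn["mfpc"] and rsn["mfpr"])

def build_rsne(pairwise, akms, caps, group=4) -> bytes:
    """Assemble a constructed RSN IE for testing (not a captured frame)."""
    body = struct.pack("<H", 1) + SUITE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(SUITE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(SUITE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body

# Constructed RSNEs for what each band would advertise under the single-SSID
# scheme described above (legacy bands in transition mode, 6GHz full WPA3).
SAMPLES = {
    "2.4/5GHz transition": build_rsne([4], [1, 3, 5], MFPC_BIT),
    "6GHz WPA3 only": build_rsne([4], [5], MFPC_BIT | MFPR_BIT),
    "WPA2-Enterprise": build_rsne([4], [1], 0),
    "192-bit Suite B": build_rsne([9], [12], MFPC_BIT | MFPR_BIT, group=9),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        rsn = parse_rsne(ie)
        print(name, rsn["akm_names"], classify_enterprise(rsn), "6GHz-legal:", allowed_on_6ghz(rsn))
```

To use it on a real capture, pull the RSN IE bytes (tag number 48) out of a beacon from each band with your packet analyzer and pass them to `parse_rsne`; the legacy-band beacon of a working transition setup should come back as transition mode with PMF optional, and the 6GHz beacon as full WPA3-Enterprise with PMF required.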

Knowing now that it is not using WPA3-Enterprise 192-bit and that the bug is fixed, let’s look at how they handle WPA3-Enterprise with and without 6GHz radios.

First, here is how they handle WPA3-Enterprise when only using the 2.4/5GHz radios. Notice there is a slider that appears called “Transition Mode If Applicable”. It also says “Note: For WiFi 6E APs, if WiFi2 is selected, transition mode will not be enabled”.

Next, here is how their configuration looks when you enable the 6GHz radio checkbox. Notice the slider for “Transition Mode if applicable” disappears when you select the WiFi2 radio (6GHz only).

There is one more nuance when it comes to Extreme Networks. This could be construed as either a good or bad thing. You get this error when you attempt to set up Dual SSID Profiles.

As was discovered by Jan Reister, Extreme doesn’t allow you to create Dual SSID Profiles with the same name and broadcast name. That means the flawed Dual SSID Profile solution does not work with Extreme Networks. This isn’t necessarily a bad thing, because of the flaws with that solution. If Extreme Networks would provide the option to handle WPA3-Enterprise Transition Mode on the 2.4/5GHz side when 6GHz is enabled, all would be good with eduroam. That isn’t the case at the time of writing. Hopefully this changes.

The only option with Extreme if you want to use eduroam in 6GHz is to go all in with full WPA3-Enterprise. You’ll have to provide a separate Guest SSID for any clients that won’t connect to eduroam because of the WPA3-Enterprise and the Required Protected Management Frames.

Ruckus

I don’t have any Ruckus 6GHz gear to play with. I have access to a SmartZone and can only guess at the configuration. This may change for newer firmware on the SmartZone or if using their Cloud Controllers. If someone has access to 6GHz Ruckus Radios and a SmartZone and discovers anything different, let me know and I’ll update this section.

Ruckus greys out the “WPA2/WPA3-Mixed” button, as shown below, because I have 802.1X EAP selected as the Authentication Type. It appears that Ruckus doesn’t allow you to use Transition Mode if you select 802.1X EAP. That is telling about what we would get if we connected a 6GHz AP and tried to use it with eduroam: it suggests that they do not support WPA3 Transition Mode on the 2.4/5GHz side with full WPA3-Enterprise on the 6GHz side. I cannot say for certain, but it appears to be this way, especially since that behaviour is not standard.

I also attempted to configure the Dual SSID Profile model even though I don’t have 6GHz radios. There is one issue, but you can work around it on Ruckus: you cannot have two WLAN configurations with the same Name. You will get the following error when you attempt to save it.

You just have to change the Name field to be unique, as below. Make sure the SSID field is still set to eduroam, because it tries to change the SSID when you change the Name field. It will then let you save, and you can apply the different configurations to the appropriate radios.

As I said before, should you be doing this? That is questionable because of the issues with 802.11r FT and others that I explained in my part 2 blog post. This may be a valid solution, with 802.11r disabled, if you are worried about compatibility. Another solution is to have a separate Guest network for devices that can’t connect to WPA3-Enterprise. Whichever you choose, just be aware of the issues with each that I talked about previously.

Note: since I only have 802.11ac Wave 1 APs at this site, it gives me the above error when I select WPA3. That may be solved with newer firmware on the APs or the SmartZone.

Ubiquiti

For the last vendor I have to test, I purchased a couple of Ubiquiti UniFi U6-Enterprise APs because they were cheap and I wanted to build a 6GHz network at home. They were the test lab for my original post and the testing gear for the flawed Dual SSID Profiles solution. They do not have a Transition Mode available when configuring any network with WPA3-Enterprise; on Ubiquiti, Transition Mode is only available for WPA3-SAE networks. There is the option to set PMF to Optional if you select WPA2-Enterprise, which is very similar to Transition Mode, and that is how I have been configuring it. Like everyone else, the flawed solution works okay without FT and fails with FT enabled, with a full disassociation and association when roaming between bands. I dug into those details in my previous blog post, part 2.

Conclusion, What About Clients?

I know there are other vendors like Cambium and EnGenius. I do not have access to them for testing. If you find another vendor that can do Transition Mode on the 2.4/5GHz radios and full WPA3-Enterprise on the 6GHz side, let me know and I’ll add them.

My last post in this series is going to dig into clients. Testing of clients is far from complete, but I’ll talk about some of the testing that is being conducted. Ultimately, the reason we are using Transition Mode is that some clients MAY not connect to a WPA3-Enterprise network. Also, I’ve had people approach me about possible issues with downgrade protection mechanisms. I’ll dig into those details next.
