Cisco Talks Wi-Fi 7 MLO Security at MFD11

At Mobility Field Day 11, Cisco let us geek out a bit at the beginning with Nick Swiatecki. He came prepared, and not just because of his shirt covered in the Cisco logo. We got an excellent presentation on Wi-Fi 7 for Enterprise. Cisco treated us to a deep dive into Wi-Fi 7, nerdvana style. Cisco continues to do what they do best, which is why they are the networking leader. Most network engineers get their start with Cisco, so why not continue to purchase from the market leader? Let’s dig into what they offer and showed off at #MFD11.

There were many presentations about Wi-Fi 7 previously; they gave us great insights into what is coming, largely for the home. Nick talked about the details relevant to business and troubleshooting the next generation of Wi-Fi. In rewatching his presentation, I noticed a few details that will affect us as enterprises and want to highlight one such item.

Nick started things off by explaining Wi-Fi 7 in a concise and clear manner for all in attendance or watching. He talked about how PoE++ does not always mean you are getting the expected power. He dug into the different kinds of MLO in Wi-Fi 7 and talked about the differences for Standard Power clients. Many people have discussed those in depth at WLPC and other Mobility Field Day sessions.

Wi-Fi 7 and MLO Security

I want to focus on one thing that Nick mentioned about Security with Wi-Fi 7 and MLO.

Nick showed this slide and taught me something new about Wi-Fi 7 that I didn’t know beforehand. Just as with Wi-Fi 6e, WPA3-SAE, WPA3-Enterprise, and OWE are still required.

The issue arises in that we have to use the same security rules across bands. This may mean that we can no longer use Transition Modes if we have an SSID that is using Wi-Fi 7 MLO. In his slide he said “Every band in the MLD must use the same AKM (!)”.

The Wi-Fi Alliance WPA3 Specification Version 3.3 lists the following AKMs. This includes two new AKMs that I’ll discuss in a moment. Only Personal modes numbers 1, 2, 3 and 4 and Enterprise modes number 1 and 2 are allowed when using Wi-Fi 7 MLO.

End of Transition Modes?

As many of my long-time readers are aware, I wrote extensively over a year ago about the usage of Transition Modes with Wi-Fi 6e. Transition Modes broadcast two security AKMs at the same time. WPA3-Enterprise is super close to WPA2-Enterprise other than different AKMs. Transition Mode allows the super rare client that does not support WPA3-Enterprise to join the network on 2.4 and 5GHz while maintaining the WPA3-Enterprise AKM on 6GHz. It also lets the less rare clients that do not support WPA3-SAE or OWE join.

You must have the same AKM across 2.4, 5, and 6GHz for Wi-Fi 7 MLO to work for WPA3-SAE, WPA3-Enterprise, and OWE. This is because the AKM sets up the encryption rules that the client uses to authenticate and to roam between APs. Those rules have to be the same for a client to talk to both bands at the same time.

WPA3-SAE and OWE are where issues arise much more quickly. Moving to WPA3-SAE and OWE has not been as simple compared to WPA3-Enterprise. The recommendation is to use new SSIDs that are the same across bands for clients you want to use Wi-Fi 7 MLO.

As I’ll explain in a moment, traditional Transition Modes as we’ve known them are no longer going to be possible with MLO. We are not getting rid of Transition Modes. We just have new Transition Modes for moving between old and new WPA3-SAE versions.

What About eduroam?

This is a big deal for many higher education organizations. As I wrote recently as a follow-up to my eduroam series, after extensive testing, my recommendation is to use transition modes if you are risk averse. Since WPA2-Enterprise can’t exist on 6GHz, you will then possibly have a client using the WPA2-Enterprise AKM on 2.4 or 5GHz and WPA3-Enterprise on 6GHz. Most clients should join with the highest supported AKM, but it’s not guaranteed.

That said, almost everyone I’ve talked to has yet to see one of these devices on their actual eduroam networks. So it is super safe to enable full WPA3-Enterprise on eduroam and move on.

My recommendation for higher education networks wanting to deploy Wi-Fi 7 MLO networks is to just pull off the band-aid and go full WPA3-Enterprise. Obviously you should test and have a plan for the case of one of these super rare devices showing up, as I discussed in my previous posts.

New WPA3-SAE AKMs

With Wi-Fi 7 MLO comes some new Security AKMs for WPA3-SAE.

The Wi-Fi Alliance WPA3 Specification version 3.3 shows the following when it comes to WPA3-Personal.

A couple points of emphasis are where it says, “Wi-Fi 7 AP’s BSS Configuration shall enable AKM suite selector 00-0F-AC:24.”

Nick talked about this new AKM and said there may be interoperability issues for clients with these AKMs being broadcast at the same time. The WPA3 Specification calls this out when it says this:

“When AKM suite selector 00-0F-AC:24 is allowed to be selected, the STA should also allow AKM suite selector 00-0F-AC:8 to be selected for interoperability.”

This is the usage of a Transition Mode, so they are not completely gone. The difference is this Transition Mode is between versions of WPA3 (such as Wi-Fi 6e to Wi-Fi 7) and NOT between older versions such as WPA2-PSK and WPA3-SAE. This new Transition Mode is allowed, where the older Transition Modes are no longer allowed.
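To make the two rules above concrete (one AKM set on every band of the MLD, and the spec's advice to allow 00-0F-AC:8 wherever 00-0F-AC:24 is allowed), here is an added example that parses the RSN element each affiliated AP would advertise and lints the MLD against those rules. It is my own illustration, not Cisco's or the Wi-Fi Alliance's code; the `build_rsne` helper and the band names are constructed for the demo, and the allowed set is limited to WPA3-Personal and OWE selectors (enterprise is left out, since WPA2- and WPA3-Enterprise are told apart by PMF rather than by AKM number).

```python
"""Lint a Wi-Fi 7 MLD's per-link RSN elements against the MLO AKM rules
described in this post. Added example, not vendor or WFA code."""
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite-selector OUI 00-0F-AC
AKM = {2: "WPA2-PSK", 8: "SAE", 9: "FT-SAE", 18: "OWE",
       24: "SAE-EXT-KEY", 25: "FT-SAE-EXT-KEY"}
PRE_WPA3 = {2}                 # WPA2 selector that only appears in transition modes

def parse_rsne_akms(rsne: bytes) -> set:
    """Return the AKM suite-type numbers advertised in one RSN element (ID 48)."""
    eid, length, version = struct.unpack_from("<BBH", rsne, 0)
    if eid != 48 or version != 1 or length != len(rsne) - 2:
        raise ValueError("not a well-formed RSNE")
    off = 8                                    # past version + group data cipher suite
    (n_pair,) = struct.unpack_from("<H", rsne, off)
    off += 2 + 4 * n_pair                      # skip pairwise cipher suite list
    (n_akm,) = struct.unpack_from("<H", rsne, off)
    off += 2
    akms = set()
    for _ in range(n_akm):
        if rsne[off:off + 3] != OUI:
            raise ValueError("vendor-specific AKM selector not supported")
        akms.add(rsne[off + 3])
        off += 4
    return akms

def build_rsne(akms) -> bytes:
    """Constructed helper: CCMP-128 group and pairwise, RSN caps with MFPR|MFPC set."""
    suite = lambda t: OUI + bytes([t])
    body = struct.pack("<H", 1) + suite(4) + struct.pack("<H", 1) + suite(4)
    body += struct.pack("<H", len(akms)) + b"".join(suite(t) for t in akms)
    body += struct.pack("<H", 0x00C0)          # RSN capabilities: MFPR (bit 6) + MFPC (bit 7)
    return bytes([48, len(body)]) + body

def check_mld(links: dict) -> list:
    """links maps a band label (constructed) to that affiliated AP's RSNE bytes."""
    findings = []
    per_link = {band: parse_rsne_akms(r) for band, r in links.items()}
    if len({frozenset(a) for a in per_link.values()}) > 1:
        findings.append("AKM sets differ across links; MLO requires one AKM set on every band")
    for band, akms in per_link.items():
        if akms & PRE_WPA3:                    # WPA2/WPA3 transition mode is not MLO-capable
            names = ", ".join(AKM.get(t, str(t)) for t in sorted(akms))
            findings.append(f"{band}: WPA2 AKM advertised ({names}); not allowed in an MLD")
        if 24 in akms and 8 not in akms:       # WPA3 spec interoperability note quoted above
            findings.append(f"{band}: 00-0F-AC:24 without 00-0F-AC:8 may break interoperability")
    return findings
```

Feeding the checker a WPA2/WPA3 transition SSID (AKMs 2 and 8 on 2.4 and 5 GHz, 8 alone on 6 GHz) reports both the mismatched AKM sets and the WPA2 selectors, while the same SAE plus SAE-EXT-KEY set on all three bands passes clean.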

Nick doesn’t mention it, but there is also a Fast Transition mode of this new AKM as well, AKM 00-0F-AC:25.

OWE and MLO Testing

Lastly, Nick shared a good table that is useful when deploying OWE with Wi-Fi 7 MLO. He conducted some testing with a few Wi-Fi 7 clients that actually support MLO. These are new data points that will hopefully change with new driver updates. Transition Modes continue to exist for OWE because of the limited support amongst clients. You can only use OWE with Wi-Fi 7 MLO.

Moving Forward

I highly recommend anyone interested in the security types that are introduced with Wi-Fi 7 MLO to watch the session from Nick Swiatecki at Mobility Field Day 11 as well as all the sessions from Cisco at MFD11.

Wi-Fi continues to get more and more complex with each new version. Wi-Fi 7 and MLO are bringing some new things that Wi-Fi Engineers will need to understand. We thought we finally understood the new rules for Wi-Fi 6e and they are changing again with Wi-Fi 7.
