The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure Wi-Fi 6E WLAN Layer 2 security and what to expect on different clients.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The key thing to know is that Wi-Fi 6E is not an entirely new standard, but an extension. At its base, Wi-Fi 6E is an extension of the Wi-Fi 6 (802.11ax) wireless standard into the 6-GHz radio-frequency band.
Wi-Fi 6E builds on Wi-Fi 6, which is the latest generation of the Wi-Fi standard, but only Wi-Fi 6E devices and applications can operate in the 6-GHz band.
Wi-Fi 6E uplevels security with Wi-Fi Protected Access 3 (WPA3) and Opportunistic Wireless Encryption (OWE) and there is no backward compatibility with Open and WPA2 security.
WPA3 and Enhanced Open Security are now mandatory for Wi-Fi 6E certification and Wi-Fi 6E also requires Protected Management Frame (PMF) in both AP and Clients.
When configuring a 6GHz SSID there are certain security requirements that must be met:
WPA3 is designed to improve Wi-Fi security by enabling better authentication over WPA2, providing expanded cryptographic strength and increasing the resiliency of critical networks.
Key features of WPA3 include:
WPA3 is about continuous security development and conformance as well as interoperability.
There is no Information Element that designates WPA3 (same as WPA2). WPA3 is defined by AKM/Cipher Suite/PMF combinations.
On the 9800 WLAN configuration, you have 4 different WPA3 encryption algorithms you can use.
They are based on Galois/Counter Mode Protocol (GCMP) and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP): AES (CCMP128), CCMP256, GCMP128 and GCMP256:
PMF
PMF is activated on a WLAN when you enable PMF.
By default, 802.11 management frames are unauthenticated and hence not protected against spoofing. Infrastructure Management Protection Frame (MFP) and 802.11w protected management frames (PMF) provide protection against such attacks.
Authentication Key Management
These are the AKM options available in the 17.9.x version:
Note that there is no "FT + 802.1x-SHA256" in the GUI. This is because:
If you want to support only FT client, you can have a WPA3 SSID with only “FT+802.1x”. If you want to support both FT and non-FT clients you can have a WPA3 SSID with FT+802.1x and 802.1x-SHA256.
In summary, there is no different AKM for FT on 802.1x for WPA3 as the existing one was already WPA3 compliant.
Below table shows the different AKM values defined in IEEE Std 802.11™‐2020 document.
Please note that AKM 8 & 9 are used with SAE, AKM 1,3,5,11 are used for WPA3-Enterprise only or WPA3-Enterprise transition, AKM 12,13 are for WPA3-Enterprise using 192-bit, and AKM 18 for Enhanced Open (OWE).
OUI |
Suite Type |
Authentication Type |
Description |
00-0F-AC |
0 |
Reserved |
Reserved |
00-0F-AC |
1 |
Std 802.1x – SHA1 |
Authentication negotiated over IEEE Standard 802.1X supporting SHA1 |
00-0F-AC |
2 |
PSK – SHA-1 |
Pre-shared key supporting SHA1 |
00-0F-AC |
3 |
FT over 802.1x – SHA256 |
Fast Transition authentication negotiated over IEEE Std 802.1X supporting SHA256 |
00-0F-AC |
4 |
FT over PSK – SHA256 |
Fast Transition authentication using PSK supporting SHA-256 |
00-0F-AC |
5 |
Std 802.1x – SHA256 |
Authentication negotiated over IEEE Std 802.1X |
00-0F-AC |
6 |
PSK – SHA256 |
Pre-shared key supporting SHA256 |
00-0F-AC |
7 |
TDLS |
TPK Handshake supporting SHA256 |
00-0F-AC |
8 |
SAE – SHA256 |
Simultaneous Authentication of Equals using SHA256 |
00-0F-AC |
9 |
FT over SAE – SHA256 |
Fast Transition over Simultaneous Authentication of Equals using SHA256 |
00-0F-AC |
10 |
APPeerKey Authentication - SHA256 |
APPeerKey Authentication with SHA-256 |
00-0F-AC |
11 |
Std 802.1x SuiteB – SHA256 |
Authentication negotiated over IEEE Std 802.1X using a Suite B compliant EAP method supporting SHA-256 |
00-0F-AC |
12 |
Std 802.1x SuiteB – SHA384 |
Authentication negotiated over IEEE Std 802.1X using a CNSA Suite compliant EAP method supporting SHA384 |
00-0F-AC |
13 |
FT over 802.1x – SHA384 |
Fast Transition authentication negotiated over IEEE Std 802.1X supporting SHA384 |
00-0F-AC |
14 |
FILS with SHA256 & AES-SIV-256 |
Key management over FILS using SHA-256 and AES-SIV-256, or Authentication negotiated over IEEE Std 802.1X |
00-0F-AC |
15 |
FILS with SHA384 & AES-SIV-512 |
Key management over FILS using SHA-384 and AES-SIV-512, or Authentication negotiated over IEEE Std 802.1X |
00-0F-AC |
16 |
FT over FILS (SHA256) |
Fast Transition authentication over FILS with SHA-256 and AES-SIV-256 or authentication negotiated over IEEE Std 802.1X |
00-0F-AC |
17 |
FT over FILS (SHA384) |
Fast Transition authentication over FILS with SHA-384 and AES-SIV-512, or authentication negotiated over IEEE Std 802.1X |
00-0F-AC |
18 |
Reserved |
Used for OWE by WiFi Alliance |
00-0F-AC |
19 |
FT over PSK – SHA384 |
Fast Transition authentication using PSK with SHA384 |
00-0F-AC |
20 |
PSK-SHA384 |
Pre-shared key supporting SHA384 |
00-0F-AC |
21-255 |
Reserved |
Reserved |
00-0F-AC |
Any |
Vendor-specific |
Vendor-specific |
To note that some AKM refer “SuiteB” which is a set of cryptographic algorithms (to provide 128 bit and 192 bit security strength) defined by NSA (National Secuirty Agency) in 2005. NSA replaced Suite B with CNSA (Commercial National Security Algorithm Suite), to provide min 192 bit security, in 2018. WPA3-Enterprise 192-bit mode uses AES-256-GCMP encryption and use CNSA approved cipher suites listed below:
OWE
Opportunistic Wireless Encryption (OWE) is an extension to IEEE 802.11 that provides encryption of the wireless medium (IETF RFC 8110). The purpose of OWE based authentication is avoid open unsecured wireless connectivity between the AP’s and clients. The OWE uses the Diffie-Hellman algorithms based Cryptography to setup the wireless encryption. With OWE, the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise master key (PMK) secret with the 4-way handshake. The use of OWE enhances wireless network security for deployments where Open or shared PSK based networks are deployed.
SAE
WPA3 use a new authentication and key management mechanism called Simultaneous Authentication of Equals. This mechanism is further enhanced through the use of SAE Hash-to-Element (H2E).
SAE with H2E is mandatory for WPA3 and Wi-Fi 6E.
SAE employs a discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.
An offline dictionary attack is where an adversary attempts to determine a network password by trying possible passwords without further network interaction.
When the client connects to the access point, they perform an SAE exchange. If successful, they create each a cryptographically strong key, from which the session key is derived. Basically a client and access point goes into phases of commit and then confirm.
Once there is a commitment, the client and access point can then go into the confirm states each time there is a session key to be generated. The method uses forward secrecy, where an intruder could crack a single key, but not all of the other keys.
Hash-to-Element (H2E)
Hash-to-Element (H2E) is a new SAE Password Element (PWE) method. In this method, the secret PWE used in the SAE protocol is generated from a password.
When a station (STA) that supports H2E initiates SAE with an AP, it checks whether AP supports H2E. If yes, the AP uses the H2E to derive the PWE by using a newly defined Status Code value in the SAE Commit message.
If STA uses Hunting-and-Pecking (HnP), the entire SAE exchange remains unchanged.
While using the H2E, the PWE derivation is divided into these components:
Derivation of a secret intermediary element (PT) from the password. This can be performed offline when the password is initially configured on the device for each supported group.
Derivation of the PWE from the stored PT. This depends on the negotiated group and MAC addresses of peers. This is performed in real-time during the SAE exchange.
Note: 6-GHz supports only Hash-to-Element SAE PWE method.
WPA-Enterprise aka 802.1x
WPA3-Enterprise is the most secure version of WPA3 and uses a username plus password combination with 802.1X for user authentication with a RADIUS server. By default, WPA3 uses 128-bit encryption, but it also introduces an optionally configurable 192-bit cryptographic strength encryption, which gives additional protection to any network transmitting sensitive data.
WPA3 192-bit security shall be exclusive for EAP-TLS, which shall require certificates on both the supplicant and RADIUS server.
To use WPA3 192-bit enterprise, the RADIUS servers must use one of the permitted EAP ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
To know more about detailed information about WPA3 implementation in Cisco WLANs, including client security compatibility matrix, please feel free to check the WPA3 Deployment Guide.
You can find which product support WPA3-Enterprise using WiFi Alliance webpage product finder.
On windows devices you can verify what are the security settings supported by the adapter using the command "netsh wlan show drivers".
Here you can see the output of Intel AX211:
Netgear A8000:
Android Pixel 6a:
Samsung S23:
Based on the previous outputs, we can conclude this table:
In this section, it is shown the basic WLAN configuration. The Policy Profile used is always the same using Central Association/Authentication/DHCP/Switching.
Later in the doc, it is shown how to configure each Wi-Fi 6E Layer 2 Security combination and how to verify the configuration and expected behavior.
Remember that Wi-Fi 6E requires WPA3, and these are the restrictions for WLAN Radio Policy:
WLAN is pushed to all the radios only if one of the configuration combination is used:
WPA3 + AES cipher + 802.1x-SHA256 (FT) AKM
WPA3 + AES cipher + OWE AKM
WPA3 + AES cipher + SAE (FT) AKM
WPA3 + CCMP256 cipher + SUITEB192-1X AKM
WPA3 + GCMP128 cipher + SUITEB-1X AKM
WPA3 + GCMP256 cipher + SUITEB192-1X AKM
The WLAN was configured with 6GHz only Radio Policy and UPR (Broadcast Probe Response) discovery method:
In this section it is presented the security configuration and client association phase using these WPA3 protocol combinations:
Note: Even though there are no clients supporting GCMP128 cipher + SUITEB-1X as of writting this document, it was tested to observe it being broadcasted and check the RSN info in the beacons.
This is the WLAN Security configuration:
View on WLC GUI of the WLAN Security settings:
Here we can observe Wi-Fi 6E clients connection process:
Intel AX211
Here we show the complete connection process of client Intel AX211.
OWE Discovery
Here you can see the beacons OTA. The AP advertises support for OWE using AKM suite selector for OWE under RSN information element.
You can see AKM suite type value 18 (00-0F-AC:18) that indicates OWE support.
If you look at RSN capabilities field, you can see AP is advertising both Management Frame Protection (MFP) capabilities and MFP required bit set to 1.
OWE Association
You can see the UPR sent in broadcast mode and then the association itself.
The OWE starts with the OPEN authentication request and response:
Then, a client that wants to do OWE must indicate OWE AKM in the RSN IE of Association Request frame and include Diffie Helman (DH) parameter element:
After the association response we can see the 4-way handshake and client moves to connected state.
Here you can see the client details on the WLC GUI:
NetGear A8000
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Pixel 6a
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Samsung S23
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Detailed configuration and troubleshooting of OWE Transition Mode available in this document: Configure Enhanced Open SSID with Transition Mode - OWE.
WLAN Security configuration:
Note: Keep in mind that Hunting and Pecking is not allowed with 6 GHz radio policy. When you configure a 6GHz only WLAN, you must select H2E SAE Password Element.
View on WLC GUI of the WLAN Security settings:
Verification of beacons OTA:
Here we can observe Wi-Fi 6E clients associating:
Intel AX211
Connection OTA with focus on the RSN information from client:
Client details in WLC:
NetGear A8000
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Pixel 6a
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Samsung S23
Connection OTA with focus on the RSN information from client:
Client details in WLC:
WLAN Security configuration:
Caution: In the Authentication Key Management, the WLC allows to select FT+SAE without SAE enabled, however it was observed the clients were not able to connect. Always enable both check boxes SAE and FT+SAE if you want to use SAE with Fast Transition.
View on WLC GUI of the WLAN Security settings:
Verification of beacons OTA:
Here we can observe Wi-Fi 6E clients associating:
Intel AX211
Connection OTA with focus on the RSN information from client:
Roaming event where you can see the PMKID:
Client details in WLC:
NetGear A8000
Connection OTA with focus on the RSN information from client. Initial connection:
Client details in WLC:
Pixel 6a
Device was not able to roam when FT is enabled.
Samsung S23
Device was not able to roam when FT is enabled.
WLAN Security configuration:
View on WLC GUI of the WLAN Security settings:
Here we can see the ISE Live logs showing the authentications coming from each device:
Beacons OTA look like this:
Here we can observe Wi-Fi 6E clients associating:
Intel AX211
Connection OTA with focus on the RSN information from client on a roaming event:
An interesting behavior happens if you manually delete the client from the WLAN (from WLC GUI for example). The client receives a disassociation frame but tries to reconnect to the same AP and uses a re-association frame followed by a complete EAP exchange because the client details were deleted from the AP/WLC.
This is basically the same frame exchange as in a new Association process. Here you can see the frame exchange:
Client details in WLC:
This client was also tested using FT over the DS and was able to roam using 802.11r:
We can also see the FT roaming events:
And client ra trace from wlc:
NetGear A8000
WPA3-Enterprise is not supported on this client.
Pixel 6a
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Focus on the roam type Over the Air where we can see the roam type 802.11R:
Samsung S23
Connection OTA with focus on the RSN information from client:
Client details in WLC:
Focus on the roam type Over the Air where we can see the roam type 802.11R:
This client was also tested using FT over the DS and was able to roam using 802.11r:
WLAN Security configuration:
Note: FT is not suported in SUITEB-1X
View on WLC GUI of the WLAN Security settings:
Verification of beacons OTA:
None of the tested clients were able to connect to the WLAN using SuiteB-1X confirming that none supports this security method.
WLAN Security configuration:
Note: FT is not supported with GCMP256+SUITEB192-1X.
WLAN on WLC GUI WLANs list:
Verification of beacons OTA:
Here we can observe Wi-Fi 6E clients associating:
Intel AX211
Connection OTA with focus on the RSN information from client:
And the EAP-TLS exchange:
Client details in WLC:
NetGear A8000
WPA3-Enterprise is not supported on this client.
Pixel 6a
At the date of writing this document, this client was not able to connect to WPA3 Enterprise using EAP-TLS.
This was a client side issue that is being worked on and as soon its resolved, this document shall be updated.
Samsung S23
At the date of writing this document, this client was not able to connect to WPA3 Enterprise using EAP-TLS.
This was a client side issue that is being worked on and as soon its resolved, this document shall be updated.
After all the previous tests, this is the resultant conclusions:
Protocol |
Encryption |
AKM |
AKM Cipher |
EAP Method |
FT-OverTA |
FT-OverDS |
Intel AX211 |
Samsung/Google Android |
NetGear A8000 |
OWE |
AES-CCMP128 |
OWE |
NA. |
NA. |
NA |
NA |
Supported |
Supported |
Supported |
SAE |
AES-CCMP128 |
SAE (H2E Only) |
SHA256 |
NA. |
Supported |
Supported |
Supported: H2E Only and FT-oTA |
Supported: H2E Only. |
Supported: |
Enterprise |
AES-CCMP128 |
802.1x-SHA256 |
SHA256 |
PEAP/FAST/TLS |
Supported |
Supported |
Supported: SHA256 and FT-oTA/oDS |
Supported: SHA256 and FT-oTA, FT-oDS (S23) |
Supported: SHA256 and FT-oTA |
Enterprise |
GCMP128 |
SuiteB-1x |
SHA256-SuiteB |
PEAP/FAST/TLS |
Not Supported |
Not Supported |
Not Supported |
Not Supported |
Not Supported |
Enterprise |
GCMP256 |
SuiteB-192 |
SHA384-SuiteB |
TLS |
Not Supported |
Not Supported |
NA/TBD |
NA/TBD |
Not Supported |
The troubleshooting used in this document was based on the online document:
The general guideline for troubleshooting is to collect RA trace in debug mode from the WLC using the client mac address making sure that the client is connecting using the device mac and not a randomized mac address.
For Over the Air troubleshooting, the recommendation is to use AP in sniffer mode capturing the traffic on the channel of the client serving AP.
Note: Refer to Important Information on Debug Commandsbefore you use debug commands.
Wi-Fi 6E: The Next Great Chapter in Wi-Fi White Paper
Cisco Live - Architecting Next Generation Wireless Network with Catalyst Wi-Fi 6E Access Points
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide 17.9.x
Revision | Publish Date | Comments |
---|---|---|
1.0 |
08-Aug-2023 |
Initial Release |