With the introduction of Wi-Fi 6E/6GHz, there is a large increase in available RF space, multiplying the overall total capacity of any wireless network and, at the same time, removing sources of interference and noise. This increase in performance and quality of the wireless connections will be really exciting and bring a lot of opportunities, but it will come at the price of new and better security requirements for our WLAN/SSID configuration migration.
The new standard did not leave security out of the picture, and any new device supporting 6GHz will be required to “only” support the following security standards while in the new band:
- WPA3: this enforces mandatory Protected Management Frames (PMF/802.11w)
- Opportunistic Key Encryption (OWE). This replaces the concept of “Open SSID”, and allows encryption across devices without any authentication
- Simultaneous Authentication of Equals (SAE). This takes the role of PSK (also called “personal”) authentication methods but makes it resistant to offline password attacks, with improved cryptographic algorithms
There are also provisions for more advanced encryption methods (WPA3 Enterprise-192), and several important things that must “not be supported”, for example: PMF disabled/optional, TKIP, WEP, etc.
What does this mean for 6GHz deployments?
Well… in the rare case of a greenfield 6GHz deployment, it would be just “awesome, we get new improved security standards by default”…
The problem is that almost all deployments will not be greenfield. You will have to support the coexistence of all existing networks and devices with the new standard, and migrate existing networks to include the new 6GHz access points and clients.
What’s more: with few honorable exceptions, most of the current WLAN/SSIDs configured out there for 2.4 and 5 will “not” work over 6GHz radios, as they don’t meet the new security requirements.
This means that your SSID supporting WPA2 Enterprise (802.1x) can’t be broadcast directly in 6GHz… same for any existing Webauth or WPA2-PSK SSIDs. All of them will need to be changed to conform to the new standard. To ensure things can be done properly, this will need planning and, quite possibly, careful testing.
Changes also mean concerns about backward compatibility: older devices may not like or support the new security settings, so this isn’t just a matter of flipping a configuration change and hoping it works.
The good thing is that there are different options for handling brownfield scenarios, with proper and natural coexistence of the new APs and clients supporting WPA3 and 6GHz with older devices still stuck supporting WPA2 or older standards. Each one has its benefits and implementation costs, so it is important to plan properly.
Transition mode
Some people may come back with “But transition mode is available, we should be able to set this WLAN with WPA2/WPA3 transition and get it done”. Unfortunately, things are not so simple. This mode was created to introduce WPA3 into legacy bands, not to make 6GHz adoption easy.
WPA3 describes transition mode as a kind of hybrid WPA2/WPA3 scenario, with PMF set to optional and the group key using legacy crypto, but this isn’t allowed in 6GHz, so we can’t just flip the existing WLAN from WPA2 to transition mode and get it done… it simply can’t be supported in the new band.
Transition mode is a great way to handle a migration to a more secure standard in the legacy band. Older devices can coexist on the same SSID with new devices supporting WPA3/PMF, allowing a smoother migration, but the price to pay is compatibility. Several clients may behave erratically, or simply fail to connect to a transition mode SSID, even when what they support is still allowed; plus, this alone can’t solve the mandatory 6GHz security requirements.
One word of caution: there is a related feature called “Transition Disable”, which can be set in the WLAN Security tab, in the WPA Parameters area.

This setting tells the client that, once it has connected successfully to WPA3, it should migrate its SSID profile to support “only” WPA3, and not connect back to WPA2 if that is the only option available. On one side, this is good for security, as it will migrate all client devices to WPA3 only as they join the transition mode WLAN; but if the network consists of multiple physical locations, for example with some set to WPA2 and others to WPA3/WPA2 transition mode, this will cause the migrated clients to fail when moved to a location with WPA2 only.
This is a possible scenario for some large networks, with the same SSID covering different controllers/AP setups and with configurations not matching 100%. The biggest example would be Eduroam, which shares the same SSID name worldwide. Setting this could cause serious issues for clients moving across different network providers, so please use this with care, and only if you can ensure the same security setting is set properly across all network locations.
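The failure described above, simulated as an added example (not part of the original article): a client carries one SSID profile between sites and stops accepting WPA2 once it joins with WPA3 at a site that sets Transition Disable. The site names, the `mode` values and the `roam` function are constructed for illustration.

```python
# Added example: one client profile moving between sites that share an SSID.
# Site names and the "mode"/"transition_disable" fields are constructed.

SITES = {
    "campus-A": {"mode": "wpa2", "transition_disable": False},
    "campus-B": {"mode": "wpa2/wpa3-transition", "transition_disable": True},
    "campus-C": {"mode": "wpa2/wpa3-transition", "transition_disable": False},
    "campus-D": {"mode": "wpa3", "transition_disable": False},
}

# What each WLAN security mode offers to a joining client.
OFFERS = {
    "wpa2": {"wpa2"},
    "wpa2/wpa3-transition": {"wpa2", "wpa3"},
    "wpa3": {"wpa3"},
}


def roam(path, sites=SITES, supports_wpa3=True):
    """Return [(site, result)] for a client visiting the sites in order."""
    accepted = {"wpa2", "wpa3"} if supports_wpa3 else {"wpa2"}
    log = []
    for name in path:
        site = sites[name]
        usable = OFFERS[site["mode"]] & accepted
        if not usable:
            log.append((name, "fail"))
            continue
        used = "wpa3" if "wpa3" in usable else "wpa2"
        log.append((name, used))
        # After a successful WPA3 join with Transition Disable set,
        # the client stops accepting WPA2 for this SSID.
        if used == "wpa3" and site["transition_disable"]:
            accepted = {"wpa3"}
    return log


if __name__ == "__main__":
    for step in roam(["campus-A", "campus-B", "campus-A", "campus-C"]):
        print(step)
```

The result depends on visit order: the same client joins campus-A before visiting campus-B and fails there afterwards, which is why the setting has to match across every location that shares the SSID.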
So, what options do we have?
Option 1: Everybody Moves
This is the most radical solution. Here we move all SSIDs to WPA3, SAE, or OWE, with a single SSID across all bands. This means that all legacy security support will be removed across all SSIDs.
This is only feasible for the greenfield scenario, or when we have absolute control of all clients’ device versions and configurations. It is highly probable that customers will never go this route.
Client support
- Apple iOS: on 15.1, it does support WPA3/PMF and SAE, but it doesn’t support OWE. SAE support is not compatible with 6GHz requirements
- Android: supports WPA3/PMF/SAE since version 10
- Windows: supported in 11, but should work on version 10-2004
Cons
- There is a large list of compatibility issues regarding some of the requirements, and implementing this option will lead to compatibility issues as soon as any older device tries to connect
- Migrating the SSID profile on clients may be problematic, depending on operating systems. Some devices will use the higher security options right away; others will need to be adjusted
Pros
- No need for additional SSIDs
- Removes any older low-security SSIDs
Option 2: Tailored SSIDs
In this scenario, the idea is to create new SSIDs, specifically focused on functionality, with support on each band as needed. New SSIDs would be created for 6GHz support, optionally broadcast in other bands.
This maximizes backward compatibility, as it leaves anything existing “untouched”.
For example, a company may have an existing SSID design as:
- Legacy SSID: mycompany, broadcast in 5 GHz, supporting WPA2 Enterprise
- Guest SSID: mycompanyGuest, supporting webauth in 2.4 and 5 GHz
- IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz
What we would add:
- Wi-Fi 6 specific SSID: mycompanyNG, broadcast on 5 and 6GHz, using WPA3 with 802.1x authentication and PMF
Cons
- A new SSID will need to be created and broadcast
- Additional profile configuration across devices. Depending on client management being available, this can be a daunting task
- SSID names are a sensitive subject for customers. Deciding on a new name may not be simple in some instances
Pros
- No impact on anything already existing
- You can have a gradual migration of devices supporting the new security standards (WPA3) to the new SSID, without having to do a risky forklift in the client profile configuration
- Fast roaming supported between bands for the same WLAN
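As an added example (not from the original article), the design above can be checked against the 6GHz requirements listed at the start: WPA3, OWE or SAE only, PMF mandatory, no TKIP or WEP. The profile fields, the AKM labels, the PMF and cipher values, and the `mycompany-transition` profile are assumptions made for this sketch, not a controller schema.

```python
# Added example: audit WLAN profiles against the 6GHz rules stated in this article.
# Field names and AKM labels are an assumed data model, not a controller schema.

ALLOWED_6GHZ_AKMS = {"wpa3-802.1x", "wpa3-802.1x-192", "sae", "owe"}
FORBIDDEN_CIPHERS = {"tkip", "wep"}


def six_ghz_violations(profile):
    """Return the reasons a profile cannot be broadcast on 6GHz ([] = eligible)."""
    reasons = []
    legacy_akms = sorted(set(profile["akm"]) - ALLOWED_6GHZ_AKMS)
    if legacy_akms:
        reasons.append("AKM not allowed in 6GHz: " + ", ".join(legacy_akms))
    if profile["pmf"] != "required":
        reasons.append(f"PMF is {profile['pmf']}, must be required")
    bad_ciphers = sorted(set(profile["ciphers"]) & FORBIDDEN_CIPHERS)
    if bad_ciphers:
        reasons.append("cipher not allowed: " + ", ".join(bad_ciphers))
    return reasons


def audit(profiles):
    """Map each profile name to (broadcast_on_6ghz, violations)."""
    return {p["name"]: (6 in p["bands"], six_ghz_violations(p)) for p in profiles}


def misconfigured(profiles):
    """Profiles set to broadcast on 6GHz that violate its requirements."""
    return sorted(n for n, (on6, why) in audit(profiles).items() if on6 and why)


# Constructed sample data modelled on the example design; PMF/cipher values assumed.
PROFILES = [
    {"name": "mycompany", "ssid": "mycompany", "akm": ["wpa2-802.1x"],
     "pmf": "disabled", "ciphers": ["ccmp"], "bands": [5]},
    {"name": "mycompanyGuest", "ssid": "mycompanyGuest", "akm": ["open-webauth"],
     "pmf": "disabled", "ciphers": [], "bands": [2.4, 5]},
    {"name": "mycompanyIOT", "ssid": "mycompanyIOT", "akm": ["wpa2-psk"],
     "pmf": "disabled", "ciphers": ["ccmp", "tkip"], "bands": [2.4]},
    {"name": "mycompanyNG", "ssid": "mycompanyNG", "akm": ["wpa3-802.1x"],
     "pmf": "required", "ciphers": ["ccmp"], "bands": [5, 6]},
    # Hypothetical mistake: a transition-mode profile (PMF optional) enabled on 6GHz.
    {"name": "mycompany-transition", "ssid": "mycompany",
     "akm": ["wpa2-802.1x", "wpa3-802.1x"], "pmf": "optional",
     "ciphers": ["ccmp"], "bands": [5, 6]},
]

if __name__ == "__main__":
    for name, (on6, why) in audit(PROFILES).items():
        print(f"{name}: 6GHz={'on' if on6 else 'off'} ->", why or "eligible")
```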
Option 3: Same SSID, two WLAN profiles, using transition mode
Keeping the same SSID across bands touches your existing WLAN profile, changing it to WPA3 transition mode and restricting it to 2.4 and 5GHz. It also adds a new profile, just for 6GHz, with the required security settings.
Following on from our previous example:
- Legacy SSID: mycompany, WLAN profile mycompany, broadcast in 5 GHz. Changed now to support WPA2 Enterprise and WPA3 in transition mode
- Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
- IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz
What we would add:
- Wi-Fi 6 specific WLAN profile: same mycompany SSID, with a different profile name, mycompanyNG, broadcast on 6GHz, using WPA3 with 802.1x authentication and PMF
Cons
- Several client vendors have issues handling WPA3 transition mode properly
- Clients may not like the same SSID with different security settings across bands
- Roaming is not supported across WLANs. A client authenticated in 5 GHz must do full authentication when moving into 6
Pros
- No new SSIDs on the client side to be managed
- Devices supporting WPA3 will connect in legacy bands with the higher security standard. This will help with security migration
- As we have the same SSID name across bands, clients will be able to fall back from 6 to 2.4/5 in case of any coverage problem
Option 4: Same SSID, two WLAN profiles, no transition
This is basically a small variation of option 3. The existing profile is left untouched, and we add a 6GHz specific WLAN profile:
- Legacy SSID: mycompany, WLAN profile mycompany, broadcast in 5 GHz. WPA2-Enterprise
- Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
- IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz
What we would add:
- Wi-Fi 6 specific WLAN profile: same mycompany SSID, with a different profile name, mycompanyNG, broadcast on 6GHz, using WPA3 with 802.1x authentication and PMF
Cons
- Clients may not like the same SSID with different security settings across bands. This is yet to be confirmed; so far, no issues reported in testing
- Roaming across WLANs is not supported. A client authenticated in 5 GHz must do full authentication when moving into 6
- Legacy bands will be stuck on lower security protocols
Pros
- No new SSIDs to be managed on the client side
- As we have the same SSID name across bands, clients will be able to fall back from 6 to 2.4/5 in case of any coverage problem
- Avoids any client interoperability issues with transition mode
Too many options, but which is the best?
For most customers, option 4 (new WLAN profile, same name, new security) is what will be implemented most of the time, as it allows deployments while reducing most risks.
For customers that want better security, option 2 (specific SSID) or option 3 (change to transition mode, add new profile for 6) will be the best suited.
And for sure, don’t move WPA2 networks to WPA2/WPA3 transition mode without validating with your existing clients, especially if there are any legacy or custom devices present.