Cisco ME 8.10

WPA3 on Cisco ME WLAN Controller

Last updated on June 6th, 2020 at 08:20 pm

In this post I will talk about how to configure WPA3 security on Cisco ME controllers, support for which was recently added in AireOS 8.10.

Configuration

In my current configuration, I have a Cisco AP3800 with AireOS 8.5.161 code and Mobility Express controller. I use WPA2-Enterprise to connect to the WLAN, but there is also another SSID configured with WPA2-Personal for devices with more basic supplicants. This is why I am interested in testing the new options available with WPA3 and checking the support of each of the devices I usually work with.

The first step is to configure the SSID in WPA3 transition mode, in which the WPA2-PSK and WPA3-SAE suites are enabled together in mixed mode. Enabling it through the GUI is quite simple: select the Personal security type, which enables WPA2 by default, and then activate the slider corresponding to WPA3.

If you like to configure the SSID through the console, as in my case, the commands would be as follows:

config wlan create 1 _Transit-SSID _Transit-SSID
## disable some auto-configured wpa parameters
config wlan security wpa akm 802.1x disable 1
config wlan security ft disable 1
!
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm psk enable 1
config wlan security wpa akm sae enable 1
config wlan security wpa akm psk set-key ascii 12345678 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa3 enable 1
config wlan security pmf optional 1

After this, the security options of the new SSID are as follows:

The next SSID to be configured is in WPA3-Personal mode. In the GUI, it is enough to disable WPA2 in the SSID Security configuration and save it. You will need the following commands in order to do it through the CLI:

config wlan create 2 _WPA3-P-SSID _WPA3-P-SSID
## WLAN ID 2 and the SSID name above are placeholders; use your own values
## disable some auto-configured wpa parameters
config wlan security wpa akm 802.1x disable 2
config wlan security ft disable 2
!
## WPA3-Personal: SAE only, WPA2/PSK disabled, PMF mandatory
config wlan security wpa wpa2 disable 2
config wlan security wpa akm psk disable 2
config wlan security wpa akm sae enable 2
config wlan security wpa akm psk set-key ascii 12345678 2
config wlan security pmf required 2
config wlan security wpa wpa3 enable 2
config wlan enable 2

When it comes to configuring an SSID with WPA3-Enterprise security, the first thing we notice is that it is not possible to carry out such a configuration in the GUI of the Cisco ME controller. Through the CLI, however, we have all the options available to configure that SSID. These would be the necessary commands:

config wlan create 3 _WPA3-E-SSID _WPA3-E-SSID
## disable some auto-configured wpa parameters
config wlan security wpa wpa2 disable 3
config wlan security wpa akm 802.1x disable 3
config wlan security ft disable 3
!
config wlan local-auth enable gbl_eap_profile 3
config wlan security wpa akm pmf 802.1x enable 3
config wlan security wpa wpa3 enable 3
config wlan security pmf required 3
config wlan enable 3
!

IMPORTANT:

Once the new SSID has been created with WPA3-Enterprise security, if the controller GUI is accessed, the security configuration shown is “Open”. This is because Cisco has not implemented support for WPA3-Enterprise in that GUI.

IMPORTANT:

Any modification made through the GUI to any parameter of this SSID with WPA3-Enterprise security (VLAN, Radios, QoS) will cause strange results in its behavior and configuration. On one hand, the output of the “show wlan” command in the CLI will tell us that the profile has no security, that is, that it is an open SSID. Let’s try to fix this configuration without deleting it. After disabling the WLAN we try to re-enter the necessary commands, but the system tells us that the WLAN already has those parameters defined and that they cannot be applied again, which is both true and false according to what we can see. If we look for that SSID with any device, we also see that the SSID appears as open; however, it is not possible to associate with it.

IMPORTANT:

When the adapter used on Windows 10 computers does not support the security suite of an SSID, it is identified as invalid and appears at the end of the list of available networks.

Testing Phase

The following devices have been used for the tests:

  • Windows 10 1909 laptop with:
    • Atheros AR9107 chipset with 802.11n support
    • Realtek 8812au chipset with 802.11ac support
    • Intel AX200 chipset with 802.11ax support
  • Samsung S9 running Android 10 (Exynos 9810 + Broadcom BCM43750 chipset)
  • Xiaomi Mi8 running Android 10 (Snapdragon 845 chipset)
  • Wiko U Feel Prime running Android 7.1 (Snapdragon 430 chipset)
  • iPad running iPadOS 13.4.1

Regarding WPA3 security suite support of the different operating system manufacturers:

  • Microsoft Windows supports WPA3 starting with Windows 10 1903 (May 2019 Update)
    • Intel supports WPA3 starting with the PROSet/Wireless 21.10 drivers, and only for the AC9xxx and AX2xx chipset families.
  • Google has added WPA3 support on Android.
    • Samsung only supports WPA3-Enterprise
    • Qualcomm added WPA3 support to 845 (pending integrator support)
    • Qualcomm Snapdragon 430 doesn’t support WPA3
  • Apple added WPA3 support on iOS 13, iPadOS 13 and macOS Catalina
  • Linux distributions support WPA3 after ‘wpa_supplicant’ version 2.7 (Feb 2019)

With the above data, it is to be expected that some devices will not be able to use all of the new SSIDs with WPA3 security.

The next picture shows the connected devices when using WPA2-Personal (NOTE: the use of PMF was not activated).

The previous test shows how the Xiaomi Mi8 with Android 10 is unable to join the network. This compatibility issue is treated in more detail in the next post.

The second test is with the SSID in WPA3 transition mode. Again, the Xiaomi Mi8 is unable to associate.

The following image shows the associated devices and their capabilities. As expected, only the W10 with the Intel AX200 wNIC and the iPad are capable of using WPA3-SAE. The W10 with the Atheros device and the Wiko both use WPA2-PSK (SHA1), and the rest use the SHA256 key management suite (PSK-SHA256). Although AireOS 8.10 displays the latter devices as using the WPA3 security policy, this is not true, and it seems to be only a cosmetic defect when identifying the suite in use (TAC case open to investigate this).
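The suite a client actually negotiates is whatever AKM selector it puts in its (Re)Association Request RSN element, and the suites an SSID offers are the AKM selectors in its beacon RSN element; the controller's policy label is just a summary of those. The following script is an added example (not code from the post or from Cisco) that parses an RSN element, lists its cipher and AKM selectors, reads the PMF capable/required bits, and reports whether the advertised combination matches the WPA3 rules for transition mode, SAE-only, WPA3-Enterprise and OWE. The beacons it audits are constructed inline to mirror the SSIDs tested above; `_Transit-SSID` and `_WPA3-E-SSID` are the names used in the post, the other SSID names are placeholders, and none of the bytes are captured data.

```python
import struct

# IEEE 802.11 RSN element (element ID 48). Each suite selector is OUI 00-0F-AC
# plus a one-byte type; the numbers below are the IEEE-assigned selector types.
ELEMENT_ID_RSN = 48
OUI_IEEE = b"\x00\x0f\xac"

AKM_NAMES = {
    1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
    6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "SuiteB-SHA256",
    12: "SuiteB-192", 18: "OWE",
}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
                9: "GCMP-256", 10: "CCMP-256"}

# RSN Capabilities field: bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable)
MFPR = 1 << 6
MFPC = 1 << 7


def build_rsn(pairwise, akms, caps, group=4):
    """Build an RSN element from selector types; used here only to construct samples."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([ELEMENT_ID_RSN, len(body)]) + body


def parse_rsn(ie):
    """Parse an RSN element; raises ValueError on a bad length or a count that
    claims more suites than the element carries (a malformed or hostile frame)."""
    if len(ie) < 2 or ie[0] != ELEMENT_ID_RSN or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite():
        raw = take(4)
        return raw[3] if raw[:3] == OUI_IEEE else "vendor:" + raw.hex()

    version, = struct.unpack("<H", take(2))
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = suite()
    pairwise = [suite() for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [suite() for _ in range(struct.unpack("<H", take(2))[0])]
    # RSN Capabilities is optional; a beacon may end right after the AKM list
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "akm_names": [AKM_NAMES.get(a, str(a)) for a in akms],
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(info):
    """Return (label, findings): the mode implied by the AKM set, plus every PMF or
    cipher setting that violates the WPA3 rules (SAE-only, OWE and WPA3-Enterprise
    need PMF required, transition mode needs PMF capable, TKIP is never allowed)."""
    akms = {a for a in info["akms"] if isinstance(a, int)}
    findings = []
    personal_wpa2 = akms & {2, 4, 6}
    if akms & {8, 9}:
        if personal_wpa2:
            label = "WPA3-Personal transition (PSK + SAE)"
            if not info["mfpc"]:
                findings.append("transition mode must advertise PMF capable")
        else:
            label = "WPA3-Personal (SAE only)"
            if not info["mfpr"]:
                findings.append("SAE-only WLAN must require PMF")
    elif personal_wpa2:
        label = "WPA2-Personal"
    elif 18 in akms:
        label = "OWE"
        if not info["mfpr"]:
            findings.append("OWE WLAN must require PMF")
    elif 12 in akms or (5 in akms and not akms & {1, 3}):
        label = "WPA3-Enterprise 192-bit" if 12 in akms else "WPA3-Enterprise"
        if not info["mfpr"]:
            findings.append("WPA3-Enterprise must require PMF")
    elif akms & {1, 3, 5}:
        label = "WPA2-Enterprise"
    else:
        label = "unknown/open"
    if label.startswith("WPA3") or label == "OWE":
        if 2 in info["pairwise"] or info["group"] == 2:
            findings.append("TKIP is not allowed on a WPA3 WLAN")
    return label, findings


# Constructed sample beacons mirroring the SSIDs tested in the post (not captured data)
SAMPLE_BEACONS = {
    "_Transit-SSID": build_rsn([4], [2, 6, 8], MFPC),        # psk + sae, pmf optional
    "wpa3-personal": build_rsn([4], [8], MFPC | MFPR),       # sae only, pmf required
    "_WPA3-E-SSID":  build_rsn([4], [5], MFPC | MFPR),       # akm pmf 802.1x, pmf required
    "owe":           build_rsn([4], [18], MFPC | MFPR),
    "sae-bad-pmf":   build_rsn([4], [8], MFPC),              # SAE only but PMF merely optional
}


def audit(beacons=SAMPLE_BEACONS):
    """Classify every beacon; returns {ssid: (label, findings)}."""
    return {ssid: classify(parse_rsn(ie)) for ssid, ie in beacons.items()}


if __name__ == "__main__":
    for ssid, (label, findings) in audit().items():
        print(f"{ssid:15s} {label:40s} {'; '.join(findings) or 'ok'}")
```

Feeding it the RSN element from a client's association request instead of a beacon tells you which AKM that client really chose, which is the check to make when a controller's "security policy" column looks suspicious: a Samsung S9 that negotiated PSK-SHA256 (selector 6) is on WPA2, whatever the GUI says.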

For the SSID configured with WPA3-SAE, only the W10 with Intel wNIC and the iPad with iOS 13.4 managed to connect. Neither the Mi8 nor the Samsung S9 connects, as this suite is not implemented by the manufacturers.

The next test is with the WPA3-Enterprise security SSID, to which the W10 with the Realtek and Intel wNICs, the Samsung S9 and Mi8 with Android 10, and the iPad with iOS 13.4 manage to connect.

And finally, the last test on the SSID configured with OWE. This time the results are quite disappointing, as only the Mi8 device with Android 10 is able to connect to that network.

While the Samsung S9 device does not show the SSID in the network list, the Wiko device with Android 7.1 does not even try to associate with the network. The W10 devices and the iPad show the SSID in the network list as secure, which tells the operating system that some kind of credential must be entered. This is confirmed when trying to associate: after selecting it, a window is displayed in both cases asking for credentials for the SSID, which do not exist.
