WLAN/SSID Safety Migration into 6GHz Networks

With the introduction of Wi-Fi 6E/6GHz, there’s a large enhance in obtainable RF area, multiplying the general complete capability of any wi-fi community, and on the similar time, eradicating sources of interference and noise. This enhance in efficiency and high quality of the wi-fi connections will likely be actually thrilling and convey a number of alternatives, however this may include the worth of recent and higher safety necessities for our WLAN/SSID configuration migration.

The brand new customary didn’t go away safety out of the image and any new system supporting 6GHz, will likely be required to “solely” assist the next safety requirements whereas within the new band:

• WPA3: this enforces necessary Protected Administration Frames (PMF/802.11w)
• Opportunistic Key Encryption (OWE). This replaces the idea of “Open SSID”, and permits to have encryption throughout units, with none authentication
• Simultaneous Authentication of Equals (SAE). This takes the function of PSK (additionally known as “private”) authentication strategies however makes it proof against offline password assaults, with improved cryptographic algorithms

There are as nicely provisions for extra superior encryption strategies (WPA3 Enterprise-192), and several other necessary issues that should “not be supported“, for instance:  PMF disabled/optionally available, TKIP, WEP, and so forth.

What does this imply for 6GHz deployments?

Nicely… within the uncommon case of a greenfield 6GHz deployment, it could be simply “superior, we get new improved safety requirements by default”…

The issue is that nearly deployments is not going to be greenfield.  You’ll have to assist the coexistence of all present networks and units with the brand new customary and migrate present networks to incorporate the brand new 6GHz entry factors and purchasers.

What’s extra: with few honorable exceptions, many of the present WLAN/SSIDs configured on the market for two.4 and 5, will “not” work over 6GHz radios, as they don’t meet the brand new safety necessities.

Which means your SSID supporting WPA2 Enterprise (802.1x), can’t be broadcasted straight in 6GHz… similar for any present Webauth or WPA2-PSK SSIDs. All of them will have to be modified to evolve to the brand new customary. To be able to guarantee issues may be carried out correctly, this may want planning, and fairly probably, cautious testing.

Modifications additionally imply issues about backward compatibility, and any older units could not like or assist the brand new safety settings, so this isn’t only a matter of flipping a configuration swap and hoping it really works.

The great factor is that there are totally different choices on the way to deal with brownfield eventualities, with correct and pure coexistence of the brand new APs and purchasers supporting WPA3 and 6GHz, with older units nonetheless caught supporting WPA2 or older requirements. Every one has its advantages and implementation prices, so you will need to plan correctly.

Transition mode

Some folks could come again with “However transition mode is accessible, we should always be capable to set this WLAN with WPA2/WPA3 transition and get it carried out”, sadly,  issues should not so easy. This mode was created to introduce WPA3 into legacy bands, to not make it straightforward for 6GHz adoption.

WPA3 describes transition mode as a form of hybrid WPA2/WPA3 state of affairs, with PMF set to optionally available, and the group key utilizing legacy crypto, however this isn’t allowed in 6GHz, so we will’t simply flip the present WLAN from WPA2 to transition mode and get it carried out…it merely can’t be supported within the new band.

Transition mode is a superb approach to deal with a migration right into a safer customary within the legacy band. Older units can coexist on the identical SSID with new units supporting WPA3/PMF, permitting a smoother migration, however the value to pay is compatibility. A number of purchasers could behave erratically, or just, fail to hook up with a transition mode SSID, even when what they assist remains to be allowed, plus this alone can’t clear up the 6GHz  safety necessary necessities.

One phrase of warning: There’s a associated characteristic known as “< class=”label ng-binding”>Transition Disable”, which may be set within the WLAN Safety tab, within the WPA Parameters space.

This setting tells the consumer, that after it has linked efficiently to WPA3, it ought to migrate its SSID profile to assist “solely” WPA3, and never join again to WPA2 if that’s the solely possibility obtainable. On one aspect, that is good for safety, as it’ll migrate all consumer units to WPA3 solely, as they be a part of the transition mode WLAN, but when the community consists of a number of bodily places, for instance, some are set to WPA2, others to WPA3/WPA2 transition mode, this may trigger the migrated purchasers to fail when moved to a location with WPA2 solely.
This can be a potential state of affairs for some giant networks, with the identical SSID protecting totally different controllers/AP setups and with configurations not matching  100%.  The most important instance could be Eduroam, which shares the identical SSID identify worldwide. Setting this might have critical points for purchasers  shifting throughout totally different community suppliers, so please use this with care, and provided that you’ll be able to guarantee the identical safety setting is ready correctly throughout all community places

So, what choices do now we have?

Choice 1: All people Strikes

That is essentially the most radical answer. Right here we transfer all SSIDs to WPA3, SAE, or OWE, with a single SSID throughout all bands. Which means all legacy safety assist will likely be eliminated throughout all SSIDs.

That is solely possible for the Greenfield state of affairs, or when now we have absolute management of all purchasers’ system variations and configurations. It’s extremely possible that prospects won’t ever go this route.

Shopper assist

• Apple IOS: on 15.1, it does assist WPA3/PMF, and SAE, however it doesn’t assist OWE. SAE assist is just not appropriate with 6GHz necessities
• Android: Helps WPA3/PMF/SAE since model 10
• Home windows: supported in 11, however ought to work on model 10-2004

Cons

• There’s a giant listing of compatibility points concerning among the necessities, and implementing this selection will result in compatibility points as quickly as any older system tries to attach
• Migrating the SSID profile on purchasers could also be problematic, relying on working techniques. A number of units will use instantly the upper safety choices, others will have to be adjusted

Execs

• No want for extra SSIDs
• Removes any older low-security SSIDs

Choice 2: Tailor-made SSIDs

On this state of affairs,  the concept is to create new SSIDs, particularly targeted on performance, with assist on every band as wanted. New SSIDs could be created for 6GHz assist, optionally broadcasted in different bands.

This maximizes backward compatibility, because it leaves something present  “untouched”.

For instance, an organization could have an present SSID design as:

• Legacy SSID: mycompany, broadcasted in 5 GHz supporting WPA2 Enterprise
• Visitor SSID: mycompanyGuest, supporting webauth in 2.4 and 5 GHz
• IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry units in 2.4 GHz

What we’d add:

• Wi-Fi 6 particular SSID: mycompanyNG, broadcasted on 5 and 6GHz, utilizing WPA3 with 802.1x authentication and PMF

Cons

• A brand new SSID will have to be created and broadcasted
• Further profile configuration throughout units. Relying on consumer administration being obtainable, this is usually a daunting job
• SSID names are a delicate topic for purchasers. Deciding on a brand new identify will not be easy in some cases

Execs

• No influence on something already present
• You may have a gradual migration of units supporting the brand new safety requirements (WPA3) to the brand new SSID, with out having to do a dangerous forklift within the consumer profile configuration
• Quick roaming supported between bands for a similar WLAN

Choice 3:  Identical SSID, two WLAN profiles, utilizing transition mode

Protecting the identical SSID throughout bands, touches your present WLAN profile altering it to WPA3 transition mode and proscribing it to 2.4 and 5GHz. Plus provides a brand new profile, only for 6GHz, with the required safety settings.

Following on our earlier instance:

• Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. Modified now to supporting WPA2 Enterprise and WPA3 in transition mode
• Visitor SSID: mycompanyGuest, supporting webauth in 2.4 GHz
• IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry units in 2.4 GHz

What we’d add:

• Wi-Fi 6 particular WLAN profile: similar mycompany, SSID, with totally different profile identify, mycompanyNG  broadcasted on 6GHz, utilizing WPA3 with 802.1x authentication and PMF

Cons

• A number of consumer distributors have points dealing with WPA3 transition mode correctly
• Shoppers could not like the identical SSID with totally different safety settings throughout bands.
• Roaming is just not supported throughout WLANs. A consumer authenticated in 5 GHz, should do full authentication when shifting into 6

Execs

• No new SSIDs on the consumer aspect to be managed
• Gadgets supporting WPA3 will join in legacy bands with the upper safety customary. This can assist with safety migration
• As now we have the identical SSID identify throughout bands, purchasers will be capable to fallback from 6 to 2.4/5, in case of any protection drawback

Choice 4:  Identical SSID, two WLAN profiles, no transition

That is principally a small variation of possibility 3.  The present profile is left untouched, and we add a 6GHz particular WLAN profile:

• Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. WPA2-Enterprise
• Visitor SSID: mycompanyGuest, supporting webauth in 2.4 GHz
• IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry units in 2.4 GHz

What we’d add:

• Wi-Fi 6 particular WLAN profile: similar mycompany, SSID, with totally different profile identify, mycompanyNG  broadcasted on 6GHz, utilizing WPA3 with 802.1x authentication and PMF

Cons

• Shoppers could not like the identical SSID with totally different safety settings throughout bands. That is but to be confirmed, up to now, no points reported in testing
• Roaming throughout WLANs is just not supported. A consumer authenticated in 5 GHz, should do full authentication when shifting into 6
• Legacy bands will likely be caught on decrease safety protocols

Execs

• No new SSIDs to be managed on the consumer aspect
• As now we have the identical SSID identify throughout bands, purchasers will be capable to fallback from 6 to 2.4/5, in case of any protection drawback
• Avoids any consumer interoperability points with transition mode

Too many choices, however which is one of the best?

For many prospects, possibility 4 (new WLAN profile, similar identify, new safety), is what will likely be carried out more often than not, because it permits deployments, decreasing most dangers.

For patrons that need higher safety, possibility 2 (particular SSID), or possibility 3 (change to transition mode, add new profile for six), would be the finest suited.

And for certain, don’t transfer WPA2 networks to WPA2/WPA3 transition mode, with out validating along with your present purchasers, particularly if there are any legacy or customized units current.

For extra data on this topic

Share: