topic Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh in Wireless

Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Ghz?

tomab — Thu, 07 Dec 2023 15:11:09 GMT

Hi,

We're starting to deploy 9100 series APs. Of course 6GHz requires WPA2 to be disabled. I can't do that yet as we have a number of older laptops with Intel AC8265 adapters that don't support WPA3.

An idea that occurred to me was to leave the existing corporate SSID as is and create another WLAN with the same SSID having WPA3 and 6GHz enabled, but disabled on 2.4 & 5Ghz.

Has anyone done this, or is there an obvious reason why it won't work/shouldn't be tried?

thanks.

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

JPavonM — Thu, 07 Dec 2023 15:44:35 GMT

Yes that is something you can do, but whenever a device that support the 3 bands would connect to either AP and move to another area, it will decide which band to connect to, so expect uncontrolled disconnections.

Try to configure WPA3 AES-CCMP128 with both SAH1 and SHA256 and PMF optional, that should be allowed by AC8265 adapters as far as I remember. BUT don't setup WPA3 on Windows side, but WPA2-Enterprise. Basically WPA2 with those options and WPA3 are the same suites, but in the later case with all of them CCMP128, SHA256 and PMF mandatory.

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

Rich R — Fri, 08 Dec 2023 13:59:21 GMT

And remember the Intel drivers must be up to date.

You may also want to have a read through https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

Rasika Nayanajith — Sat, 09 Dec 2023 23:41:25 GMT

"An idea that occurred to me was to leave the existing corporate SSID as is and create another WLAN with the same SSID having WPA3 and 6GHz enabled, but disabled on 2.4 & 5Ghz"

Prior to 17.12.x version, You can use the same SSID name, but SSID profile name should be unique. In that way still it is two different SSID profiles that use same "SSID name".

Starting from IOS-XE 17.12.x onward Cisco is supporting it using single profile and single SSID. Refer below WPA3 deployment guide
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html
"Starting 17.12.1, this can be used with 1 SSID and 1 Profile and support 6GHz band"

"To support these deployments, the recommendation in pre-17.12.1 SW versions were to use WPA2+WPA3 transition mode with same WLAN with different profiles to support both legacy and latest 6GHz clients. The challenge with this design is roaming. The roaming between bands in this configuration is not supported and it is full roam always which is not preferred.

Starting from 17.12.1, we are supporting transition mode with pure WPA3 for 6GHz band, which allows users to enable WPA2+WPA3 in the same WLAN with 6GHz. This mode eliminates the need to create two different profiles to accommodate legacy and latest 6GHz devices. In this mode, WPA2+WPA3 transition mode can be used in 2.4GHz/5GHz and only WPA3 relevant configs will be pushed on the 6GHz band when wlan has both WPA2 and WPA3 configs"

Specific configuration you can find within the same document
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html#WPA2WPA3Enterprisetransitionmodewith6GHzGUIConfiguration

HTH
Rasika
*** Pls rate all useful responses ***

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

Ambuj M — Sun, 10 Dec 2023 03:28:49 GMT

Not a good idea to use the same name, create a different SSID. May be user number "6" on new SSID, so people know if they have compatible devices then connect to the one ending with "6", at-least until all your devices are 6Ghz compatible. One of my customer tried that it was not a pleasant experience for their help desk.

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

MHM Cisco World — Sun, 10 Dec 2023 04:23:28 GMT

WPA3 can backward compatibilty with WPA2

But

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9166-series-access-points/220526-configure-and-verify-wi-fi-6e-band-opera.html

Mention below

Wi-Fi 6E uplevels security with Wi-Fi Protected Access 3 (WPA3) and Opportunistic Wireless Encryption (OWE) and there is no backward compatibility with Open and WPA2 security.

So you have only option try two SSID (two wlan wpa2 and other wpa3 6ghz) with one vlan.

MHM

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

Scott Fella — Sun, 10 Dec 2023 21:30:57 GMT

I think there are multiple ways to achieve this, but it comes down to what works well for you. What I have done, so I can have telemetry on migration to WPA3, is to create a new SSID, since its 6GHz only and keep the existing as is. GPO would be update to add the WPA3/6GHz as the primary. Your AD has to be up to date to have the WPA3 option. Depends on how your end devices are setup in AD/Intune as an example, you might be able to have separate GPO's for newer devices versus existing which helps as you really don't want to push both SSID's as that can cause issues also, but you would need to test that out.

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

JPavonM — Mon, 11 Dec 2023 07:20:07 GMT

What I'm doing to move forward to WPA3-only is to create a WLAN profile using WPA3-Transition mode and only publishing it on 5-GHz (I'm not a friend of using 2.4-GHz band for corporate devices as users complain about performance a lot).

I will have this setup for the next 10 months and will monitor conencted clients looking for non-sha256 clients connected (those that do not support WPA3 AKM) with this command:

show wireless client summary detail | exc SHA256

In parallel, using a Python script I'm checking all connected clients security features in use by them to validate they are connecting using SHA256 and PMF.

What we are looking at are for those laptops that do not support it to replace them (because they have a legacy wireless adapter not supporting it), or fix them (because and outdated driver).

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

tomab — Mon, 11 Dec 2023 09:46:33 GMT

Thanks everyone for the useful input. @Rasika Nayanajith suggestion of using 17.12.x (which I see supports our 2700 series APs) looks like the best option.

Re: Duplicate WLANs with same SSID, one for WPA3/6Ghz one for WPA2 5Gh

jasonm002 — Thu, 18 Jan 2024 17:44:42 GMT

Watch out for https://quickview.cloudapps.cisco.com/quickview/bug/CSCwh49406 though it's still affecting 17.12.2. I too want the feature to have WPA2/3 transition mode on a single WLAN profile but this bug is worse than it seems because I got my syslog server spammed with 700mbps of AP junk and you'd think that you could unconfigure a syslog target for the APs but the default on the 9800 is to use the broadcast address for syslog (which is a bad default, it should just disable syslog on APs) so then you're DDoSing your site with broadcast syslog traffic. You'd also think you could change the syslog filter level but this bypasses the syslog filter. Disabling cleanair on 2.4GHz and rebooting affected APs works around it (in my case it was just the 9130s as the bug indicates) , but then I have no cleanair on 2.4GHz which is annoying.

Supposedly an APSP being released soon for 17.12.2 but I've yet to see it and maybe it will just be fixed in 17.12.3 instead. Anyway wow, this is a very annoying bug.