03-18-2024 09:18 AM
So, this is more a question of what people are using or seeing. We will be replacing all our facilities this year and I plan to go Wi-Fi 6E. I have tested having the SSID mixed, but I have also heard to separate them, due to the fact that if a client shifts frequencies it will go through reauthentication.
So, what have any of you experienced with this? Is it better to split off 6 GHz to say Employee and Employee_6G? Or is the mixed setup under the 1 SSID fine? I'm just looking at the questions from users and the headaches of splitting.
03-18-2024 10:31 AM
- Because of the different security parameters it is better to split off 6GHz between Employee and Employee_6
M.
03-18-2024 12:07 PM
Hi
As Wi-Fi 6E requires WPA3 security (Protected Management Frames (PMF)), some clients may not support it.
With a single SSID in transition mode, you can expect that it will deal with both WPA2 and WPA3 clients, but I'm not sure that you can really predict the behavior of each type of device unless you have a limited set of them. As you mention, if it happens, switching between WPA2 and WPA3 might introduce a poor experience.
Even Cisco NOC guys prefer to separate WPA2 and WPA3 at Cisco Live:
https://blogs.cisco.com/developer/wireless-and-the-ciscolive-network-operations-center
Regards
03-18-2024 06:49 PM - edited 03-18-2024 06:49 PM
Subscribing. I don't have experience with this, just thoughts - maybe someone can correct me if I'm wrong. I can't think of why combining would be a problem if running strictly WPA3 encryption since WPA3 is WPA3 whether it's on 2.4, 5, or 6 GHz... and running 2.4 and 5 GHz with WPA2 is fine... right?
In my institution (large university) with BYOD and everything from 2700s to 9166s in the fleet, splitting would be troublesome in the following scenario: User connects to Employee_6. They move to another building with pre-6 GHz APs and must then connect to Employee. Then they return to the first building and their device has to choose on its own whether to connect to Employee or Employee_6. Regardless of what it chooses, at some point, due to a momentary drop in RSSI or other factor, it may choose to switch SSIDs and re-authenticate at a disruptive time.
Even if they don't move between buildings with or without 6 GHz, if they have trouble with one SSID for whatever reason, they'll try the other SSID, and again, the device is liable to switch SSIDs. This can be helped with communication (or group policy/device management/etc.) but in a university setting, we just can't get everyone to receive/read/obey the message. So, my thought is to combine 5/6 with WPA3 on one SSID and keep eduroam 2.4/5 with WPA2 - depending how this conversation goes!
03-19-2024 12:37 AM
Hi
Everything is exposed clearly here:
https://blogs.cisco.com/networking/wlan-ssid-security-migration-into-6ghz-networks
Best option proposed: "Same SSID, two WLAN profiles, no transition". Just add 6 GHz support with WPA3. No change to the 2.4/5 GHz security profile.
And the most important information is:
"WPA3 describes transition mode as a kind of hybrid WPA2/WPA3 scenario, with PMF set to optional, and the group key using legacy crypto, but this is not allowed in 6GHz, so we can’t just flip the existing WLAN from WPA2 to transition mode and get it done…it simply can’t be supported in the new band."
Option 4 sounds good to me as it gives the availability of the 6 GHz enhancement without hitting your existing deployment.
03-19-2024 07:09 AM
Thanks for the info. Off the blog, I think Option 2 may be best. 4 seems plausible, but would a device show 2 different SSIDs with the same name, causing confusion, or not?
We have a few SSIDs, but Employee and Guest are about the only 2 I would need to enable 6 GHz on, as our other SSIDs are more legacy devices.
03-19-2024 07:52 AM
Based on the blog options, I would choose option 4.
So leave the security parameters on the existing SSIDs as they are on the 2.4/5 GHz bands:
- Employee using WPA2 Enterprise (I guess)
- Guest with L2 open auth / L3 WebAuth (or I don't know, maybe WPA2 Private PSK on top of WebAuth)
Then add the 6 GHz band with:
- Employee using WPA3 Enterprise (no choice)
- Guest using enhanced open (OWE)
As is, new devices supporting 6 GHz should work and existing devices won't be impacted on the 2.4/5 GHz bands. You avoid dealing with the transition to WPA3 and OWE on existing networks, but you do add 6 GHz support.
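The reason the blog quoted above rules out transition mode on 6 GHz, and the reason the option 4 layout (WPA2-Enterprise on 2.4/5 GHz, WPA3-Enterprise or OWE on 6 GHz) works, is visible in what each WLAN profile advertises in its RSN information element: the AKM suites and the PMF bits in RSN Capabilities. The following Python is an added example for this thread, not Cisco code or anything from the linked blog; it parses an RSN element body, labels the profile, and checks it against the Wi-Fi 6E rule of thumb (WPA3-only AKMs, PMF required, no WEP/TKIP). The sample elements at the bottom are constructed by hand to mirror the profiles discussed in the thread.

```python
"""Parse an 802.11 RSN information element (element ID 48) and decide
whether the advertised security profile may be offered on 6 GHz.
Added example for this thread, not Cisco code; the sample elements at
the bottom are constructed by hand."""
import struct

RSN_OUI = b"\x00\x0f\xac"          # IEEE 802.11 cipher/AKM suite OUI
MFPR, MFPC = 0x0040, 0x0080       # RSN Capabilities bits: PMF required / PMF capable

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
             8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
LEGACY_CIPHERS = {1, 2, 5}        # WEP/TKIP: never valid on 6 GHz
PSK_AKMS, SAE_AKMS, DOT1X_AKMS = {2, 6}, {8, 9}, {1, 5}


def _suite_type(ie, off):
    """Selector type of the 4-byte suite at ie[off]; None if vendor-specific."""
    sel = ie[off:off + 4]
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    return sel[3] if sel[:3] == RSN_OUI else None


def parse_rsn(ie):
    """ie is the element body (after the 2-byte ID/length header)."""
    off = 0
    (version,) = struct.unpack_from("<H", ie, off); off += 2
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite_type(ie, off); off += 4
    (n,) = struct.unpack_from("<H", ie, off); off += 2
    pairwise = []
    for _ in range(n):
        pairwise.append(_suite_type(ie, off)); off += 4
    (n,) = struct.unpack_from("<H", ie, off); off += 2
    akms = []
    for _ in range(n):
        akms.append(_suite_type(ie, off)); off += 4
    # RSN Capabilities is optional; if absent, neither PMF bit is set
    caps = struct.unpack_from("<H", ie, off)[0] if off + 2 <= len(ie) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(rsn):
    """Label the profile the way a client would see it."""
    a = set(rsn["akms"])
    if 12 in a:
        return "WPA3-Enterprise-192"
    if a & SAE_AKMS:
        return "WPA3-Personal-transition" if a & PSK_AKMS else "WPA3-Personal"
    if 18 in a:
        return "OWE"
    if a & DOT1X_AKMS:  # WPA2- and WPA3-Enterprise share AKMs; the PMF bits decide
        if rsn["mfpr"]:
            return "WPA3-Enterprise"
        return "WPA3-Enterprise-transition" if rsn["mfpc"] else "WPA2-Enterprise"
    if a & PSK_AKMS:
        return "WPA2-Personal"
    return "unknown"


def allowed_on_6ghz(rsn):
    """Wi-Fi 6E rule of thumb: WPA3-only AKMs, PMF required, no legacy ciphers.
    Returns (ok, list of reasons the profile was rejected)."""
    reasons = []
    a = set(rsn["akms"])
    if a & PSK_AKMS:
        reasons.append("legacy PSK AKM advertised (WPA2-Personal or transition mode)")
    if not (a & (SAE_AKMS | DOT1X_AKMS | {12, 18})):
        reasons.append("no WPA3-capable AKM")
    if not (rsn["mfpc"] and rsn["mfpr"]):
        reasons.append("PMF not required (MFPC=%d MFPR=%d)" % (rsn["mfpc"], rsn["mfpr"]))
    for c in [rsn["group"]] + rsn["pairwise"]:
        if c in LEGACY_CIPHERS:
            reasons.append("legacy cipher %s" % CIPHER_NAMES[c])
    return (not reasons, reasons)


def build_rsn(group, pairwise, akms, mfpc=False, mfpr=False):
    """Construct an RSN element body; used only to make the samples below."""
    caps = (MFPC if mfpc else 0) | (MFPR if mfpr else 0)
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([k]) for k in akms)
    return body + struct.pack("<H", caps)


# Constructed samples: the existing 2.4/5 GHz Employee profile, a hybrid
# transition profile, and the two 6 GHz-only profiles proposed above.
SAMPLES = {
    "Employee 2.4/5 GHz (WPA2-Enterprise)": build_rsn(4, [4], [1]),
    "Employee transition (WPA2+WPA3 Personal, PMF optional)": build_rsn(4, [4], [2, 8], mfpc=True),
    "Employee 6 GHz (WPA3-Enterprise, PMF required)": build_rsn(4, [4], [1, 5], mfpc=True, mfpr=True),
    "Guest 6 GHz (OWE)": build_rsn(4, [4], [18], mfpc=True, mfpr=True),
}

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        rsn = parse_rsn(ie)
        ok, why = allowed_on_6ghz(rsn)
        print("%-55s %-28s 6GHz=%-5s %s" % (name, classify(rsn), ok, "; ".join(why)))
```

Running it shows the transition profile rejected for two reasons (a PSK AKM and PMF only optional), which is exactly why it cannot simply be flipped onto the new band, while the WPA2-Enterprise profile left on 2.4/5 GHz is untouched and the two 6 GHz profiles pass. To check a real network, feed the RSN element body from a captured beacon into parse_rsn.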
03-19-2024 09:18 AM
I guess my only question on option 4 is: will a device that supports 6 GHz see 2 Employees listed in the scan, and how do we know what to pick, or will it show just the 1? I'll have to test it, but my concern is the device showing the 2.4/5 and 6 as 2 separately listed SSIDs.
03-19-2024 10:26 AM
To my understanding, it is the same problem as choosing between the 2.4 or 5 GHz band for the same SSID. It is just extended to a new band, 6 GHz.
So you may implement the same steering technique to make band selection more efficient:
If it is choosing between two different SSIDs, then it is just a local policy on the client. It is no longer an infrastructure choice (but I may be wrong). I suppose that OS or wireless client parameters may offer an option to prioritize a sequence of SSIDs or make the 6 GHz band preempt 2.4/5 GHz. I don't know.
Regards
03-19-2024 10:42 AM - edited 03-19-2024 11:21 AM
Clients may rely on the probes from 2.4/5 GHz to discover the 6 GHz band SSID. So I guess a client would prefer 6 GHz if discovered.
This is an interesting point from this presentation, "Architecting Next Generation Wireless Network with Catalyst Wi-Fi 6E Access Points" from Cisco Live (BRKEWN-2024):
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKEWN-2024.pdf