12-07-2023 07:11 AM
Hi,
We're starting to deploy 9100 series APs. Of course 6GHz requires WPA2 to be disabled. I can't do that yet as we have a number of older laptops with Intel AC8265 adapters that don't support WPA3.
An idea that occurred to me was to leave the existing corporate SSID as is and create another WLAN with the same SSID having WPA3 and 6GHz enabled, but disabled on 2.4 & 5GHz.
Has anyone done this, or is there an obvious reason why it won't work/shouldn't be tried?
Thanks.
12-09-2023 03:41 PM
"An idea that occurred to me was to leave the existing corporate SSID as is and create another WLAN with the same SSID having WPA3 and 6GHz enabled, but disabled on 2.4 & 5GHz"
Prior to version 17.12.x, you can use the same SSID name, but the SSID profile name should be unique. That way it is still two different SSID profiles that use the same "SSID name".
Starting from IOS-XE 17.12.x onward, Cisco supports it using a single profile and a single SSID. Refer to the WPA3 deployment guide below:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html
"Starting 17.12.1, this can be used with 1 SSID and 1 Profile and support 6GHz band"
"To support these deployments, the recommendation in pre-17.12.1 SW versions were to use WPA2+WPA3 transition mode with same WLAN with different profiles to support both legacy and latest 6GHz clients. The challenge with this design is roaming. The roaming between bands in this configuration is not supported and it is full roam always which is not preferred.
Starting from 17.12.1, we are supporting transition mode with pure WPA3 for 6GHz band, which allows users to enable WPA2+WPA3 in the same WLAN with 6GHz. This mode eliminates the need to create two different profiles to accommodate legacy and latest 6GHz devices. In this mode, WPA2+WPA3 transition mode can be used in 2.4GHz/5GHz and only WPA3 relevant configs will be pushed on the 6GHz band when wlan has both WPA2 and WPA3 configs"
The specific configuration can be found in the same document:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html#WPA2WPA3Enterprisetransitionmodewith6GHzGUIConfiguration
HTH
Rasika
*** Pls rate all useful responses ***
12-07-2023 07:44 AM
Yes, that is something you can do, but whenever a device that supports the 3 bands connects to either AP and moves to another area, it will decide which band to connect to, so expect uncontrolled disconnections.
Try to configure WPA3 AES-CCMP128 with both SHA1 and SHA256 and PMF optional; that should be allowed by AC8265 adapters as far as I remember. BUT don't set up WPA3 on the Windows side, but WPA2-Enterprise. Basically WPA2 with those options and WPA3 are the same suites, but in the latter case with all of them (CCMP128, SHA256 and PMF) mandatory.
12-08-2023 05:59 AM
And remember the Intel drivers must be up to date.
You may also want to have a read through https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html
01-18-2024 09:44 AM
Watch out for https://quickview.cloudapps.cisco.com/quickview/bug/CSCwh49406 though; it's still affecting 17.12.2. I too want the feature to have WPA2/3 transition mode on a single WLAN profile, but this bug is worse than it seems because I got my syslog server spammed with 700 Mbps of AP junk, and you'd think that you could unconfigure a syslog target for the APs, but the default on the 9800 is to use the broadcast address for syslog (which is a bad default; it should just disable syslog on APs), so then you're DDoSing your site with broadcast syslog traffic. You'd also think you could change the syslog filter level, but this bypasses the syslog filter. Disabling CleanAir on 2.4GHz and rebooting affected APs works around it (in my case it was just the 9130s, as the bug indicates), but then I have no CleanAir on 2.4GHz, which is annoying.
Supposedly an APSP is being released soon for 17.12.2, but I've yet to see it, and maybe it will just be fixed in 17.12.3 instead. Anyway, wow, this is a very annoying bug.
12-09-2023 07:28 PM
Not a good idea to use the same name; create a different SSID. Maybe use the number "6" in the new SSID, so people know that if they have compatible devices they should connect to the one ending with "6", at least until all your devices are 6GHz compatible. One of my customers tried that, and it was not a pleasant experience for their help desk.
12-09-2023 08:23 PM
WPA3 can be backward compatible with WPA2.
But
Mentioned below:
Wi-Fi 6E uplevels security with Wi-Fi Protected Access 3 (WPA3) and Opportunistic Wireless Encryption (OWE) and there is no backward compatibility with Open and WPA2 security.
So your only option is to try two SSIDs (two WLANs: one WPA2 and the other WPA3 6GHz) with one VLAN.
MHM
12-10-2023 01:30 PM
I think there are multiple ways to achieve this, but it comes down to what works well for you. What I have done, so I can have telemetry on the migration to WPA3, is to create a new SSID, since it's 6GHz only, and keep the existing one as is. GPO would be updated to add the WPA3/6GHz SSID as the primary. Your AD has to be up to date to have the WPA3 option. Depending on how your end devices are set up in AD/Intune, as an example, you might be able to have separate GPOs for newer devices versus existing ones, which helps, as you really don't want to push both SSIDs, since that can cause issues also, but you would need to test that out.
12-10-2023 11:20 PM
What I'm doing to move forward to WPA3-only is to create a WLAN profile using WPA3-Transition mode and only publishing it on 5 GHz (I'm not a friend of using the 2.4 GHz band for corporate devices, as users complain about performance a lot).
I will have this setup for the next 10 months and will monitor connected clients looking for non-SHA256 clients connected (those that do not support the WPA3 AKM) with this command:
show wireless client summary detail | exc SHA256
In parallel, using a Python script, I'm checking the security features in use by all connected clients to validate that they are connecting using SHA256 and PMF.
What we are looking for are those laptops that do not support it, to replace them (because they have a legacy wireless adapter not supporting it) or fix them (because of an outdated driver).
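As an added illustration of the telemetry idea in this post (this is not the poster's script and not Cisco's code), the following Python example classifies a client inventory by negotiated AKM and PMF state so the legacy adapters can be listed for replacement or a driver update. The tabular layout, MAC addresses and AP names are constructed for the example and do not reproduce real Catalyst 9800 CLI output; a real deployment would feed the parser with the controller's actual per-client output.

```python
import re

# Constructed sample inventory: the column layout, MAC addresses and AP names
# are invented for this example and do NOT mirror real Catalyst 9800 CLI output.
SAMPLE_CLIENTS = """\
MAC Address       AP Name        WLAN  Auth Method      PMF  Band
a4c3.f0aa.0001    AP-FLOOR1-01   corp  802.1x-SHA256    Yes  5GHz
a4c3.f0aa.0002    AP-FLOOR1-02   corp  802.1x           No   5GHz
a4c3.f0aa.0003    AP-FLOOR2-01   corp  802.1x-SHA256    Yes  6GHz
a4c3.f0aa.0004    AP-FLOOR2-01   corp  802.1x-SHA256    No   2.4GHz
"""

FIELDS = ("mac", "ap", "wlan", "akm", "pmf", "band")

# AKMs whose key derivation is SHA256-based, i.e. what a WPA3-capable client negotiates.
SHA256_AKMS = {"802.1X-SHA256", "FT-802.1X-SHA256", "SAE", "FT-SAE", "OWE"}


def parse_clients(text):
    """Turn the tabular text into one dict per client row (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())  # columns are separated by 2+ spaces
        rows.append(dict(zip(FIELDS, cols)))
    return rows


def assess(client):
    """Return the reasons a client is not ready for WPA3-only; an empty list means ready."""
    reasons = []
    if client["akm"].upper() not in SHA256_AKMS:
        reasons.append("AKM %s is not a SHA256 variant" % client["akm"])
    if client["pmf"].lower() != "yes":
        reasons.append("PMF not negotiated")
    return reasons


def migration_report(text):
    """Split clients into WPA3-ready MACs and a map of legacy MAC -> reasons."""
    ready, legacy = [], {}
    for client in parse_clients(text):
        reasons = assess(client)
        if reasons:
            legacy[client["mac"]] = reasons  # candidate for driver update or replacement
        else:
            ready.append(client["mac"])
    return ready, legacy
```

A client that negotiates a SHA256 AKM but no PMF (the fourth sample row) is reported separately from one still on plain 802.1x, since the former usually points at a driver or supplicant setting rather than an adapter that must be replaced.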
12-11-2023 01:46 AM
Thanks everyone for the useful input. @Rasika Nayanajith suggestion of using 17.12.x (which I see supports our 2700 series APs) looks like the best option.