Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10776
Views
25
Helpful
10
Replies

iPSK without Radius not compatible with 6ghz?

Go to solution
nerdherd
Community Member

‎01-05-2023 09:32 AM

Hi All, finally got some MR57s for testing.

Unfortunately I missed the memo (and still cant find it)...Apparently iPSK without radius is not compatible with 6 ghz?

Regular PSK doesnt give any issue, but iPSK says "This SSID will not be broadcast on the 6 GHz band. Use OWE to enable this band." (WPA3 is also not available as an option when iPSK selected)

Seems weird since I thought iPSK from a client perspective is just PSK.

Is this a limitation right now because it's still in development? or is iPSK never going to work with 6ghz?

I cant find any documentation that says either way

Thanks for any help!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-05-2023 02:40 PM

The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) can not work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

10 Replies 10

Go to solution
Nolan H.
Level 11
Level 11

‎01-05-2023 09:49 AM

I can't speak for Meraki, but 6GHz (Wi-Fi 6E) requires WPA3 or better. Meraki's current implementation of iPSK does not support WPA3, so that is why you are running into that.

Go to solution
Philip D'Ath
Meraki Community All-Star
Meraki Community All-Star

‎01-05-2023 11:56 AM

I've had terrible compatibility issues with clients when using WPA3 (last tested about a month ago). IMHO, WPA3 is not ready for production deployment.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-05-2023 02:40 PM

The way the actual WPA3-SAE implementation is done, MPSK (or iPSK without RADIUS) can not work. The AP had to try multiple PSKs until the right one is matched. But this was prohibited by design in WPA3. On each connect, only one PSK can be checked. iPSK with RADIUS could work, but probably needs to be implemented.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
nerdherd
Community Member
In response to Karsten Iwen

‎01-11-2023 05:31 AM

Thank you! Didnt know that's how iPSK worked under the hood.

0 Helpful

Go to solution
EthanIsenberg75263
Frequent Visitor
Frequent Visitor
In response to Karsten Iwen

‎03-12-2024 12:58 PM

Are you saying that IPSK without RADIUS will never be able to support WPA3 ?

0 Helpful

Go to solution
Philip D'Ath
Meraki Community All-Star
Meraki Community All-Star
In response to EthanIsenberg75263

‎03-12-2024 01:05 PM

@Karsten Iwen is right (iPSK with WPA3 can not work - any vendor - fundamental WPA3 design decision).

This is more @Karsten Iwen's area than mine, but I am sceptical that iPSK with RADIUS can be made to work with WPA3 - for the same reason.

Go to solution
Karsten Iwen
VIP
VIP
In response to EthanIsenberg75263

‎03-12-2024 01:57 PM

Let's get a little deeper:

image.jpeg

This is the Authentication step before the association. In message 1, the client starts the authentication by sending cryptographic material based on the passphrase.

The AP sends back its cryptographic material, which is also based on the passphrase. At this step, the AP needs to know the passphrase. For iPSK with RADIUS, the AP could have queried the RADIUS server after the client's message, as the client MAC is known after this first packet.

But without RADIUS, the AP only has a list of possible passphrases and must choose one. The AP doesn't know which, so this will never work.

The following is what is done with WPA2 and iPSK without RADIUS. Basically the AP does a dictionary attack on the PSK based on a small list of possible passphrases:

image.jpeg

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
Thomas Obbekaer Thomsen
Level 10
Level 10

‎12-13-2023 05:38 AM

Perhaps somewhat off-topic. Do anyone know if Meraki will support WPA3 iPSK with Radius ?

Its possible to do on the 9800 WLC, as far as I can tell.

Go to solution
Karsten Iwen
VIP
VIP
In response to Thomas Obbekaer Thomsen

‎12-13-2023 06:11 AM

As of 30.5 it is not available. I also hope for this feature.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Go to solution
tyshawn76
Level 7
Level 7
In response to Thomas Obbekaer Thomsen

‎03-14-2024 03:43 PM

This needs to be an option at some point.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card