
Windows 10/11 older security standard with WPA3 on 9800-CL

Bradley Fox

Hardware:

WLC 9800-CL on Hyper-V - 17.9.3 Cupertino

c9210i AP

I'm trying to set up an SSID with WPA3 Personal security only, but I'm running into a weird issue with both Windows 10 and Windows 11 (my Pixel5 doesn't seem to care).

If I configure the SSID with WPA3, SAE, AES, Windows complains that I'm using an older security standard and I can't even get connected to the WiFi.

If I add WPA2, PSK, AES the security warning goes away but I get a generic "cannot connect to wifi" message.

If I set the security to WPA2, PSK, AES only with no WPA3 option, the security warning is gone, and I can successfully connect.

Does anyone have any idea what's going on here?

6 Replies

I would check the driver version of those Windows machines ("netsh wlan show driver" in the command prompt). Then upgrade your Intel driver to the latest.

What you have to configure is WPA3 Transition mode (WPA2 + WPA3) on the same SSID. Read the post below for more details:
https://mrncciew.com/2019/11/29/wpa3-sae-transition-mode/

HTH
Rasika
*** Pls rate all useful responses ***

Thanks but the drivers are already at the latest version and this is happening on 3 separate Windows machines with both Broadcom and Intel NICs.

My goal isn't to configure SAE transition with WPA2 + WPA3, I want SAE with WPA3 only.

Rich R

If you're sure the drivers are 100% up to date https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html then presume Windows is also fully updated?  WPA3 support in Windows 10 was only introduced from 2004 version.
See https://support.microsoft.com/en-us/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09#WindowsVersion=Windows_10

You can also use netsh wlan sh networks mode="bssid" to see what Windows is seeing.  Note the list of SSIDs only gets populated when you browse the WiFi networks on the GUI so run that straight after trying to join when it's just been refreshed.

This is happening in Windows 11 22H2 as well.  When I show the wlans from netsh it's showing my network as static WEP open which makes no sense because I have it configured for WPA3 CCMP SAE+FT (also tried disabling fast transition).  Any idea what's going on here?

I have a lot of experience with the 9800-40 in an enterprise environment, but I'm not 100% sure I'm setting up the WPA3-Personal security correctly or if I'm running into some type of bug.

 

And what does "show wireless client mac <mac> detail" show for the same client at the same time on the WLC?

Might be better to see the WLAN and policy profile config from CLI rather than screen-shots.
Also "show wlan summ" and "show wlan id <wlan id>"

I am running into an almost identical issue:

  1. 9800-CL on ESXi 17.9.4
  2. WPA3 Personal
    1. FT Enabled, WPA3 only, PMF Required, FT+SAE
  3. Intel AX210 NIC with latest drivers

Windows 11 showing Open/WEP on the SSID.  It does seem FT-related.  After experimenting with a few knobs, it seems Win11 only would see it as WPA3 and connect if I also enabled SAE (No-FT).

So keep FT Enabled, but check SAE and FT-SAE.
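
To confirm what the AP is actually advertising, independent of how a client labels the network, the RSN element from a beacon or probe-response capture can be decoded directly. The sketch below is an added example, not part of any post in this thread; the sample bytes are constructed rather than captured, and the AKM types used (8 = SAE, 9 = FT-SAE) are the standard IEEE 802.11 suite selectors.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 4: "FT-PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def _suite(raw, names):
    """Name one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] != IEEE_OUI:
        return f"vendor-{raw.hex()}"
    return names.get(raw[3], f"unknown-{raw[3]}")

def _suite_list(body, off, names):
    """Read a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    return [_suite(body[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn(element):
    """Decode an RSN element (ID 48) taken from a beacon or probe response."""
    if len(element) < 8 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": _suite(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm,
            "pmf_required": bool(caps & 0x0040), "pmf_capable": bool(caps & 0x0080)}

def summarize(rsn):
    """Return (mode, ft_sae_only) for the advertised AKM set."""
    akm = set(rsn["akm"])
    sae = akm & {"SAE", "FT-SAE"}
    mode = "WPA3-only" if sae and akm == sae else "transition" if sae else "no SAE"
    return mode, akm == {"FT-SAE"}

# Constructed sample elements (not captured from the devices in this thread).
FT_SAE_ONLY = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac09 c000")
SAE_AND_FT = bytes.fromhex("30 18 0100 000fac04 0100 000fac04 0200 000fac08 000fac09 c000")

if __name__ == "__main__":
    for name, ie in (("FT-SAE only", FT_SAE_ONLY), ("SAE + FT-SAE", SAE_AND_FT)):
        rsn = parse_rsn(ie)
        print(name, rsn["akm"], "PMF required:", rsn["pmf_required"], summarize(rsn))
```

Both samples are WPA3-only with PMF required; the second adds the plain SAE AKM alongside FT-SAE, which is the combination the last reply reports Windows 11 connecting to.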

 

 
