
WPA3-Enterprise in GPO

Hello,

I am trying to set up a new SSID to use WPA3-Enterprise. The issue is that when I use Microsoft GPO, it only gives me the option for WPA3-Enterprise 192-bit. That forces me to set up the new SSID with WPA3-Enterprise (GCMP256), and I need to use AES-CCMP128 for older devices. Does anyone have any suggestions or recommendations?

Accepted Solution

JPavonM (VIP)

I've been creating an internal wireless security document for my company during the last 2 months and I've been reading a lot about limitations, supported and unsupported features on multiple platforms, especially on Windows, and your guess is true (https://support.microsoft.com/en-us/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09#WindowsVersion=Windows_10), since Windows 11 22H2 only supports WPA3-Enterprise wireless profile creation, in the same way that there is no option to create any WPA3-Enterprise profile for Windows 10 22H2 as it always returns an error, even when those are completely supported by both OSes according to MS.

However, if you configure a WPA2-Enterprise profile in Win10/Win11 but then configure WPA3-Enterprise strict in the WLAN infrastructure, using AES-CCMP128 and the SHA256 AKM with PMF required, they connect properly with such features as they are also supported under the WPA2 suite, so in reality making your device use WPA3-Enterprise.

This seems to be a defect in both Win10/Win11 in the options they show in the frontend versus the features they support in the backend, or maybe an intentional move from MS to force users to upgrade from Win10 to Win11, as the latter is shown to the user as more secure using WPA3. Let's see if MS fixes this in future releases (by the way, Win11 23H2 still has the same issue of not showing WPA3-Ent with 128 bit).

By the way, Windows 11 has also added support for TLS 1.3 on EAP-TLS authentication (https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes), but the only way to provide that is deploying MS NPS on Windows Server 2022, which supports TLS 1.3 (https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).

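One way to verify the WLAN side of the workaround above from a packet capture, added here as an example that is not part of the thread: decode the RSN information element the AP advertises in its beacons and check that it carries CCMP-128, the 802.1X-SHA256 AKM and PMF required. The RSN body below is constructed for the example; suite selectors and capability bits follow IEEE 802.11.

```python
# Added example (not from the thread): parse an RSN IE body (IEEE 802.11 element ID 48,
# bytes after the ID and length octets) and name the enterprise mode it advertises.
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 standard suite-selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SHA384", 18: "OWE"}

def _suite(buf: bytes, off: int, table: dict) -> str:
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type) at buf[off]."""
    oui, typ = buf[off:off + 3], buf[off + 3]
    if oui != OUI:
        return f"vendor:{oui.hex()}:{typ}"
    return table.get(typ, f"unknown:{typ}")

def parse_rsn(ie: bytes) -> dict:
    """Return group/pairwise ciphers, AKM list and the MFPC/MFPR capability bits."""
    version, = struct.unpack_from("<H", ie, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(ie, 2, CIPHERS)
    off = 6
    n, = struct.unpack_from("<H", ie, off); off += 2
    pairwise = [_suite(ie, off + 4 * i, CIPHERS) for i in range(n)]; off += 4 * n
    n, = struct.unpack_from("<H", ie, off); off += 2
    akms = [_suite(ie, off + 4 * i, AKMS) for i in range(n)]; off += 4 * n
    caps, = struct.unpack_from("<H", ie, off)  # bit 6 = MFPR, bit 7 = MFPC
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfp_required": bool(caps & 0x40), "mfp_capable": bool(caps & 0x80)}

def classify(rsn: dict) -> str:
    """Name the enterprise mode using the criteria the thread describes."""
    if rsn["pairwise"] == ["GCMP-256"] and rsn["akm"] == ["802.1X-SHA384"]:
        return "WPA3-Enterprise 192-bit"
    if rsn["pairwise"] == ["CCMP-128"] and rsn["akm"] == ["802.1X-SHA256"] and rsn["mfp_required"]:
        return "WPA3-Enterprise (CCMP-128, PMF required)"
    if "802.1X" in rsn["akm"] and "802.1X-SHA256" in rsn["akm"] and rsn["mfp_capable"]:
        return "WPA2/WPA3-Enterprise transition"
    if rsn["akm"] == ["802.1X"]:
        return "WPA2-Enterprise"
    return "other"

# Constructed sample RSN body: version 1, group CCMP-128, one pairwise CCMP-128,
# one AKM 802.1X-SHA256, capabilities 0x00C0 (MFPC | MFPR): the strict WLAN-side config.
STRICT_WPA3_ENT = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac05 c000")

if __name__ == "__main__":
    print(classify(parse_rsn(STRICT_WPA3_ENT)))
```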

2 Replies

Leo Laohoo (Hall of Fame)

Please read this: Cisco Secure Client 5.1.0.136 New Features

  • Network Access Manager added support for WPA3 802.11 CCMP128 encryption and Protected Management Frames (PMF). However, WPA3 will not work until Microsoft releases a fix that relates to Integrity Group Temporal Key generation. The fix is not available in a production environment, but we anticipate the fix in an upcoming Windows 11 release and Windows 10 22H2 update. While PMF can be used in WPA2, it is required for WPA3 Enterprise. If you have a WPA2 network with PMF required or optional, your connection to Secure Client 5.1.0.136 will fail until the Microsoft fix.

