Implementing Effective Security on SSIDs Across All Bands
We’re at a point where Wi-Fi 6E and Wi-Fi 7 offer significant advantages due to the inclusion of the 6GHz band. You get more spectrum, less interference, and higher performance than ever before. But, there’s a security-related caveat that everyone should be aware of before making the move. You must use WPA3, specifically in Strict mode, for any device that operates in the 6GHz band.
This highlights a key consideration for network IT teams: ensuring connectivity and security consistency across all bands (2.4GHz, 5GHz, and 6GHz). There are important nuances that could lead to connectivity issues for users, which should be avoided.
Let’s delve in and look at the challenges you may encounter across legacy bands with the use of WPA3 Strict mode in the 6GHz band.
WPA3 in Strict Mode
Implementing WPA3 Strict mode is required when enabling the 6GHz band to mitigate vulnerabilities like brute-force attacks and prevent unauthorized access. WPA3 is designed to provide stronger encryption and more robust security compared to WPA2. However, with WPA3 in Strict mode, note that there is no backward compatibility with devices that only support WPA2.
Let’s look at challenges with WPA3 when the 2.4GHz and 5GHz legacy bands are also being used. Although WPA3 Strict mode for 6GHz is mandated, your 2.4GHz and 5GHz bands may still see a mixture of endpoint devices, some of which may only support WPA2. This creates a problem when maintaining a uniform security approach across all bands.
If you enforce WPA3 Strict mode across the legacy bands, older WPA2-compatible devices will be unable to connect. This will potentially disrupt service for users with these devices and will cause help desk tickets that you obviously want to avoid. Conversely, by allowing WPA2 on the 2.4GHz and 5GHz bands, you risk introducing weaker security and potential vulnerabilities. You’re going to need a plan.
Strategies for Maintaining Uniform Security
Let’s look at your options as you transition to Wi-Fi 6E or Wi-Fi 7, with 6GHz enabled. Each option comes with its own pros and cons. Again, the goal is to try and maintain a consistent security posture across all bands.
1. Dual SSID Approach: You have the option to create two SSIDs.
- The first (SSID-1) can be dedicated to WPA3-only devices (including the 6GHz band).
- The second (SSID-2) can support WPA2 and legacy devices on the 2.4GHz and 5GHz bands. This allows the older devices that only support WPA2 to connect to the WPA2-based SSID and the 2.4GHz and 5GHz bands.
If users have Tri-band or even Dual-band capable devices that support WPA3, they can connect to SSID-1 on the 2.4GHz, 5GHz or 6GHz bands.
- Pros: This approach allows you to maintain strong security where possible while providing backward compatibility where necessary.
- Cons: IT administrators must maintain two profiles for devices which may not be a desirable situation. Maintaining two SSIDs adds to IT overhead while also confusing users, especially the people with newer devices that support 6GHz. Having too many SSIDs also goes against WLAN best practices, as the idea is to keep SSIDs to a minimum to optimize channel utilization.
This option is not typically adopted due to these downsides.
2. One SSID with Transition Mode: Another option is to utilize WPA3 in Transition mode for the 2.4GHz and 5GHz bands. Transition mode allows WPA3-capable devices and older WPA2-capable devices to connect to the same SSID. While the same SSID will support WPA3 Strict mode for the 6GHz devices, this compromise does not offer the full benefits of WPA3 Strict mode across all bands, especially in environments where maximum security is required.
Transition mode is realistically limited to PSK-based SSIDs if the goal is to maintain a single SSID across bands. It cannot be used with Enterprise-based SSIDs. The reasons for this are explained in the sections below.
PSK-based SSID: If using PSK on an SSID, you have a better chance of successfully deploying one SSID across all three bands: SSID-1 can be deployed using WPA3 PSK in Transition mode on the 2.4GHz and 5GHz bands, while the same SSID also supports the 6GHz band using WPA3 PSK Strict mode.
This works well for environments that currently use PSK-based SSIDs and want to transition to 6GHz on Wi-Fi 6E or Wi-Fi 7 networks. The 6GHz-capable devices can connect to SSID-1 on this band, or if the device determines that the signal of 2.4GHz or 5GHz bands is better they can connect as WPA3 devices as needed.
- Pros: With a uniform model across bands using PSK described above, all devices can potentially use a single SSID. This eliminates using multiple SSIDs outlined previously in “Option 1”.
- Cons: Using a WPA3 SSID in Transition mode for the legacy bands may cause some interoperability issues when older devices try to connect. This is based on some problematic devices we’ve seen on existing Nile deployments; for example, older Windows laptops with 802.11ac Wi-Fi that could not connect to the WPA3 PSK SSID in Transition mode.
This typically happens when an SSID is set up to support WPA2 as well as WPA3. The issue is due to the SSID advertising additional elements in its beacons, and probe responses. Older devices have a hard time parsing the additional elements which results in not attempting to connect to these SSIDs.
Any vendor’s access points will have this problem. However, with a PSK SSID, there is a better chance of achieving single SSID uniformity across bands as endpoint device drivers are upgraded or customer environments see a newer mix of endpoint devices. As this happens, interoperability issues should dwindle.
PSK Authentication Tech Tip
Transition mode on legacy bands to accommodate older devices
- Wi-Fi 6E mandates WPA3 Strict Mode for the 6GHz band
- 2.4 & 5GHz must use WPA3 Transition Mode (works with older WPA2 standard)
- Older devices often have interoperability problems
It’s best to wait on Wi-Fi 6E or 7 until most devices support WPA3 Strict
Enterprise-based SSID: If using the Enterprise security op-mode, it is harder to maintain a single SSID across bands to ensure smooth connectivity. To better understand this section, I’ll explain Authentication and Key Management (AKM) and what its effects are.
In Wi-Fi, the term AKM refers to the method used by the network to authenticate clients and manage cryptographic keys for secure communication. AKM is a critical part of the security suite used in Wi-Fi networks, and it is advertised in the SSID beacon to inform clients of the security protocols supported by the access points (APs).
Again, the AKM information is part of the security capabilities field in the SSID beacon frame, which the APs periodically broadcast. When an endpoint device scans for available networks, it examines the beacon frames to determine which networks it can connect to and chooses based on the supported AKM method.
For example, if a network supports WPA3-Enterprise, the AKM field in the beacon frame will indicate this, and only clients that support WPA3 will be able to connect using that protocol. If a network supports multiple AKM suites (e.g., WPA2-Enterprise and WPA3-Enterprise), the beacon will advertise both supported methods, giving the client a choice based on its capabilities.
Examining SSID string names
Just because the SSID ‘string’ (name) looks the same across bands, it doesn’t mean the SSID will be seen as the ‘same SSID’ by endpoint devices. Again, what is advertised within the SSID beacon is what determines the uniqueness of an SSID.
So, unlike the PSK-based SSID, if you want to maintain a uniform SSID across bands for WPA3-Enterprise, the outcome will not be the same.
If SSID-1 is set up with WPA3-Enterprise and Transition mode on the legacy bands, and SSID-1 also uses WPA3-Enterprise Strict on the 6GHz band – you just created two ‘unique looking’ SSIDs. One is seen on the 2.4GHz and 5GHz bands and another is seen on the 6GHz band. This is because of how AKM works.
Hence a Tri-band capable device will end up seeing the same SSID on legacy bands as a ‘different/separate’ SSID from its 6GHz counterpart. Keeping the SSID ‘name’ uniform across bands doesn’t mean the end devices see it that way.
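The two preceding sections describe what a client actually reads from a beacon: the RSN information element carrying the cipher suites, the AKM suite list and the Management Frame Protection (PMF) bits. The following is an added example, not code from the original post or from Nile, that builds constructed RSN elements for the SSID-1 scenarios above, decodes them the way a client would, and shows that the legacy-band and 6GHz beacons advertise different AKM sets even though the SSID string is identical. It assumes the common mapping of WPA3-Personal to the SAE AKM (00-0F-AC:8) and WPA3-Enterprise to the 802.1X-SHA256 AKM (00-0F-AC:5); the `classify`, `eligible_for_6ghz` and `wpa2_only_client_can_join` helpers are simplified models written for this example, and the beacon bytes are constructed, not captured.

```python
import struct

# Suite selectors are the IEEE OUI 00-0F-AC followed by a one-byte suite type.
OUI_IEEE = b"\x00\x0f\xac"
RSN_ELEMENT_ID = 48

# AKM suite types (IEEE 802.11): 1 = 802.1X, 2 = PSK, 5 = 802.1X-SHA256,
# 8 = SAE, 9 = FT-SAE, 12 = 802.1X-SHA384. The grouping below is this
# example's assumption about which AKMs are "WPA2-era" vs "WPA3".
LEGACY_AKMS = {1, 2}
WPA3_AKMS = {5, 8, 9, 12}
CIPHER_TKIP = 2
MFPR_BIT = 1 << 6  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC_BIT = 1 << 7  # RSN Capabilities bit 7: Management Frame Protection Capable


def build_rsne(akms, pairwise=(4,), group=4, mfpc=True, mfpr=False):
    """Constructed helper: serialize an RSN element the way an AP beacons it."""
    body = struct.pack("<H", 1)                                # RSN version 1
    body += OUI_IEEE + bytes([group])                          # group data cipher
    body += struct.pack("<H", len(pairwise))
    body += b"".join(OUI_IEEE + bytes([c]) for c in pairwise)  # pairwise ciphers
    body += struct.pack("<H", len(akms))
    body += b"".join(OUI_IEEE + bytes([a]) for a in akms)      # AKM suite list
    body += struct.pack("<H", (MFPC_BIT if mfpc else 0) | (MFPR_BIT if mfpr else 0))
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def _suite(body, off):
    sel = body[off:off + 4]
    if len(sel) != 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != OUI_IEEE:
        raise ValueError("vendor-specific suite selector not handled here")
    return sel[3]


def _suite_list(body, off):
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    return [_suite(body, off + 4 * i) for i in range(count)], off + 4 * count


def parse_rsne(ie):
    """Decode the fields a client inspects: ciphers, AKM suites and the PMF bits."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite(body, 2)
    pairwise, off = _suite_list(body, 6)
    akms, off = _suite_list(body, off)
    (caps,) = struct.unpack_from("<H", body, off)
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}


def classify(rsn):
    """Name the operating mode implied by the AKM set and the PMF bits."""
    akms = set(rsn["akms"])
    legacy, wpa3 = akms & LEGACY_AKMS, akms & WPA3_AKMS
    if wpa3 and not legacy and rsn["mfpr"]:
        return "WPA3 strict"
    if wpa3 and legacy and rsn["mfpc"] and not rsn["mfpr"]:
        return "WPA3 transition"
    if legacy and not wpa3:
        return "WPA2 only"
    return "non-standard mix"


def eligible_for_6ghz(rsn):
    """6GHz rules: PMF required, no WPA2-era AKMs, no TKIP."""
    akms = set(rsn["akms"])
    return rsn["mfpr"] and not (akms & LEGACY_AKMS) and CIPHER_TKIP not in rsn["pairwise"]


def wpa2_only_client_can_join(rsn):
    """Model (assumption) of a client that knows only AKM 1/2 and cannot do PMF."""
    return bool(set(rsn["akms"]) & LEGACY_AKMS) and not rsn["mfpr"]


def same_advertised_security(rsn_a, rsn_b):
    """Two BSSs advertise the same security only if their AKM sets and PMF bits agree."""
    return set(rsn_a["akms"]) == set(rsn_b["akms"]) and rsn_a["mfpr"] == rsn_b["mfpr"]


# Constructed beacons for SSID-1 in the scenarios discussed in the text.
BEACONS = {
    "psk-legacy-transition": build_rsne(akms=(2, 8)),
    "psk-6ghz-strict": build_rsne(akms=(8,), mfpr=True),
    "ent-legacy-transition": build_rsne(akms=(1, 5)),
    "ent-6ghz-strict": build_rsne(akms=(5,), mfpr=True),
    "wpa2-only-tkip-mix": build_rsne(akms=(2,), pairwise=(2, 4), group=2, mfpc=False),
}


def report():
    """Mode, 6GHz eligibility and WPA2-only-client reachability for each beacon."""
    out = {}
    for name, ie in BEACONS.items():
        rsn = parse_rsne(ie)
        out[name] = (classify(rsn), eligible_for_6ghz(rsn), wpa2_only_client_can_join(rsn))
    return out


if __name__ == "__main__":
    for name, (mode, ok6, wpa2ok) in report().items():
        print(f"{name:24s} {mode:16s} 6GHz-eligible={ok6!s:5s} WPA2-only client joins={wpa2ok}")
    legacy = parse_rsne(BEACONS["ent-legacy-transition"])
    sixg = parse_rsne(BEACONS["ent-6ghz-strict"])
    print("SSID-1 advertised identically on legacy and 6GHz:", same_advertised_security(legacy, sixg))
```

Running it shows the point the text makes: the Transition-mode beacon on 2.4GHz/5GHz carries two AKMs with PMF optional, while the 6GHz beacon carries one AKM with PMF required, so `same_advertised_security` is false for SSID-1 across band groups even though the name never changed. The example only shows what the beacons advertise; how a given client operating system decides to merge or separate those two BSSs in its network list is client behaviour, which is why the text reports different outcomes for PSK and Enterprise SSIDs.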
Understanding Tri-band device-capable issues
You will not see issues with legacy Dual-band 2.4GHz and 5GHz WPA2-capable devices as they’ll only see SSID-1 as a WPA2 Enterprise connection. Legacy-band WPA3-capable devices will see SSID-1 as WPA3 Enterprise capable and connect accordingly.
As noted above, the issue with Tri-band Wi-Fi 6E and Wi-Fi 7 capable devices is that when they scan for SSIDs across bands, they will detect SSID-1 on 2.4GHz and 5GHz as WPA3 Enterprise Transition capable. But, on the 6GHz band, SSID-1 will be seen as a totally separate and unique SSID.
Users will typically see the one SSID listed separately in their WLAN settings dropdown or listed on their devices as SSID-1 and SSID-1(1) with both providing unique capabilities. Again, the AKM advertisements play an important role in defining the uniqueness of the SSID, while the name of the SSID is just a string.
Enterprise Authentication Tech Tip
Transition mode is not realistic
- Requires different SSID names for 6 vs 2.4/5 bands
- If the same SSID is used across all bands, devices see the 6 GHz SSID “differently” than 2.4/5.
- 2.4/5 devices use different Auth key mgmt. (AKM) for WPA transition vs. 6 GHz devices with WPA3 Strict
- Causes poor or suboptimal roaming if devices try to move across bands
It’s best to wait on Wi-Fi 6E or 7 until all endpoints support WPA3 Strict
The Implications
In the scenario above, Tri-band capable devices can get confused. This is especially concerning if they have to switch between bands for whatever reason, as it can turn into a terrible roaming experience. If a Tri-band capable device started its connection on a 2.4GHz or 5GHz WPA3 Enterprise SSID and now has to switch to the 6GHz equivalent SSID it will be a complete disconnect and reconnect.
This is very troublesome when running ‘eduroam’ on university and college campuses. This is due to an eduroam SSID using Enterprise security op-mode. If a school wants to offer an eduroam SSID on the 6GHz band, while also wanting to accommodate for possible older devices capable of only WPA2 in legacy bands, it will look like two unique Enterprise SSIDs if it is approached in the way it was described above.
It is important to set expectations on ‘inter-band’ roaming when going from a legacy band to 6GHz or vice versa, and how it will not be a seamless experience. As long as the device roams within the same band group where it started its connection, seamless roaming should work based on the roaming mechanism in place from the access point and device side.
If customers choose to run WPA3 Enterprise for all three bands, the dual SSID strategy may have to be adopted. Keep in mind that there are the drawbacks and overhead previously outlined with running two separate SSIDs.
Choosing the Path Forward
Having explained your options, my intent is to make you aware of the security implications you may encounter when adopting modern Wi-Fi standards. Another thing that I’d like to point out is that network admins should leverage analytics to check whether their environments are primarily seeing WPA3-capable devices or older ones. If you do see a majority of WPA3-capable devices, you should be able to successfully adopt a 6GHz band refresh strategy.
As more devices become 6GHz capable and support WPA3, it’ll be easier to enjoy the benefits of WPA3 robust security. Again, if you can’t wait, here are some tips to consider when rolling out 6GHz and WPA3:
- Over time, consider phasing out or upgrading legacy devices that do not support WPA3. While this might be a longer-term strategy, it is the most effective way to ensure uniform security across all bands.
- Before rolling out WPA3 Strict mode, conduct thorough testing to find any legacy devices that might be impacted. This testing should include all device types that regularly connect to the network – IoT and user-carried devices.
- Users should be informed about the changes, especially if they have older devices that may no longer connect. Providing guidance on how to upgrade or why they have to replace these devices can ease the transition.
- After implementation, continuously monitor the network for any issues related to device connectivity or security. Be prepared to adjust your strategy based on real-world performance and user feedback.
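The analytics check recommended above, and the pre-rollout test for impacted legacy devices, can be done from association records most WLAN controllers export. The following is an added example, not code from the original post or from Nile’s platform, that works over a constructed set of association records: it credits each client with the strongest AKM it has ever used (a device that associated with SAE on one band and PSK on another is still WPA3-capable), summarises readiness per band, and lists the clients that would stop connecting under WPA3 Strict mode. The record layout, the AKM labels and the 80% readiness threshold are assumptions made for this example.

```python
from collections import defaultdict

# Constructed association records (not real client data): one row per
# association, shaped like a controller or analytics CSV export might be.
ASSOCIATIONS = [
    {"client": "client-01", "band": "5GHz",   "akm": "SAE", "device": "laptop"},
    {"client": "client-02", "band": "2.4GHz", "akm": "PSK", "device": "printer"},
    {"client": "client-03", "band": "6GHz",   "akm": "SAE", "device": "phone"},
    {"client": "client-04", "band": "5GHz",   "akm": "PSK", "device": "thermostat"},
    {"client": "client-01", "band": "6GHz",   "akm": "SAE", "device": "laptop"},
    {"client": "client-05", "band": "2.4GHz", "akm": "SAE", "device": "phone"},
    {"client": "client-06", "band": "5GHz",   "akm": "PSK", "device": "laptop"},
]

# AKM labels this example treats as WPA3 (assumption about the export's naming).
WPA3_AKMS = {"SAE", "FT-SAE", "802.1X-SHA256"}


def readiness(associations, threshold=0.8):
    """Summarise WPA3 readiness per band and list clients that Strict mode would cut off."""
    best = {}  # client -> (wpa3_capable, device, bands seen)
    for a in associations:
        cap, dev, bands = best.get(a["client"], (False, a["device"], set()))
        best[a["client"]] = (cap or a["akm"] in WPA3_AKMS, dev, bands | {a["band"]})

    by_band = defaultdict(lambda: {"wpa3": 0, "wpa2_only": 0})
    for cap, _, bands in best.values():
        for band in bands:
            by_band[band]["wpa3" if cap else "wpa2_only"] += 1

    impacted = sorted((client, dev) for client, (cap, dev, _) in best.items() if not cap)
    total = len(best)
    share = sum(1 for cap, _, _ in best.values() if cap) / total if total else 0.0
    return {"wpa3_share": share, "by_band": dict(by_band),
            "impacted": impacted, "ready": share >= threshold}


if __name__ == "__main__":
    summary = readiness(ASSOCIATIONS)
    print(f"WPA3-capable share: {summary['wpa3_share']:.0%} (ready={summary['ready']})")
    for band, counts in sorted(summary["by_band"].items()):
        print(f"  {band:7s} wpa3={counts['wpa3']} wpa2_only={counts['wpa2_only']}")
    print("would be cut off by WPA3 Strict:", summary["impacted"])
```

The per-band counts are what decide the plan: a 6GHz band group that only ever sees WPA3 clients is safe to run Strict, while a 5GHz band still carrying WPA2-only thermostats and printers is the one that needs Transition mode or a separate SSID until those devices are upgraded or replaced.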
Conclusion
With the introduction of the 6GHz band on Wi-Fi 6E and Wi-Fi 7 networks, and the mandatory use of WPA3 Strict mode in the 6GHz band, these are steps forward in terms of performance and security. However, maintaining a uniform SSID structure and security posture across all bands requires careful planning and consideration due to legacy devices.
By employing a well-thought-out strategy, network administrators can balance the need for strong security with the practical realities of supporting a diverse range of devices. By understanding the nuances of WPA3 Strict mode, they can take a proactive approach to network management. This allows them to ensure that their wireless network remains secure and user-friendly across all bands.