WPA3-Enterprise


Here is the 5th & final post of our WPA3 series. In this post we cover WPA3-Enterprise, which is going to be the replacement for WPA2-Enterprise. The Wi-Fi Alliance lists the WPA3-Enterprise mode requirements in the WPA3 Specification v2.0 (Dec 2019) document. There are 3 modes of operation in WPA3-Enterprise:

WPA3-Enterprise only mode
– When a BSS is configured in WPA3-Enterprise only mode, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP)
– A WPA3-Enterprise STA shall negotiate PMF when associating to an AP using WPA3-Enterprise only mode

WPA3-Enterprise transition mode
– When WPA2-Enterprise and WPA3-Enterprise transition Mode are configured on the same BSS (mixed mode), PMF shall be set to capable (MFPC bit shall be set to 1, and MFPR bit is by default set to 0 in the RSN Capabilities field in the RSNE transmitted by the AP)
– A WPA3-Enterprise STA shall negotiate PMF when associating to an AP using WPA3-Enterprise transition mode

WPA3-Enterprise 192-bit mode
– When WPA3-Enterprise 192-bit Mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP).
– When WPA3-Enterprise 192-bit Mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the STA).
– Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit Mode are:
  – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: ECDHE and ECDSA using the 384-bit prime modulus curve P-384
  – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ECDHE using the 384-bit prime modulus curve P-384; RSA ≥ 3072-bit modulus
  – TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: RSA ≥ 3072-bit modulus; DHE ≥ 3072-bit modulus

When you configure FT (Fast BSS Transition, 802.11r) in WPA3-Enterprise only or WPA3-Enterprise transition mode (modes 1 & 2 listed above), the STA shall select the AKM on a BSS in the priority order given below:
1. FT Authentication using IEEE Std 802.1X (SHA 256) 00-0F-AC:3
2. Authentication using IEEE Std 802.1X (SHA256) 00-0F-AC:5
3. Authentication using IEEE Std 802.1X 00-0F-AC:1
The table below lists the different AKM values defined in IEEE 802.11 REVmd (the revision of the 802.11-2016 standard which is going to be 802.11-2020). Note that AKM 8 & 9 are used with SAE (WPA3-Personal uses AKM 8), AKM 1, 3, 5, 11 with WPA3-Enterprise only or WPA3-Enterprise transition mode, AKM 12, 13 with WPA3-Enterprise 192-bit mode & AKM 18 with Enhanced Open (OWE).
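As an added example (not from the original post), here is a small Python script that parses an AP's RSNE, checks its MFPC/MFPR bits and AKM list against the PMF rules of the three modes above, and applies the FT AKM priority order. The element layout follows the IEEE 802.11 RSNE format; the sample elements are constructed inline and the function names are my own.

```python
import struct

OUI = b"\x00\x0f\xac"          # IEEE 802.11 suite selector OUI (00-0F-AC)
MFPR = 1 << 6                  # RSN Capabilities bit 6: PMF required
MFPC = 1 << 7                  # RSN Capabilities bit 7: PMF capable
SUITE_B_192_AKMS = {12, 13}    # WPA3-Enterprise 192-bit mode AKMs

def build_rsne(akms, caps):
    """Assemble a constructed RSNE (element ID 48) with CCMP-128 ciphers."""
    ccmp = OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp                      # version, group cipher
    body += struct.pack("<H", 1) + ccmp                     # one pairwise cipher
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)                         # RSN Capabilities
    return bytes([48, len(body)]) + body

def parse_rsne(ie):
    """Return the AKM suite types and PMF bits advertised in an RSNE."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSNE")
    body = ie[2:2 + ie[1]]
    pos = 2 + 4                                             # skip version + group cipher
    n_pair = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 4 * n_pair
    n_akm = struct.unpack_from("<H", body, pos)[0]
    pos += 2
    akms = []
    for _ in range(n_akm):
        suite = body[pos:pos + 4]
        pos += 4
        if suite[:3] == OUI:                                # ignore vendor-specific AKMs
            akms.append(suite[3])
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}

def pmf_violations(rsne, mode):
    """List the WPA3 Specification rules an AP's RSNE breaks for the intended
    mode: 'only', 'transition' or '192-bit'."""
    akms, issues = set(rsne["akms"]), []
    if mode in ("only", "192-bit") and not rsne["mfpr"]:
        issues.append("MFPR must be 1")
    if mode == "transition" and not rsne["mfpc"]:
        issues.append("MFPC must be 1")
    if mode == "192-bit" and not akms & SUITE_B_192_AKMS:
        issues.append("192-bit mode requires AKM 12 or 13")
    return issues

def select_ft_akm(akms):
    """STA AKM choice when FT is configured: 00-0F-AC:3, then :5, then :1."""
    return next((a for a in (3, 5, 1) if a in akms), None)
```

Feeding a captured RSNE from a beacon into `parse_rsne` and then `pmf_violations` is a quick way to confirm an AP really advertises the PMF setting its configured mode requires.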

You will notice that some AKMs refer to "Suite B", a set of cryptographic algorithms (providing 128-bit and 192-bit security strength) defined by the NSA (National Security Agency) in 2005. The NSA replaced Suite B with CNSA (Commercial National Security Algorithm Suite, providing a minimum of 192-bit security) in 2018....