Wi-Fi Protected Access 3

Simultaneous Authentication of Equals

A simultaneous authentication of equals (SAE) is a protocol used in WPA3 that

  • provides stronger password protection from guessing attacks by third parties

  • employs discrete logarithm cryptography to perform an efficient exchange that enables mutual authentication using a password, and

  • resists offline dictionary attacks.

An offline dictionary attack is one in which an adversary who has captured an authentication exchange tries candidate passwords against it without any further interaction with the network, so the only limit on guessing is the attacker's computing power.

WPA3 and SAE in Wi-Fi Security

WPA3 is the latest version of Wi-Fi Protected Access (WPA), which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks.

WPA3 leverages SAE to provide stronger protections for users against password guessing attempts by third parties.

  • WPA3-Personal protects users through robust password-based authentication, making brute-force dictionary attacks more difficult.

  • WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

When a client connects to the AP, the two perform an SAE exchange made up of a commit phase, in which each side sends a scalar and a group element derived from the password and its own fresh random values, and a confirm phase, in which each side proves that it arrived at the same shared secret. The password itself is never transmitted. If the exchange succeeds, both parties hold a cryptographically strong pairwise master key (PMK), from which the session key is derived through the 4-way handshake. Because every exchange uses new random values, SAE provides forward secrecy: an intruder who recovers one session key cannot use it to recover the keys of other sessions.
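
The commit and confirm phases described above, as an added illustration that is not Cisco code and is not interoperable with real 802.11 SAE: it runs Dragonfly over the RFC 3526 group 14 MODP group with a simplified password-element derivation and KDF, whereas WPA3 normally uses ECC group 19 (and hash-to-element in current revisions). The MAC addresses, labels and the `sae_exchange` helper are assumptions made for the example. It keeps what matters: an observer of the two Commit messages sees only a scalar and PE^(-mask), which cannot be used to test password guesses offline, and a wrong password is detected only at the Confirm step, one guess per exchange.

```python
"""Simplified SAE (Dragonfly) Commit/Confirm exchange over a MODP group (didactic, not 802.11-compatible)."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, p = 2q + 1.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
PLEN = (P.bit_length() + 7) // 8          # 256 bytes per scalar/element


def _kdf(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion; a simplified stand-in for the 802.11 KDF."""
    out = b""
    for i in range(1, (length + 31) // 32 + 1):
        out += hmac.new(key, i.to_bytes(2, "big") + label, hashlib.sha256).digest()
    return out[:length]


def _b(x: int) -> bytes:
    return x.to_bytes(PLEN, "big")


def password_element(password: bytes, mac_a: bytes, mac_b: bytes) -> int:
    """Map the password to a group element of order q (simplified hunting-and-pecking).

    Both peers bind the derivation to the ordered pair of MAC addresses, so a PE
    computed for one AP/client pair is not reusable against another.
    """
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    for counter in range(1, 256):
        seed = hmac.new(hi + lo, password + bytes([counter]), hashlib.sha256).digest()
        val = int.from_bytes(_kdf(seed, b"SAE Hunting and Pecking", PLEN), "big")
        if 1 < val < P:
            pe = pow(val, (P - 1) // Q, P)   # exponent 2: lands in the order-q subgroup
            if pe > 1:
                return pe
    raise ValueError("could not derive password element")


class SaePeer:
    """One side (AP or client) of an SAE exchange."""

    def __init__(self, mac: bytes, peer_mac: bytes, password: bytes):
        self.pe = password_element(password, mac, peer_mac)
        self.rand = secrets.randbelow(Q - 2) + 2
        self.mask = secrets.randbelow(Q - 2) + 2
        self.scalar = (self.rand + self.mask) % Q       # sent in Commit
        self.element = pow(self.pe, Q - self.mask, P)   # PE^(-mask), sent in Commit
        self.kck = self.pmk = None

    def commit(self) -> tuple:
        return self.scalar, self.element

    def process_commit(self, peer_scalar: int, peer_element: int) -> bool:
        """Validate the peer's Commit and derive K, KCK and PMK; False means reject."""
        if not (1 < peer_scalar < Q) or not (1 < peer_element < P):
            return False
        if pow(peer_element, Q, P) != 1:                 # must lie in the order-q subgroup
            return False
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            return False                                 # reflection attack
        # PE^peer_scalar * peer_element = PE^peer_rand, so K = PE^(rand*peer_rand) on both sides.
        k = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        keyseed = hmac.new(b"\x00" * 32, _b(k), hashlib.sha256).digest()
        ctx = _b((self.scalar + peer_scalar) % Q)
        kck_pmk = _kdf(keyseed, b"SAE KCK and PMK" + ctx, 64)
        self.kck, self.pmk = kck_pmk[:32], kck_pmk[32:]
        self.peer_scalar, self.peer_element = peer_scalar, peer_element
        return True

    def confirm(self, send_confirm: int = 1) -> bytes:
        msg = (send_confirm.to_bytes(2, "big") + _b(self.scalar) + _b(self.element)
               + _b(self.peer_scalar) + _b(self.peer_element))
        return hmac.new(self.kck, msg, hashlib.sha256).digest()

    def verify_confirm(self, peer_confirm: bytes, send_confirm: int = 1) -> bool:
        msg = (send_confirm.to_bytes(2, "big") + _b(self.peer_scalar) + _b(self.peer_element)
               + _b(self.scalar) + _b(self.element))
        expected = hmac.new(self.kck, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, peer_confirm)


def sae_exchange(client_password: bytes, ap_password: bytes) -> bool:
    """Run Commit/Confirm between a client and an AP (assumed MACs); True only if both Confirms verify."""
    sta_mac, ap_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sta = SaePeer(sta_mac, ap_mac, client_password)
    ap = SaePeer(ap_mac, sta_mac, ap_password)
    if not (ap.process_commit(*sta.commit()) and sta.process_commit(*ap.commit())):
        return False
    # A wrong password passes the Commit checks and only shows up here, as a Confirm mismatch.
    return ap.verify_confirm(sta.confirm()) and sta.verify_confirm(ap.confirm())
```

`sae_exchange(b"pw", b"pw")` returns True and the two peers hold the same PMK; with a mismatched password every Commit still validates and only the Confirm fails, which is why an active attacker learns at most one rejected guess per exchange and why the anti-clogging and retransmission controls later on this page exist.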

Opportunistic Wireless Encryption

Opportunistic Wireless Encryption (OWE) is an extension to IEEE 802.11, defined in RFC 8110, that encrypts the wireless medium without a password. Its purpose is to replace open, unencrypted connectivity between APs and clients. With OWE, the client and AP perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise secret as the PMK for the 4-way handshake, so every client gets its own session key. OWE therefore protects against passive eavesdropping on networks that would otherwise be open or use a shared PSK. It does not authenticate the AP: a client cannot distinguish a legitimate OWE AP from a rogue AP advertising the same SSID, so OWE is a replacement for open networks, not for SAE or 802.1X.

Configure SAE (WPA3+WPA2 mixed mode)

Enable secure Wi-Fi connectivity using both WPA3 and WPA2 protocols in a mixed mode for SAE on the device.

Performing this task configures a WLAN to support both legacy WPA2 and newer WPA3 authentication using SAE, enhancing security and compatibility for a range of client devices.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id SSID-name

Example:

Device(config)# wlan WPA3 1 WPA3

Step 3

Disable security AKM for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 4

Disable 802.11r fast transition over the distribution system (over-the-DS) on the WLAN.

Example:

Device(config-wlan)# no security ft over-the-ds

Step 5

Disable 802.11r fast transition on the WLAN.

Example:

Device(config-wlan)# no security ft

Step 6

Configure WPA2 cipher.

Example:

Device(config-wlan)# security wpa wpa2 ciphers aes

Note

 

If the AES cipher is already configured on the WLAN, you can reset it with the no security wpa wpa2 ciphers aes command (the show wlan id command lists the enabled ciphers). If the cipher is not configured, configure it as shown.

Step 7

Specify the preshared key, which is the password used for both SAE and WPA2-PSK on this WLAN. Use a long, random passphrase: SAE blocks offline dictionary attacks, but a weak password can still be guessed online, one attempt per exchange. The value in the second example is a placeholder.

Example:

Device(config-wlan)# security wpa psk set-key ascii value preshared-key

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123

Step 8

Enable WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Note

 

In WPA3+WPA2 mixed mode (SAE and PSK together), PMF is set to optional so that legacy WPA2 clients without PMF support can still connect; you cannot disable PMF entirely. For WPA3-only WLANs, PMF is mandatory.

Step 9

Enable AKM SAE support.

Example:

Device(config-wlan)# security wpa akm sae

Step 10

Enable AKM PSK support.

Example:

Device(config-wlan)# security wpa akm psk

Step 11

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 12

Return to the privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is configured to support both WPA3 (with SAE) and WPA2 authentication modes for client connectivity.

Configure WPA3 enterprise (GUI)

Enable WPA3 enterprise authentication on your WLAN to secure wireless communications.

Use this task when you need to enable WPA3 enterprise security for a WLAN profile on your wireless controller using the GUI.

Before you begin

Ensure necessary RADIUS or AAA servers and authentication lists are configured.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Choose Security > Layer2 tab. Choose WPA2+WPA3 in Layer 2 Security Mode drop-down list.

Step 5

Uncheck the WPA2 Policy and 802.1x check boxes. Check the WPA3 Policy and 802.1x-SHA256 check boxes.

Step 6

Choose Security > AAA, and then choose the Authentication List from the Authentication List drop-down list.

Step 7

Click Apply to Device.


Your newly created WLAN uses WPA3 enterprise security for client authentication.

Configure WPA3 enterprise

Set up a secure wireless LAN (WLAN) that uses WPA3 Enterprise authentication to enhance network security for enterprise environments.

WPA3 Enterprise provides stronger data protection and improved security features compared to earlier WLAN authentication methods. You can enable WPA3 Enterprise on supported APs and controllers with this configuration.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id SSID-name

Step 3

Disable security AKM for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 4

Disable WPA2 security.

Example:

Device(config-wlan)# no security wpa wpa2

Step 5

Configure the 802.1X AKM with SHA-256, which is the AKM WPA3-Enterprise requires.

Example:

Device(config-wlan)# security wpa akm dot1x-sha256

Step 6

Enable WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 7

Specify the 802.1X authentication list (the RADIUS or AAA method list configured before you began) for the WLAN.

Example:

Device(config-wlan)# security dot1x authentication-list list-name

Step 8

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 9

Return to the privileged EXEC mode.

Example:

Device(config-wlan)# end

Note

 

C9115 and C9120 access points do not support WLANs configured with WPA3 Enterprise (SUITEB192-1X).


The WPA3 enterprise WLAN is configured and enabled. Devices can now securely connect using WPA3 Enterprise authentication.

Configuring the WPA3 OWE

Follow the procedure given below to configure WPA3 OWE.

Before you begin

Configure PMF internally. The associated ciphers configuration can use the WPA2 ciphers.

Procedure


Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan wlan-name wlan-id SSID-name

Example:

Device(config)# wlan WPA3 1 WPA3

Enters the WLAN configuration sub-mode.

Step 3

no security ft over-the-ds

Example:

Device(config-wlan)# no security ft over-the-ds

Disables 802.11r fast transition over the distribution system (over-the-DS) on the WLAN.

Step 4

no security ft

Example:

Device(config-wlan)# no security ft

Disables 802.11r fast transition on the WLAN.

Step 5

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 6

no security wpa wpa2

Example:

Device(config-wlan)# no security wpa wpa2

Disables WPA2 security. This also resets PMF; enabling WPA3 in a later step makes PMF mandatory again.

Step 7

security wpa wpa2 ciphers aes

Example:

Device(config-wlan)# security wpa wpa2 ciphers aes

Enables WPA2 ciphers for AES.

Note

 

WPA2 and WPA3 share the same cipher configuration on the WLAN, so the AES cipher enabled here applies to WPA3 OWE as well.

Step 8

security wpa wpa3

Example:

Device(config-wlan)# security wpa wpa3

Enables WPA3 support.

Step 9

security wpa akm owe

Example:

Device(config-wlan)# security wpa akm owe

Enables WPA3 OWE support.

Step 10

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 11

end

Example:

Device(config-wlan)# end

Returns to the privileged EXEC mode.


Configuring WPA3 OWE Transition Mode (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Choose Security > Layer2 tab. Choose WPA2+WPA3 in Layer 2 Security Mode drop-down list.

Step 5

Uncheck the WPA2 Policy, 802.1x, Over the DS, FT + 802.1x and FT + PSK check boxes. Check the WPA3 Policy, AES and OWE check boxes.

Step 6

Enter the Transition Mode WLAN ID.

Step 7

Click Apply to Device.


Configure WPA3 OWE transition mode

Configure a WLAN to support WPA3 OWE transition mode for secure wireless connectivity.
WPA3 Opportunistic Wireless Encryption (OWE) transition mode allows clients to connect using either open or secured (WPA3 OWE) methods during transition deployments.

Policy validation does not take place between the open WLAN and the OWE WLAN. You must configure both WLANs correctly.

Before you begin

Identify the WLAN ID and names for the open and OWE WLANs you will configure.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id SSID-name

Step 3

Disable security AKM for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 4

Disable 802.11r fast transition over the distribution system (over-the-DS) on the WLAN.

Example:

Device(config-wlan)# no security ft over-the-ds

Step 5

Disable 802.11r fast transition on the WLAN.

Example:

Device(config-wlan)# no security ft

Step 6

Disable WPA2 security. This also resets PMF; enabling WPA3 in a later step makes PMF mandatory again.

Example:

Device(config-wlan)# no security wpa wpa2

Step 7

Enable WPA2 ciphers for AES.

Example:

Device(config-wlan)# security wpa wpa2 ciphers aes

Step 8

Enable WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 9

Enable WPA3 OWE support.

Example:

Device(config-wlan)# security wpa akm owe

Step 10

Configure the transition mode peer WLAN ID: on the OWE WLAN, the ID of the matching open WLAN; on the open WLAN, the ID of the matching OWE WLAN.

Example:

Device(config-wlan)# security wpa transition-mode-wlan-id wlan-id

Note

 

Validation is not performed on the transition mode WLAN ID. You must configure the pairing correctly yourself: in the OWE WLAN, set the transition mode WLAN ID to the ID of the open WLAN, and in the open WLAN, set the transition mode WLAN ID to the ID of the OWE WLAN. A mismatch is not reported by the controller.

Step 11

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 12

Return to the privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is configured in WPA3 OWE transition mode and is ready for client connections using the specified security settings.
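
Because the controller does not validate the open/OWE pairing, an offline check of the configuration text is worth having. The following is an added example, not Cisco tooling: it parses WLAN blocks written in the syntax of the procedure above and reports a transition mode ID that does not point back, a missing OWE AKM, or a peer that is not actually open. SAMPLE_CONFIG is constructed from the commands in this section rather than captured from a device; the `no security wpa` line on the open WLAN and the WLAN names are assumptions. The different-SSID check goes beyond this page and reflects the Wi-Fi Alliance OWE transition mode behaviour, in which the open BSS and the OWE BSS use different SSIDs.

```python
"""Offline consistency check for an OWE transition-mode WLAN pair (added example, not Cisco tooling)."""
import re

# Constructed from the commands in the procedure above; not real device output.
SAMPLE_CONFIG = """\
wlan corp-owe 1 corp-owe-ssid
 no security ft over-the-ds
 no security ft
 no security wpa akm dot1x
 no security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa wpa3
 security wpa akm owe
 security wpa transition-mode-wlan-id 2
 no shutdown
wlan corp-open 2 corp-open-ssid
 no security wpa
 no security wpa akm dot1x
 security wpa transition-mode-wlan-id 1
 no shutdown
"""

WLAN_HEADER = re.compile(r"^wlan\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
TRANSITION_ID = re.compile(r"^security wpa transition-mode-wlan-id (\d+)$")


def parse_wlans(config: str) -> dict:
    """Return {wlan_id: {"name", "ssid", "lines"}} for each 'wlan <name> <id> <ssid>' block."""
    wlans, current = {}, None
    for raw in config.splitlines():
        m = WLAN_HEADER.match(raw)
        if m:
            current = {"name": m.group(1), "ssid": m.group(3), "lines": set()}
            wlans[int(m.group(2))] = current
        elif current is not None and raw.startswith(" "):
            current["lines"].add(raw.strip())
    return wlans


def transition_id(wlan: dict):
    """The transition-mode-wlan-id configured on a WLAN block, or None."""
    for line in wlan["lines"]:
        m = TRANSITION_ID.match(line)
        if m:
            return int(m.group(1))
    return None


def check_owe_transition(config: str, owe_id: int) -> list:
    """Return problems with the OWE/open pairing; an empty list means it is consistent."""
    wlans = parse_wlans(config)
    owe = wlans.get(owe_id)
    if owe is None:
        return [f"OWE WLAN {owe_id} not found"]
    problems = []
    # The OWE WLAN needs WPA3, the OWE AKM and the AES cipher shared by WPA2/WPA3.
    for cmd in sorted({"security wpa wpa3", "security wpa akm owe",
                       "security wpa wpa2 ciphers aes"} - owe["lines"]):
        problems.append(f"OWE WLAN {owe_id}: missing '{cmd}'")
    open_id = transition_id(owe)
    if open_id is None:
        return problems + [f"OWE WLAN {owe_id}: no transition-mode-wlan-id"]
    opn = wlans.get(open_id)
    if opn is None:
        return problems + [f"OWE WLAN {owe_id}: transition WLAN {open_id} does not exist"]
    if transition_id(opn) != owe_id:
        problems.append(f"open WLAN {open_id}: transition-mode-wlan-id does not point back to {owe_id}")
    if "no security wpa" not in opn["lines"] or "security wpa akm owe" in opn["lines"]:
        problems.append(f"open WLAN {open_id}: must be an open WLAN, not OWE or WPA")
    # Assumption from the OWE transition mode design: the open and OWE BSSs use different SSIDs.
    if owe["ssid"] == opn["ssid"]:
        problems.append("OWE and open WLANs must use different SSIDs")
    return problems
```

Feed it the `wlan` blocks copied from the running configuration and the ID of the OWE WLAN; anything it returns is a pairing the controller would have accepted silently.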

Configure WPA3 SAE (GUI)

Set up a wireless LAN (WLAN) that uses WPA3 Simultaneous Authentication of Equals (SAE) security using GUI.

Perform this task to enable enhanced security for your WLAN with WPA3 SAE. Use this configuration to support WPA3 for client authentication and ensure optimal wireless security.

Before you begin

Ensure Protected Management Frames (PMF) are configured internally.

  • WPA2 ciphers can be used as associated ciphers.

  • Fast Transition Adaptive is not supported for WPA3 SAE.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Choose Security > Layer2 tab. Choose WPA2+WPA3 in Layer 2 Security Mode drop-down list.

Step 5

Uncheck the WPA2 Policy, 802.1x, Over the DS, FT + 802.1x, and FT + PSK check boxes. Check the WPA3 Policy, AES, and PSK check boxes. Enter the Pre-Shared Key, and choose the PSK Format from the PSK Format drop-down list and the PSK Type from the PSK Type drop-down list.

Step 6

Click Apply to Device.


Your WLAN profile is now configured with WPA3 SAE security, and clients can connect using WPA3 authentication.

Configure WPA3 SAE

Enable WPA3 SAE authentication on a WLAN for enhanced Wi-Fi security.
Use this task to configure WPA3 SAE (Simultaneous Authentication of Equals) on a Cisco device. WPA3 SAE offers stronger security for wireless networks and is required for environments that need improved protection against offline dictionary attacks.

Before you begin

Configure PMF (Protected Management Frames) internally.

  • You can use WPA2 ciphers with this configuration.

  • Fast Transition Adaptive is not supported for WPA3 SAE.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id SSID-name

Example:

Device(config)# wlan WPA3 1 WPA3

Step 3

Disable security AKM for dot1x.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 4

Disable 802.11r fast transition over the distribution system (over-the-DS) on the WLAN.

Example:

Device(config-wlan)# no security ft over-the-ds

Step 5

Disable 802.11r fast transition on the WLAN.

Example:

Device(config-wlan)# no security ft

Step 6

Disable WPA2 security. This also resets PMF; enabling WPA3 in a later step makes PMF mandatory again.

Example:

Device(config-wlan)# no security wpa wpa2

Step 7

Configure WPA2 cipher.

Example:

Device(config-wlan)# security wpa wpa2 ciphers aes

Note

 

If the AES cipher is already configured on the WLAN, you can reset it with the no security wpa wpa2 ciphers aes command (the show wlan id command lists the enabled ciphers). If the cipher is not configured, configure it as shown.

Step 8

Specify the preshared key, which is the SAE password for this WLAN. Use a long, random passphrase: SAE blocks offline dictionary attacks, but a weak password can still be guessed online, one attempt per exchange. The value in the second example is a placeholder.

Example:

Device(config-wlan)# security wpa psk set-key ascii value preshared-key

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123

Step 9

Enable WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Note

 

In WPA3+WPA2 mixed mode (SAE and PSK together), PMF is set to optional so that legacy WPA2 clients without PMF support can still connect; you cannot disable PMF entirely. For WPA3-only WLANs, as configured here, PMF is mandatory.

Step 10

Enable AKM SAE support.

Example:

Device(config-wlan)# security wpa akm sae

Step 11

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 12

Return to the privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is configured using WPA3 SAE authentication, providing enhanced wireless security.

Configure anti-clogging and SAE retransmission (GUI)

Set up Anti-Clogging and SAE retransmission parameters for a WLAN profile using the graphical user interface.

Perform this task to enable stronger wireless security features. This task also optimizes retransmission settings for your SSID.

Before you begin

Gather necessary values for Profile Name, SSID, WLAN ID, anti-clogging threshold, maximum retries, and retransmit timeout.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

Step 3

In the General tab, enter the Profile Name, the SSID and the WLAN ID.

Step 4

Set the Status and Broadcast SSID toggle buttons as required.

Step 5

From the Radio Policy drop-down list, choose a policy.

Step 6

Choose Security > Layer2 tab. Check the SAE check box.

Step 7

Enter the Anti Clogging Threshold, Max Retries and Retransmit Timeout.

Step 8

Click Apply to Device.


Anti-clogging and SAE retransmission settings are applied to the selected WLAN profile. Devices connecting to this SSID will now use the updated security and retransmission settings.

Configure anti-clogging and SAE retransmission (CLI)

Configure anti-clogging thresholds and SAE retransmission settings on a WLAN using CLI commands.

Anti-clogging and Simultaneous Authentication of Equals (SAE) retransmission settings help the AP withstand authentication floods and improve handshake reliability on a lossy channel. Perform these steps after you configure the basic SAE WLAN settings.

Before you begin

Complete the SAE WLAN configuration.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-name wlan-id SSID-name

Step 3

Disable the WLAN.

Example:

Device(config-wlan)# shutdown

Step 4

Enable simultaneous authentication of equals as a security protocol.

Example:

Device(config-wlan)# security wpa akm sae

Step 5

Configure the number of open (uncompleted) SAE sessions above which the AP starts the anti-clogging procedure: new commit requests must first echo an anti-clogging token before the AP allocates state for them, which limits resource exhaustion from a flood of spoofed SAE commit messages.

Example:

Device(config-wlan)# security wpa akm sae anti-clogging-threshold 2000

Step 6

Configure the maximum number of times an unanswered SAE message is retransmitted.

Example:

Device(config-wlan)# security wpa akm sae max-retries retry-limit

Step 7

Configure the timeout after which an unanswered SAE message is retransmitted.

Example:

Device(config-wlan)# security wpa akm sae retransmit-timeout retransmit-timeout-limit

Step 8

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 9

Return to the privileged EXEC mode.

Example:

Device(config-wlan)# end

Anti-clogging and SAE retransmission settings are applied to the WLAN.

Verify WPA3 SAE and OWE

Use the following show commands to verify WPA3 SAE and OWE configuration and operation.

To view the system level statistics for the client that has undergone successful SAE authentication, SAE authentication failures, SAE ongoing sessions, SAE commit and confirm message exchanges, use this show command:

Device# show wireless stats client detail
        
        Total Number of Clients : 0
        
        client global statistics:
        -----------------------------------------------------------------------------
        Total association requests received              : 0
        Total association attempts                       : 0
        Total FT/LocalAuth requests                      : 0
        Total association failures                       : 0
        Total association response accepts               : 0
        Total association response rejects               : 0
        Total association response errors                : 0
        Total association failures due to blacklist      : 0
        Total association drops due to multicast mac     : 0
        Total association drops due to throttling        : 0
        Total association drops due to unknown bssid     : 0
        Total association drops due to parse failure     : 0
        Total association drops due to other reasons     : 0
        Total association requests wired clients         : 0
        Total association drops wired clients            : 0
        Total association success wired clients          : 0
        Total peer association requests wired clients    : 0
        Total peer association drops wired clients       : 0
        Total peer association success wired clients     : 0
        Total 11r ft authentication requests received    : 0
        Total 11r ft authentication response success     : 0
        Total 11r ft authentication response failure     : 0
        Total 11r ft action requests received            : 0
        Total 11r ft action response success             : 0
        Total 11r ft action response failure             : 0
        Total AID allocation failures                    : 0
        Total AID free failures                          : 0
        Total roam attempts                              : 0
        Total CCKM roam attempts                       : 0
        Total 11r roam attempts                        : 0
        Total 11i fast roam attempts                   : 0
        Total 11i slow roam attempts                   : 0
        Total other roam type attempts                 : 0
        Total roam failures in dot11                     : 0
        
        Total WPA3 SAE attempts                          : 0
        Total WPA3 SAE successful authentications        : 0
        Total WPA3 SAE authentication failures           : 0
        Total incomplete protocol failures             : 0
        Total WPA3 SAE commit messages received          : 0
        Total WPA3 SAE commit messages rejected          : 0
        Total unsupported group rejections             : 0
        Total WPA3 SAE commit messages sent              : 0
        Total WPA3 SAE confirm messages received         : 0
        Total WPA3 SAE confirm messages rejected         : 0
        Total WPA3 SAE confirm messgae field mismatch  : 0
        Total WPA3 SAE confirm message invalid length  : 0
        Total WPA3 SAE confirm messages sent             : 0
        Total WPA3 SAE Open Sessions                     : 0
        Total SAE Message drops due to throttling        : 0
        
        Total Flexconnect local-auth roam attempts       : 0
        Total AP 11i fast roam attempts                : 0
        Total 11i slow roam attempts                   : 0
        
        Total client state starts                        : 0
        Total client state associated                    : 0
        Total client state l2auth success                : 0
        Total client state l2auth failures               : 0
        Total blacklisted clients on dot1xauth failure   : 0
        Total client state mab attempts                  : 0
        Total client state mab failed                    : 0
        Total client state ip learn attempts             : 0
        Total client state ip learn failed               : 0
        Total client state l3 auth attempts              : 0
        Total client state l3 auth failed                : 0
        Total client state session push attempts         : 0
        Total client state session push failed           : 0
        Total client state run                           : 0
        Total client deleted                             : 0
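
The SAE counters in this output are the controller's view of the anti-clogging and online-guessing behaviour discussed earlier on this page, and they are worth triaging automatically. The following is an added example, not Cisco tooling: it parses the "Total ...: N" lines of `show wireless stats client detail` and flags a high SAE failure ratio, confirm rejections, throttling drops and open-session pressure. SAMPLE_OUTPUT is constructed with the same counter names as the output above and values chosen to look like an SSID under a commit flood plus password guessing; the thresholds and finding names are illustrative assumptions.

```python
"""Triage SAE counters from 'show wireless stats client detail' (added example, not Cisco tooling)."""
import re

COUNTER_RE = re.compile(r"^\s*Total\s+(.+?)\s*:\s*(\d+)\s*$")

# Constructed sample output, not captured from a device.
SAMPLE_OUTPUT = """\
client global statistics:
Total association requests received              : 9120
Total WPA3 SAE attempts                          : 8000
Total WPA3 SAE successful authentications        : 310
Total WPA3 SAE authentication failures           : 7690
Total WPA3 SAE commit messages received          : 8000
Total WPA3 SAE commit messages rejected          : 6100
Total unsupported group rejections             : 0
Total WPA3 SAE confirm messages received         : 1900
Total WPA3 SAE confirm messages rejected         : 1590
Total WPA3 SAE Open Sessions                     : 2150
Total SAE Message drops due to throttling        : 3400
"""


def parse_counters(output: str) -> dict:
    """Map each 'Total <name> : <n>' line to {name: n}; other lines are ignored."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def sae_findings(counters: dict, anti_clogging_threshold: int = 2000,
                 max_failure_ratio: float = 0.2) -> list:
    """Return finding strings for counter patterns a WPA3 operator should look at.

    anti_clogging_threshold should match the value configured on the WLAN;
    2000 mirrors the example in the procedure above. The ratio is an assumption.
    """
    findings = []
    attempts = counters.get("WPA3 SAE attempts", 0)
    failures = counters.get("WPA3 SAE authentication failures", 0)
    if attempts and failures / attempts > max_failure_ratio:
        findings.append(f"sae-failure-ratio {failures}/{attempts}: many exchanges fail; "
                        "check for online password guessing or a wrong passphrase on clients")
    confirm_rx = counters.get("WPA3 SAE confirm messages received", 0)
    confirm_rej = counters.get("WPA3 SAE confirm messages rejected", 0)
    if confirm_rx and confirm_rej / confirm_rx > max_failure_ratio:
        findings.append(f"confirm-rejections {confirm_rej}/{confirm_rx}: peers reach Confirm "
                        "with the wrong password, the signature of online guessing")
    throttled = counters.get("SAE Message drops due to throttling", 0)
    if throttled:
        findings.append(f"sae-throttling {throttled}: SAE messages dropped by throttling, "
                        "consistent with a commit flood")
    open_sessions = counters.get("WPA3 SAE Open Sessions", 0)
    if open_sessions >= anti_clogging_threshold:
        findings.append(f"open-sessions {open_sessions}: at or above the anti-clogging "
                        f"threshold ({anti_clogging_threshold}); tokens are being required")
    if counters.get("unsupported group rejections", 0):
        findings.append("unsupported-group: clients proposing SAE groups the AP does not accept")
    return findings
```

Run it over the saved output of the show command on a schedule; the absolute values matter less than a ratio or a throttling counter that jumps between two samples.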
        
        
      

To view the WLAN summary details, use this command.

Device# show wlan summary
        
        Number of WLANs: 3
        
        ID   Profile Name                     SSID                             Status Security                                                                                             
        ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
        1    wlan-demo                        ssid-demo                        DOWN   [WPA3][SAE][AES]                                                                                     
        3    CR1_SSID_mab-ext-radius          CR1_SSID_mab-ext-radius          DOWN   [WPA2][802.1x][AES]                                                                                  
        109  guest-wlan1                      docssid                          DOWN   [WPA2][802.1x][AES],[Web Auth]                                                                       
        
      

To view the WLAN properties (WPA2 and WPA3 mode) based on the WLAN ID, use this command.

Device# show wlan id 1
        
        WLAN Profile Name     : wlan-demo
        ================================================
        Identifier                                     : 1
        
        !
        !
        !
        Security
        802.11 Authentication                      : Open System
        Static WEP Keys                            : Disabled
        Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Disabled
        WPA3 (WPA3 IE)                         : Enabled
        AES Cipher                         : Enabled
        CCMP256 Cipher                     : Disabled
        GCMP128 Cipher                     : Disabled
        GCMP256 Cipher                     : Disabled
        Auth Key Management
        802.1x                             : Disabled
        PSK                                : Disabled
        CCKM                               : Disabled
        FT dot1x                           : Disabled
        FT PSK                             : Disabled
        Dot1x-SHA256                       : Disabled
        PSK-SHA256                         : Disabled
        SAE                                : Enabled
        OWE                                : Disabled
        SUITEB-1X