WPA3 Security Enhancements for Access Points

WPA3 security enhancements for APs

WPA3 security enhancements for access points are wireless security features that

  • introduce advanced encryption methods such as GCMP-256 and SuiteB-192-1X AKM

  • strengthen authentication and data protection with features like SAE-EXT-KEY support and AP beacon protection, and

  • allow multiple cipher suites to be configured per WLAN, providing greater flexibility and security for wireless networks.

Cipher suites are sets of encryption and integrity algorithms that protect radio communication on your wireless LANs. You must configure a cipher suite when using Wi-Fi Protected Access (WPA), WPA2, WPA3, or Cisco Centralized Key Management (CCKM). Wired Equivalent Privacy (WEP) is the original 802.11 encryption method; it has been broken for many years and must not be used to protect a WLAN.

Feature Name: Wi-Fi 7 WPA3 Security Constraints

Release: Cisco IOS XE 17.15.2

Description: The Wi-Fi 7 (802.11be) standard imposes the following security constraints, which apply to Wi-Fi 7-compliant APs. Items marked as a deviation are still beaconed to Wi-Fi 7 clients even though the standard does not permit them.

  • Open authentication: Wi-Fi 7 clients are not permitted to associate.

  • WPA1: Wi-Fi 7 clients are not permitted to associate.

  • WPA2: Wi-Fi 7 clients are not permitted to associate.

  • WPA3: permitted with these restrictions:

    • SAE-EXT-KEY and FT-SAE-EXT-KEY (AKM 24/25) are permitted with GCMP-256.

    • SAE and FT-SAE (AKM 8/9) are permitted. This is a deviation from the standard.

    • WPA2 PSK and 802.1X with PMF are permitted. This is a deviation from the standard.

    • 802.1X-SHA256 with PMF is permitted.

    • Suite-B-192 with PMF is permitted.

Feature Name: Decoupled GCMP-256 and Suite-B-192-1X AKM Configuration

Release: Cisco IOS XE 17.15.1

Description: Until Cisco IOS XE 17.14.1, the GCMP-256 cipher and the Suite-B-192-1X AKM were tightly coupled: configuring GCMP-256 on a WLAN implicitly enabled Suite-B-192-1X, because that AKM had no command of its own. Cisco IOS XE 17.15.1 adds a separate AKM command (security wpa akm suiteb-192), so the GCMP-256 cipher command now configures only the cipher and GCMP-256 can be paired with other supported AKMs. Suite-B-192-1X remains the AKM for enterprise deployments, such as federal government and health care, that require the highest security level.

Feature Name: Wi-Fi Protected Access (WPA3) Security Enhancements for Access Points

Release: Cisco IOS XE 17.15.1

Description: From Cisco IOS XE 17.15.1 onwards, OWE association is supported with both the CCMP-128 and GCMP-256 ciphers. If you configure both ciphers, the client selects its cipher suite in the association request. The security enhancements introduced in this release are exposed through these new configuration commands:

  • security wpa akm sae ext-key

  • security wpa akm ft sae ext-key

  • security wpa akm suiteb-192

  • security wpa akm suiteb

  • security wpa wpa2 ciphers

  • security wpa wpa3 beacon-protection

Feature Name: Opportunistic Wireless Encryption (OWE) Support with GCMP-256 Cipher

Release: Cisco IOS XE 17.14.1

Description: Until Cisco IOS XE 17.14.1, OWE was supported only with the CCMP-128 cipher. This release adds OWE with the GCMP-256 cipher.

Benefits of GCMP-based ciphers:

  • GCM is an authenticated-encryption mode: a single pass provides both confidentiality and integrity protection for each frame.

  • Counter-mode encryption and the GHASH integrity function are parallelizable, so GCMP encrypts at higher rates than CCMP on the same hardware.

  • GCMP-256 uses a 256-bit AES key, which is what the Suite-B-192 security level requires.

Wireless Encryption Methods for Data Protection

Encryption protects data by making it unreadable to unauthorized users.

These encryption protocols are used with wireless authentication:

  • Temporal Key Integrity Protocol (TKIP): TKIP is the encryption method used by WPA and supports legacy WLAN equipment. It was designed as a firmware-level fix for the flaws in 802.11 WEP: it keeps WEP's RC4 cipher but adds per-packet key mixing, a longer initialization vector with replay protection, and a message integrity check (MIC) so that altered frames are detected. TKIP is deprecated; the cipher options on this page (AES/CCMP-128, CCMP-256, GCMP-128, GCMP-256) do not include it.

  • Advanced Encryption Standard (AES): AES is used through Counter Mode with CBC-MAC Protocol (CCMP), an authenticated-encryption protocol that lets the receiver detect modification of both the encrypted payload and the unencrypted header fields covered by the integrity check.


    Attention


    AES/CCMP is the preferred method because of its strong encryption.


    CCMP is the mandatory encryption protocol for Wi-Fi Protected Access 2 (WPA2) and is far more secure than WEP and than the TKIP used by WPA.

  • Galois/Counter Mode Protocol (GCMP): GCMP is an AES-based authenticated-encryption protocol that is more efficient than CCMP and, as GCMP-256, provides a higher security level.


Supported platforms

  • Cisco Catalyst 9800-CL Wireless Controller for Cloud

  • Cisco Catalyst 9800-L Wireless Controller

  • Cisco Catalyst 9800-40 Wireless Controller

  • Cisco Catalyst 9800-80 Wireless Controller

  • Cisco Catalyst 9300 Series Switches

  • Cisco Embedded Wireless Controller on Catalyst Access Points

Supported APs

  • Cisco Aironet 2800 Series Access Points

  • Cisco Aironet 3800 Series Access Points

  • Cisco Aironet 4800 Series Access Points

  • Cisco Catalyst 9117 Series Access Points

  • Cisco Catalyst 9124AX Series Access Points

  • Cisco Catalyst 9130AX Series Access Points

  • Cisco Catalyst 9136 Series Access Points

  • Cisco Catalyst 9162 Series Access Points

  • Cisco Catalyst 9164 Series Access Points

  • Cisco Catalyst 9166 Series Access Points

  • Cisco Aironet 1560 Series Outdoor Access Points

Restrictions

  • WPA3 is not supported on Cisco Wave 1 APs.

  • GCMP-256 is not supported on Cisco Catalyst 9105, 9110, 9115, 9120 APs and 802.11ac Wave2 QCA APs such as 1852.

  • Beacon Protection is supported only on QCA-based APs, such as the 9130, 9136, 9162, 9164, and 9166.

GCMP-256 Cipher and SuiteB-192-1X AKM

The GCMP-256 cipher and the SuiteB-192-1X AKM are Wi-Fi security mechanisms that

  • provide strong encryption and authentication for wireless communications

  • help meet high-security requirements for environments such as government and healthcare, and

  • support flexible configuration in recent Cisco IOS XE releases.

Decoupled GCMP-256 and Suite-B-192-1X AKM configuration

There is a strong dependency between the GCMP-256 cipher and the Suite-B-192-1X AKM. Until Cisco IOS XE 17.14.1, configuring the GCMP-256 cipher on a WLAN automatically enabled the Suite-B-192-1X AKM, because the Suite-B-192-1X Authentication and Key Management (AKM) could not be enabled separately using commands.

From Cisco IOS XE 17.15.1 onwards, the security wpa akm suiteb-192 command enables the AKM on its own and the security wpa wpa2 ciphers gcmp256 command configures only the cipher, so the two can be combined independently. The GCMP-256 cipher can therefore be configured with other supported AKMs, such as SAE-EXT-KEY, FT-SAE-EXT-KEY, and OWE.

Configure SuiteB-192-1X AKM (GUI)

Enable SuiteB-192-1X Authentication and Key Management (AKM) for a WLAN using the required cipher combinations.

Use this procedure to configure secure authentication and encryption for WLANs, ensuring compliance with SuiteB-192-1X standards.

Before you begin

Confirm the device supports SuiteB-192-1X AKM and required cipher options.

Procedure

Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

The Add WLAN window is displayed.

Step 3

In the General tab, enter the Profile Name, SSID, and the WLAN ID.

Step 4

Choose Security > Layer2 and select one of these options:

  • WPA + WPA2
  • WPA2 + WPA3
  • WPA3

The Auth Key Mgmt (AKM) section displays the AKMs supported by the cipher you select in the WPA2/WPA3 Encryption section. Valid cipher and AKM combinations are displayed in the Auth Key Mgmt (AKM) section.

For example, to enable SuiteB-192-1x AKM,

  • The valid security encryption and AKM combination for WPA + WPA2 and WPA2 + WPA3 is CCMP256 and/or GCMP256 cipher + SuiteB-192-1X AKM.

    Note

     
    CCMP256 cipher is not valid without the GCMP256 cipher for SuiteB-192-1X AKM.
  • The valid security encryption and AKM combination for WPA3 is GCMP256 cipher + SUITEB-192-1X or OWE or SAE-EXT-KEY or FT + SAE-EXT-KEY AKM.

    Note

     

    At least one AKM should be enabled. To enable SuiteB-192-1X, check the SUITEB 192-1X check box.

Step 5

In the WPA2 Encryption section, check the GCMP256 check box.

Valid cipher and AKM combinations are displayed in the Auth Key Mgmt (AKM) section.

Step 6

In the Fast Transition section, in the Status drop-down list, select Disabled.

Note

 
Disable Fast Transition when Suite-B cipher (GCMP256, CCMP256, GCMP128) is configured.

Step 7

In the Auth Key Mgmt (AKM) section, check the SUITEB192-1X check box.

Step 8

Click Apply to Device.


The WLAN is now configured with SuiteB-192-1X AKM and the required ciphers, enabling secure authentication and encryption.

Configure SuiteB-192-1X AKM (CLI)

Enable SuiteB-192-1X Authentication and Key Management (AKM) for a WLAN using the required cipher combinations.

Use this procedure to configure secure authentication and encryption for WLANs, ensuring compliance with SuiteB-192-1X standards.

Before you begin

Confirm the device supports SuiteB-192-1X AKM and required cipher options.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:
Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Disable adaptive 802.11r.

Example:
Device(config-wlan)# no security ft adaptive

Step 4

Disable security AKM for 802.1X.

Example:
Device(config-wlan)# no security wpa akm dot1x

Step 5

Configure the SuiteB-192-1X support.

Example:
Device(config-wlan)# security wpa akm suiteb-192

Step 6

Configure the GCMP256 support using the security wpa wpa2 ciphers {aes | ccmp256 | gcmp128 | gcmp256} command.

Example:
Device(config-wlan)# security wpa wpa2 ciphers gcmp256

The WLAN is now configured with SuiteB-192-1X AKM and the required ciphers, enabling secure authentication and encryption.

SAE-EXT-KEY support

The Cisco IOS XE 17.15.1 release introduces two new SAE AKMs: SAE-EXT-KEY (AKM suite selector 24) and FT-SAE-EXT-KEY (25). The extended-key AKMs let SAE derive keys whose length follows the strength of the negotiated SAE group, which is what allows a password-authenticated WLAN to use the GCMP-256 cipher.

  • Devices can connect using the new SAE AKMs (24 and 25) and negotiate encryption with GCMP-256, CCMP-128, or both ciphers.


Note


Ensure that the WPA3 policy is enabled for the new AKMs to be displayed.


Configure SAE-EXT-KEY AKMs (GUI)

Set up SAE-EXT-KEY Authentication and Key Management (AKM) on a WLAN to enhance wireless security with advanced password-based authentication protocols.

Use this task when configuring a Wi-Fi network profile requiring the SAE-EXT-KEY or Fast Transition (FT) + SAE-EXT-KEY AKMs for WPA2 or WPA3-enabled WLANs. These settings enable secure password management and provide robust wireless security.

Before you begin

  • Ensure that the WLAN controller supports SAE-EXT-KEY and FT + SAE-EXT-KEY AKMs.

  • Verify that WPA3 security policies are enabled.

  • Gather values for anti-clogging threshold, maximum retries, retransmit timeout, and the required pre-shared key (PSK).

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

The Add WLAN window is displayed.

Step 3

In the General tab, enter the Profile Name, SSID, and the WLAN ID.

Step 4

Choose Security > Layer2 and select one of these options:

  • WPA2 + WPA3
  • WPA3
The Auth Key Mgmt (AKM) section will be populated with the possible AKMs that are supported by the cipher that is selected in the WPA2/WPA3 Encryption section. Valid AKMs are displayed in the Auth Key Mgmt (AKM) section.

Note

 

Ensure that the WPA3 policy is enabled for the new AKMs to be displayed.

Step 5

In the WPA2/WPA3 Encryption section, check the GCMP256 check box, or the AES(CCMP128) check box, or a combination of both these check boxes.

Note

 
The AES(CCMP128) cipher check box is selected by default.

The AKMs are displayed in the Auth Key Mgmt (AKM) section.

Step 6

In the Auth Key Mgmt (AKM) section, check either the SAE-EXT-KEY check box or the FT + SAE-EXT-KEY check box, or select both the AKMs.

Complete these steps:

  1. Enter the Anti Clogging Threshold value. Valid range is 0 to 3000; default value is 1500.

  2. Enter the number of allowed Max Retries. Valid range is 1 to 10; default value is five.

  3. Enter the Retransmit Timeout value in milliseconds. Valid range is 1 to 10000; default value is 400.

  4. From the drop-down lists, select the PSK Format and the PSK Type.

  5. Enter the Pre-Shared Key.

  6. From the SAE Password Element drop-down list, select the method used to derive the SAE password element (PWE):

    • Both H2E and HnP: The password element is generated using either Hash-to-Element (H2E) or Hunting and Pecking (HnP), whichever the client supports. This is the default option.

    • Hash to Element only: The password element is derived from the password with a single, non-iterative hash-based algorithm. H2E is more efficient and, because its run time does not depend on the password, resists the side-channel attacks that affect HnP. If selected, HnP is disabled, and clients that support only HnP cannot connect.

    • Hunting and Pecking only: The password element is derived with an iterative looping algorithm whose execution time can leak information about the password through timing and cache side channels, so we recommend one of the other two options. If you select this option, H2E is disabled.

    Note

     

    SAE-EXT-KEY and FT + SAE-EXT-KEY require the password element mode to be Both H2E and HnP or Hash to Element only.

If you select an option with WPA2, configure MPSK by completing these steps:

  1. In the MPSK Configuration section, check the Enable MPSK check box.

  2. In the Auth Key Mgmt section, choose the PSK Format (default is ASCII), PSK Type (default is unencrypted), and enter the Pre-Shared Key.

  3. In the MPSK Configuration section, click Add.

    Ensure that there are no warnings or error messages in the Auth Key Mgmt section, related to encryption and cipher combination.

  4. Click Apply, and then click Apply to Device.

Step 7

Click Apply to Device.


The WLAN is now configured with enhanced SAE-EXT-KEY authentication key management, providing robust, standards-based password security for WPA2 or WPA3 wireless networks.

Configure SAE-EXT-KEY AKMs (CLI)

Set up SAE-EXT-KEY Authentication and Key Management (AKM) on a WLAN to enhance wireless security with advanced password-based authentication protocols.

Use this task when configuring a Wi-Fi network profile requiring the SAE-EXT-KEY or Fast Transition (FT) + SAE-EXT-KEY AKMs for WPA2 or WPA3-enabled WLANs. These settings enable secure password management and provide robust wireless security.

Before you begin

  • Ensure that the WLAN controller supports SAE-EXT-KEY and FT + SAE-EXT-KEY AKMs.

  • Verify that WPA3 security policies are enabled.

  • Gather values for anti-clogging threshold, maximum retries, retransmit timeout, and the required pre-shared key (PSK).

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:

Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Disable adaptive 802.11r.

Example:

Device(config-wlan)# no security ft adaptive

Step 4

Configure the pre-shared key (PSK) in either ASCII or HEX format with the security wpa psk set-key {ascii | hex} {0 | 8} pre-shared-key command. The {0 | 8} keyword states how the key that follows is entered: 0 for plaintext, 8 for an already encrypted type-8 string.

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 123456789

Step 5

Disable security Auth Key Management (AKM) for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 6

Configure the SAE-EXT-KEY AKM support.

Example:

Device(config-wlan)# security wpa akm sae ext-key

Step 7

Configure WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 8

Configure WPA2 and GCMP-256 cipher support.

Example:

Device(config-wlan)# security wpa wpa2 ciphers gcmp256

The WLAN is now configured with the SAE-EXT-KEY AKM, providing standards-based password authentication with keys long enough for the GCMP-256 cipher.

Configure FT-SAE-EXT-KEY AKMs (CLI)

Enable FT-SAE-EXT-KEY Authentication and Key Management (AKM) for a WLAN profile on your device using CLI.

Use this task when you want to support fast transition (FT) and SAE AKM with extended keys for secure wireless authentication.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:

Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Configure fast transition

Example:

Device(config-wlan)# security ft adaptive

Step 4

Configure the pre-shared key (PSK) either in the ASCII format or the HEX format using the security wpa psk set-key {ascii | hex} {0 | 8} pre-shared-key command.

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 123456789

Step 5

Disable security Auth Key Management (AKM) for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 6

Configure the FT-SAE-EXT-KEY AKM support.

Example:

Device(config-wlan)# security wpa akm ft sae ext-key

Step 7

Configure WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 8

Configure WPA2 and GCMP-256 cipher support.

Example:

Device(config-wlan)# security wpa wpa2 ciphers gcmp256

The WLAN profile is now configured to use the FT-SAE-EXT-KEY AKM, giving fast BSS transition with WPA3 and the GCMP-256 cipher.

AP beacon protection

AP beacon protection is a WLAN security feature that

  • prevents attackers from forging AP beacons or modifying the capabilities they advertise,

  • uses a Beacon Integrity Key (the BIGTK) to add a Message Integrity Code (MIC) to every beacon, and

  • enables associated clients to validate beacon authenticity and reject beacons sent by attackers.

Expanded explanation

The AP distributes the Beacon Integrity Key to each client during the WPA2 or WPA3 four-way handshake (and again in the group key handshake when the key is rotated), alongside the group keys. Genuine APs use this key to compute a MIC that is carried in a Management MIC element in each beacon frame. Because only clients that completed the handshake hold the key, a rogue AP that clones the SSID and BSSID cannot produce valid beacons, and a beacon that was modified in flight (for example, to advertise different capabilities or a different channel) fails the check. The client discards any beacon that fails validation.

Beacon protection takes effect after association, once the client holds the key: an associated client checks the MIC and the per-beacon counter on every beacon it receives from its AP and ignores those that fail, which defeats rogue-AP and beacon-tampering attacks against connected clients. It does not authenticate the beacons a client uses to discover and choose an AP before it associates.
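The check the previous paragraphs describe, as an added example that is not Cisco code or part of the original page: an AP appends a Management MIC element to each beacon and an associated client verifies it, rejecting a forged beacon from a rogue AP, a tampered beacon and a replayed one, while tolerating the hardware-written timestamp. The frame layout follows 802.11 (element ID 76, Key ID 6 or 7, 6-byte BIPN, Timestamp and MIC zeroed while the MIC is computed). The integrity algorithm is a stand-in: HMAC-SHA256 truncated to 8 bytes replaces the real BIP-CMAC-128/BIP-GMAC-256 because the Python standard library has no AES-CMAC or AES-GMAC, and the key, header and body bytes are constructed for the example.

```python
"""Simulation of the beacon-protection flow (added example, not Cisco code).

Frame layout follows the 802.11 Management MIC element (ID 76: 2-byte Key ID,
6-byte BIPN, 8-byte MIC). HMAC-SHA256 stands in for BIP-CMAC/GMAC, which
needs AES-CMAC/GMAC that the standard library lacks. Key and frames are
constructed for the example.
"""
import hashlib
import hmac
import struct

MME_ID = 76             # Management MIC element
MME_LEN = 16            # Key ID (2) + BIPN (6) + MIC (8)
BIGTK_KEY_IDS = (6, 7)  # beacon protection uses Key IDs 6 and 7


def _mic(bigtk, header, masked_body):
    # Stand-in for BIP-CMAC/GMAC: keyed MAC over the header fields that BIP
    # covers (FC, A1, A2, A3) and the masked body, truncated to 64 bits like
    # BIP-CMAC-128's MIC.
    return hmac.new(bigtk, header + masked_body, hashlib.sha256).digest()[:8]


def _mask(body_with_mme, mme_off):
    # 802.11 zeroes the Timestamp (first 8 body octets) and the MME's MIC
    # field before computing the MIC, so hardware timestamping does not
    # invalidate it.
    b = bytearray(body_with_mme)
    b[0:8] = bytes(8)
    b[mme_off + 10:mme_off + 18] = bytes(8)
    return bytes(b)


def protect_beacon(bigtk, header, body, bipn, key_id=6):
    """AP side: append an MME carrying the next BIPN and the MIC."""
    mme = bytes([MME_ID, MME_LEN]) + struct.pack("<H", key_id)
    mme += bipn.to_bytes(6, "little") + bytes(8)
    mic = _mic(bigtk, header, _mask(body + mme, len(body)))
    return body + mme[:-8] + mic


def verify_beacon(bigtk, header, body, last_bipn):
    """Client side: returns (accepted, reason, new_last_bipn)."""
    if len(body) < 18 or body[-18] != MME_ID or body[-17] != MME_LEN:
        return False, "no MME: unprotected beacon", last_bipn
    off = len(body) - 18
    key_id = struct.unpack_from("<H", body, off + 2)[0]
    bipn = int.from_bytes(body[off + 4:off + 10], "little")
    if key_id not in BIGTK_KEY_IDS:
        return False, "MME key ID is not a BIGTK", last_bipn
    if bipn <= last_bipn:
        return False, "replay: BIPN did not increase", last_bipn
    expected = _mic(bigtk, header, _mask(body, off))
    if not hmac.compare_digest(body[-8:], expected):
        return False, "MIC mismatch: forged or modified beacon", last_bipn
    return True, "authentic", bipn


def demo():
    """Genuine, replayed, re-timestamped, rogue, tampered and unprotected
    beacons as seen by an associated client; returns {case: accepted}."""
    bigtk = bytes(range(16))                                   # constructed key
    bssid = b"\x02\x00\x00\x00\x00\x01"
    header = b"\x80\x00" + b"\xff" * 6 + bssid + bssid          # FC, A1, A2, A3

    def body(timestamp, capability):
        # Timestamp, Beacon Interval, Capability, then SSID element "corp"
        return struct.pack("<QHH", timestamp, 100, capability) + b"\x00\x04corp"

    genuine = protect_beacon(bigtk, header, body(1000, 0x0411), bipn=1)
    ok, _, last = verify_beacon(bigtk, header, genuine, last_bipn=0)
    results = {"genuine": ok}
    results["replay"] = verify_beacon(bigtk, header, genuine, last)[0]
    retimed = bytearray(genuine)
    retimed[0:8] = struct.pack("<Q", 2000)                     # new timestamp
    results["retimed"] = verify_beacon(bigtk, header, bytes(retimed), 0)[0]
    rogue = protect_beacon(b"\xee" * 16, header, body(3000, 0x0411), bipn=2)
    results["rogue"] = verify_beacon(bigtk, header, rogue, last)[0]
    tampered = bytearray(genuine)
    tampered[10] ^= 0x10                                       # flip a capability bit
    results["tampered"] = verify_beacon(bigtk, header, bytes(tampered), 0)[0]
    results["unprotected"] = verify_beacon(bigtk, header, body(1000, 0x0411), 0)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} {'accepted' if accepted else 'rejected'}")
```

The unprotected case matters as much as the forged one: a client that holds the BIGTK is expected to discard beacons that arrive without an MME, otherwise an attacker simply omits the element and the feature is bypassed.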

Configure AP beacon protection (GUI)

You can perform this task to enable AP beacon protection on your WLAN using the GUI and WPA3 security.

Before you begin

  • Ensure that you are configuring a WLAN profile that supports WPA3 AKM (for example, SAE, FT-SAE, OWE, DOT1X-SHA256, and so on).

  • Replace the sample AKMs with the specific WPA3 AKM you want to use.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

The Add WLAN window is displayed.

Step 3

In the General tab, enter the Profile Name, SSID, and the WLAN ID.

Step 4

Choose Security > Layer 2, select either the WPA2 + WPA3 option or the WPA3 option.

The Beacon Protection check box appears in the WPA parameters section when you enable the WPA3 policy.

Step 5

Check the Beacon Protection check box.

Note

 

Protected Management Frame (PMF) is required for Beacon Protection to be enabled.

Step 6

Click Apply to Device.


You have enabled AP beacon protection on your WLAN. This provides enhanced protection against beacon frame attacks when WPA3 is used.


Configure AP beacon protection (CLI)

You can perform this task to enable AP beacon protection on your WLAN using the CLI and WPA3 security.

Before you begin

  • Ensure that you are configuring a WLAN profile that supports WPA3 AKM (for example, SAE, FT-SAE, OWE, DOT1X-SHA256, and so on).

  • Replace the sample AKMs with the specific WPA3 AKM you want to use.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:

Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Disable adaptive 802.11r.

Example:

Device(config-wlan)# no security ft adaptive

Step 4

Configure the pre-shared key (PSK) either in the ASCII format or the HEX format using the security wpa psk set-key {ascii | hex} {0 | 8} pre-shared-key command.

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 123456789

Step 5

Disable security Authentication and Key Management (AKM) for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 6

Configure SAE support.

Example:

Device(config-wlan)# security wpa akm sae

Step 7

Configure WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 8

Configure AP beacon protection.

Example:

Device(config-wlan)# security wpa wpa3 beacon-protection

Step 9

Disable WPA2 security.

Example:

Device(config-wlan)# no security wpa wpa2

Step 10

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

You have enabled AP beacon protection on your WLAN. This provides enhanced protection against beacon frame attacks when WPA3 is used.

Multiple cipher support per WLAN

Multiple cipher support per WLAN is a WLAN security feature that

  • allows multiple encryption ciphers to operate on a single WLAN,

  • enables compatibility with various Authentication and Key Management (AKM)options, and

  • supports broader device interoperability by accommodating mixed device requirements.

Mapping of cipher suites

Until Cisco IOS XE 17.14.1, only a single cipher was allowed in a WLAN, which limited the supported AKM combinations: only the CCMP-128 cipher could be used with multiple AKMs, while GCMP-128 was tightly coupled with the Suite-B-1X AKM and CCMP-256 or GCMP-256 were tightly coupled with the Suite-B-192-1X AKM.

With Cisco IOS XE 17.15.1 and later, multiple AKM and cipher combinations are supported on a single WLAN. One WLAN can now serve devices requiring different ciphers, such as GCMP-256 and CCMP-128.

The cipher suite or suites configured for a WLAN are mapped to the Pairwise Cipher Suite, Group Cipher Suite, and Management (group management) Cipher Suite advertised in the RSN element of Beacons and Probe Responses.

Table 1. Mapping of cipher suites

  Configured Cipher Suite   Pairwise Cipher Suite                   Group Cipher Suite   Management Cipher Suite
  CCMP-128 only             CCMP-128                                CCMP-128             BIP-CMAC-128
  GCMP-256 only             GCMP-256                                GCMP-256             BIP-GMAC-256
  CCMP-128 + GCMP-256       CCMP-128 or GCMP-256 (client chooses)   CCMP-128             BIP-CMAC-128

In the mixed configuration the group and management cipher suites fall back to CCMP-128 and BIP-CMAC-128: broadcast and multicast data and protected management frames are then secured at the 128-bit level for every client, including those that negotiated GCMP-256 as their pairwise cipher. Where the 192-bit security level of Suite-B-192 is required, configure GCMP-256 only.

Configure multiple ciphers (GUI)

Enable support for multiple security ciphers on a WLAN using the GUI.

Use these steps to configure a wireless LAN for multiple WPA2 ciphers, allowing enhanced security and compatibility for connecting devices.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

The Add WLAN window is displayed.

Step 3

In the General tab, enter the Profile Name, SSID, and the WLAN ID.

Step 4

Choose Security > Layer2, select one of the following options:

  • WPA + WPA2
  • WPA2 + WPA3
  • WPA3

The AES(CCMP128) cipher is selected by default.

The Auth Key Mgmt (AKM) section will be populated with the possible AKMs that are supported by the cipher that is selected in the WPA2/WPA3 Encryption section. Valid cipher and AKM combinations are displayed in the Auth Key Mgmt (AKM) section.

Step 5

In the WPA2/WPA3 Encryption section, check the GCMP256 check box, or the AES(CCMP128) check box, or a combination of both these check boxes, to display the AKMs in the same WLAN.

Step 6

In the Auth Key Mgmt (AKM) section, check the AKM check boxes to enable the required AKMs. At least one AKM should be enabled.

Step 7

Click Apply to Device.


Multiple WPA2 ciphers are now configured for the WLAN. This enhances network security and allows flexibility for supported clients.

Configure multiple ciphers (CLI)

Enable support for multiple security ciphers on a WLAN using CLI commands.

Use these steps to configure a wireless LAN for multiple WPA2 ciphers, allowing enhanced security and compatibility for connecting devices.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:

Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Disable adaptive 802.11r.

Example:

Device(config-wlan)# no security ft adaptive

Step 4

Configure the pre-shared key (PSK) either in the ASCII format or the HEX format using the security wpa psk set-key {ascii | hex} {0 | 8} pre-shared-key command.

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 123456789

Step 5

Disable security AKM for 802.1X.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 6

Configure SAE support.

Example:

Device(config-wlan)# security wpa akm sae

Step 7

Configure SAE-EXT-KEY AKM support.

Example:

Device(config-wlan)# security wpa akm sae ext-key

Step 8

Configure WPA3 support.

Example:

Device(config-wlan)# security wpa wpa3

Step 9

Configure WPA2 cipher support. In this example, CCMP-128 cipher is configured using the security wpa wpa2 ciphers {aes | ccmp256 | gcmp128 | gcmp256} command.

Example:

Device(config-wlan)# security wpa wpa2 ciphers aes

Step 10

Configure another WPA2 cipher (multiple cipher support). In this example, GCMP-256 cipher is configured using the security wpa wpa2 ciphers {aes | ccmp256 | gcmp128 | gcmp256} command.

Example:

Device(config-wlan)# security wpa wpa2 ciphers gcmp256

Multiple WPA2 ciphers are now configured for the WLAN. This enhances network security and allows flexibility for supported clients.

OWE support with GCMP-256 cipher

In Cisco IOS XE 17.14.1 and earlier, OWE is supported only with the CCMP-128 cipher. Starting with Cisco IOS XE 17.15.1, you can configure OWE with both CCMP-128 and GCMP-256. When you configure both, the client selects the cipher suite during association.

Configure OWE AKM (GUI)

Enable Opportunistic Wireless Encryption (OWE) for a WLAN to enhance wireless security by allowing encrypted connections without requiring pre-shared keys.

Use OWE to provide secure, open wireless access using the WLAN configuration interface, leveraging WPA3 security and modern encryption standards for wireless networks.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add.

The Add WLAN window is displayed.

Step 3

In the General tab, enter the Profile Name, SSID, and the WLAN ID.

Step 4

Choose Security > Layer 2 and click the WPA3 option.

Step 5

In the WPA2/WPA3 Encryption section, check the GCMP256 check box, or the AES(CCMP128) check box, or a combination of both these check boxes. The AES(CCMP128) check box is selected by default.

Step 6

In the Fast Transition section, from the Status drop-down list, select Disabled

Step 7

In the Auth Key Mgmt (AKM) section, check the OWE check box.

The Transition Mode WLAN ID field is displayed.

Step 8

Enter the Transition Mode WLAN ID. The transition-mode WLAN ID ranges are the same as the WLAN ID ranges, that is, the valid range is between 0 and 4096.

Step 9

Click Apply to Device.


OWE is enabled for the selected WLAN, allowing clients to connect securely without the need for a shared password.

Configure OWE AKM (CLI)

Enable Opportunistic Wireless Encryption (OWE), Authentication and Key Management (AKM), for a Wireless Local Area Network (WLAN) using the CLI.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the WLAN profile and SSID. Enter the WLAN configuration mode.

Example:

Device(config)# wlan wlan-profile-name wlan-id ssid-name 

Step 3

Disable adaptive 802.11r.

Example:

Device(config-wlan)# no security ft adaptive

Step 4

Configure the OWE AKM.

Example:

Device(config-wlan)# security wpa akm owe

The WLAN profile is now configured to use Opportunistic Wireless Encryption AKM.

Verifying WPA3

Verify the SAE-EXT-KEY AKM support

Summary of SAE-EXT-KEY AKMs

To view the summary of the SAE-EXT-KEY AKMs, use this command:

Device# show wlan summary
Number of WLANs: 5

ID   Profile Name                     SSID                             Status 2.4GHz/5GHz Security                            6GHz Security
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1    wpa3-sae_profile                 wpa3-sae                         UP     [WPA3][SAE][AES]                                [WPA3][SAE][AES]
2    wpa3-sae-ext_profile             wpa3-sae-ext                     UP     [WPA3][SAE-EXT-KEY][GCMP256]                    [WPA3][SAE-EXT-KEY][GCMP256]
3    wpa3-sae-ext-mab_profile         wpa3-sae-ext-mab                 UP     [WPA3][MAB][SAE-EXT-KEY][GCMP256]               [WPA3][MAB][SAE-EXT-KEY][GCMP256]
4    wpa3-sae-ext-webauth_profile     wpa3-sae-ext-webauth_profile     UP     [WPA3][SAE-EXT-KEY][Webauth][GCMP256]           [WPA3][SAE-EXT-KEY][Webauth][GCMP256]
5    wpa3-sae-ext-mab-webauth_profile wpa3-sae-ext-mab-webauth_profile UP     [WPA3][MAB][SAE-EXT-KEY][Webauth][GCMP256]      [WPA3][MAB][SAE-EXT-KEY][Webauth][GCMP256]
6    wpa3-ft-sae_profile              wpa3-ft-sae                      UP     [WPA3][FT + SAE][AES]                           [WPA3][FT + SAE][AES]
7    wpa3-ft-sae-ext_profile          wpa3-ft-sae-ext                  UP     [WPA3][FT + SAE-EXT-KEY][GCMP256]               [WPA3][FT + SAE-EXT-KEY][GCMP256]
8    wpa3-ft-sae-ext-mab_profile      wpa3-ft-sae-ext-mab              UP     [WPA3][MAB][FT + SAE-EXT-KEY][GCMP256]          [WPA3][MAB][FT + SAE-EXT-KEY][GCMP256]
9    wpa3-ft-sae-ext-webauth_profile  wpa3-ft-sae-ext-webauth          UP     [WPA3][FT + SAE-EXT-KEY][Webauth][GCMP256]      [WPA3][FT + SAE-EXT-KEY][Webauth][GCMP256]
10   wpa3-ft-sae-ext-mab-webauth_pro  wpa3-ft-sae-ext-mab-webauth      UP     [WPA3][MAB][FT + SAE-EXT-KEY][Webauth][GCMP256] [WPA3][MAB][FT + SAE-EXT-KEY][Webauth][GCMP256]
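An added example (not Cisco code) that parses output in the shape of the show wlan summary display above and applies the Wi-Fi 7 WPA3 constraints from the beginning of this page to each WLAN, so a fleet of WLAN profiles can be audited from one show command. SAMPLE is constructed for the example; the column layout follows the output reproduced above. The summary does not show PMF state, so WPA2-only rows are returned for review rather than judged, and WPA3 AKMs whose summary token does not appear on this page (802.1X-SHA256, Suite-B-192) are also returned for review instead of being classified.

```python
"""Audit `show wlan summary` output against the Wi-Fi 7 WPA3 constraints.

Added example, not Cisco code. Row layout follows the `show wlan summary`
output on the page; SAMPLE is constructed, not captured from a controller.
Rules: Open/WPA1/WPA2 not permitted (WPA2 with PMF only as a deviation, and
PMF is not visible here), SAE-EXT-KEY (AKM 24/25) with GCMP-256 compliant,
SAE (AKM 8/9) permitted as a deviation.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Number of WLANs: 5

ID   Profile Name       SSID           Status 2.4GHz/5GHz Security              6GHz Security
----------------------------------------------------------------------------------------------
1    guest_profile      guest          UP     [open]                            [open]
2    legacy_profile     legacy         UP     [WPA2][PSK][AES]                  [WPA2][PSK][AES]
3    wpa3-sae_profile   wpa3-sae       UP     [WPA3][SAE][AES]                  [WPA3][SAE][AES]
4    wpa3-ext_profile   wpa3-ext       UP     [WPA3][FT + SAE-EXT-KEY][GCMP256] [WPA3][FT + SAE-EXT-KEY][GCMP256]
5    wpa3-ext-ccmp_pro  wpa3-ext-ccmp  DOWN   [WPA3][SAE-EXT-KEY][AES]          [WPA3][SAE-EXT-KEY][AES]
"""

# One data row: ID, profile, SSID, status, then two runs of [bracketed] tokens.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<profile>\S+)\s+(?P<ssid>\S+)\s+(?P<status>UP|DOWN)\s+"
    r"(?P<sec24>(?:\[[^\]]*\])+)\s+(?P<sec6>(?:\[[^\]]*\])+)\s*$")
TOKEN = re.compile(r"\[([^\]]*)\]")


@dataclass
class Wlan:
    wlan_id: int
    profile: str
    ssid: str
    status: str
    sec24: list   # tokens of the 2.4GHz/5GHz Security column
    sec6: list    # tokens of the 6GHz Security column


def parse_summary(text):
    """Return one Wlan per data row; count, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Wlan(int(m["id"]), m["profile"], m["ssid"], m["status"],
                             TOKEN.findall(m["sec24"]), TOKEN.findall(m["sec6"])))
    return rows


def wifi7_verdict(tokens):
    """Classify one security column as compliant, deviation, review or denied."""
    t = set(tokens)
    if "WPA3" not in t:
        if "WPA2" in t:
            return "review", "WPA2 only: permitted for Wi-Fi 7 just with PMF (deviation); PMF not shown here"
        return "denied", "open or WPA1: Wi-Fi 7 clients may not associate"
    if t & {"SAE-EXT-KEY", "FT + SAE-EXT-KEY"}:
        if "GCMP256" in t:
            return "compliant", "SAE-EXT-KEY (AKM 24/25) with GCMP-256"
        return "review", "SAE-EXT-KEY without GCMP-256: add the GCMP256 cipher for Wi-Fi 7"
    if t & {"SAE", "FT + SAE"}:
        return "deviation", "SAE (AKM 8/9): permitted as a deviation from the standard"
    return "review", "WPA3 AKM not classified by this audit"


def audit(text):
    """Map profile name -> verdict for the 2.4GHz/5GHz Security column."""
    return {w.profile: wifi7_verdict(w.sec24)[0] for w in parse_summary(text)}


if __name__ == "__main__":
    for w in parse_summary(SAMPLE):
        verdict, why = wifi7_verdict(w.sec24)
        print(f"{w.wlan_id:>3} {w.profile:<20} {w.status:<5} {verdict:<10} {why}")
```

Run it against the saved output of show wlan summary from your controller; any row that comes back as denied or review is a WLAN that Wi-Fi 7 clients will either be unable to join or that needs its PMF and cipher settings confirmed with show wlan name.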

SAE-EXT-KEY and FT-SAE-EXT-KEY AKM in WLAN Profiles

To view the details of the SAE-EXT-KEY and FT-SAE-EXT-KEY AKMs, use these commands:

Device# show wlan name wpa3-sae-ext-key-profile
WLAN Profile Name     : wpa3-sae-ext-key-profile
================================================
Identifier                                     : 2
Description                                    :
Network Name (SSID)                            : wpa3-sae-ext-key
<...>
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Disabled
        WPA3 (WPA3 IE)                         : Enabled
            AES Cipher                         : Disabled
            CCMP256 Cipher                     : Disabled
            GCMP128 Cipher                     : Disabled
            GCMP-256 Cipher                    : Enabled
        Auth Key Management
            802.1x                             : Disabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            FT SAE-EXT-KEY                     : Disabled
            Dot1x-SHA256                       : Disabled
            PSK-SHA256                         : Disabled
            SAE                                : Disabled
            SAE-EXT-KEY                        : Enabled
            OWE                                : Disabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    SAE PWE Method                             : Hash to Element, Hunting and Pecking(H2E-HNP)
.
.
.

Device# show wlan name wpa3-ft-sae-ext-key-profile
WLAN Profile Name     : wpa3-ft-sae-ext-key-profile
================================================
Identifier                                     : 7
Description                                    :
Network Name (SSID)                            : wpa3-ft-sae-ext-key
<...>
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Disabled
        WPA3 (WPA3 IE)                         : Enabled
            AES Cipher                         : Disabled
            CCMP256 Cipher                     : Disabled
            GCMP128 Cipher                     : Disabled
            GCMP-256 Cipher                    : Enabled
        Auth Key Management
            802.1x                             : Disabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            FT SAE-EXT-KEY                     : Enabled
            Dot1x-SHA256                       : Disabled
            PSK-SHA256                         : Disabled
            SAE                                : Disabled
            SAE-EXT-KEY                        : Disabled
            OWE                                : Disabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    SAE PWE Method                             : Hash to Element, Hunting and Pecking(H2E-HNP)
.
.
.
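
The two outputs above are only useful if someone reads every Enabled/Disabled line. The following is an added example, not code from the page or from Cisco, that parses the Security section of show wlan name output and flags anything that weakens a WLAN meant to run SAE-EXT-KEY with GCMP-256 only: a WPA/WPA2 IE that turns the profile into transition mode, an extra cipher, a weaker AKM advertised alongside, or a PWE method that still accepts Hunting and Pecking. The sample text is constructed in the shape of the page's output; the thresholds and the STRONG_AKMS set are this example's own policy, not a controller setting.

```python
import re

# Constructed sample, shaped like the Security section of "show wlan name" on
# this page (abridged: the controller prints more fields than are kept here).
SAMPLE_SHOW_WLAN = """\
WLAN Profile Name     : wpa3-sae-ext-key-profile
Network Name (SSID)                            : wpa3-sae-ext-key
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Disabled
        WPA3 (WPA3 IE)                         : Enabled
            AES Cipher                         : Disabled
            CCMP256 Cipher                     : Disabled
            GCMP128 Cipher                     : Disabled
            GCMP-256 Cipher                    : Enabled
        Auth Key Management
            802.1x                             : Disabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            FT SAE-EXT-KEY                     : Disabled
            Dot1x-SHA256                       : Disabled
            PSK-SHA256                         : Disabled
            SAE                                : Disabled
            SAE-EXT-KEY                        : Enabled
            OWE                                : Disabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    SAE PWE Method                             : Hash to Element, Hunting and Pecking(H2E-HNP)
"""

KV = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
STRONG_AKMS = {"SAE-EXT-KEY", "FT SAE-EXT-KEY"}   # the AKMs this profile is meant to offer


def parse_security(text):
    """Pull WPA versions, ciphers, AKMs and the SAE PWE method out of the show output."""
    sec = {"wpa": {}, "ciphers": {}, "akms": {}, "pwe": None}
    in_akm = False
    for line in text.splitlines():
        if line.strip() == "Auth Key Management":
            in_akm = True          # the lines that follow are AKM flags
            continue
        m = KV.match(line)
        if not m:
            continue               # headings and separators carry no colon
        key, val = m.group(1), m.group(2)
        on = val == "Enabled"
        if key == "SAE PWE Method":
            sec["pwe"], in_akm = val, False
        elif key.endswith(" Cipher"):
            sec["ciphers"][key[: -len(" Cipher")]] = on
        elif key.startswith(("WPA (", "WPA2 (", "WPA3 (")):
            sec["wpa"][key.split(" ")[0]] = on
        elif in_akm:
            sec["akms"][key] = on
    return sec


def audit(sec):
    """Findings that weaken a WLAN intended to be SAE-EXT-KEY + GCMP-256 only."""
    f = []
    for ver in ("WPA", "WPA2"):
        if sec["wpa"].get(ver):
            f.append(f"{ver} IE enabled: clients may fall back to {ver}")
    for c, on in sec["ciphers"].items():
        if on and c != "GCMP-256":
            f.append(f"cipher {c} enabled next to GCMP-256")
    for akm, on in sec["akms"].items():
        if on and akm not in STRONG_AKMS:
            f.append(f"AKM {akm} enabled next to SAE-EXT-KEY")
    if not any(sec["akms"].get(a) for a in STRONG_AKMS):
        f.append("neither SAE-EXT-KEY nor FT SAE-EXT-KEY is enabled")
    if sec["pwe"] and "Hunting and Pecking" in sec["pwe"]:
        f.append("SAE PWE method still accepts Hunting and Pecking; H2E-only is the conservative setting")
    return f


def flip(text, key, value):
    """Return a copy of the show output with one 'key : value' line changed (test helper)."""
    return re.sub(rf"^(\s*{re.escape(key)}\s*:\s*)\S.*$", rf"\g<1>{value}", text, flags=re.M)


if __name__ == "__main__":
    transition = flip(flip(flip(SAMPLE_SHOW_WLAN, "WPA2 (RSN IE)", "Enabled"),
                           "AES Cipher", "Enabled"), "PSK", "Enabled")
    for name, out in (("strict", SAMPLE_SHOW_WLAN), ("transition", transition)):
        print(name, audit(parse_security(out)) or ["clean"])
```

Run it against the real output of show wlan name for each WLAN and treat any finding as a review item; the strict sample above yields exactly one (the PWE method), while the constructed transition-mode variant yields four.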

Cipher and AKMs based on client MAC address

To confirm which cipher and AKM a specific client actually negotiated (as opposed to what the WLAN advertises), use this command with the client MAC address:

Device# show wireless client mac-address 3089.4aXX.f0XX detail
Client MAC Address : 3089.4aXX.f0XX
.
.
.
Policy Type : WPA3
Encryption Cipher : GCMP-256
Authentication Key Management : SAE-EXT-KEY
.
.
.
Client MAC Address : 3089.4aXX.f0XX
.
.
.
Policy Type : WPA3
Encryption Cipher : GCMP-256
Authentication Key Management : FT-SAE-EXT-KEY
.
.
.

AKM support statistics report

To view the AKM support statistics report, including the cumulative SAE and SAE-EXT-KEY counters, use this command:

Device# show wireless stats client detail
Total WPA3 SAE attempts                          : 71
Total WPA3 SAE successful authentications        : 9
  Total SAE-EXT-KEY successful authentications   : 3
Total WPA3 SAE authentication failures           : 22
  Total incomplete protocol failures             : 0
Total WPA3 SAE commit messages received          : 126
Total WPA3 SAE commit messages rejected                                 : 58
  Total unsupported group rejections                                    : 0
  Total PWE method mismatch for SAE Hash to Element commit received     : 0
  Total PWE method mismatch for SAE Hunting And Pecking commit received : 0
Total WPA3 SAE commit messages sent              : 175
Total WPA3 SAE confirm messages received         : 13
Total WPA3 SAE confirm messages rejected         : 4
  Total WPA3 SAE message confirm field mismatch  : 4
  Total WPA3 SAE confirm message invalid length  : 0
Total WPA3 SAE confirm messages sent             : 13
Total WPA3 SAE Open Sessions                     : 0
Total SAE Message drops due to throttling        : 0
Total WPA3 SAE Hash to Element commit received   : 111
Total WPA3 SAE Hunting and Pecking commit received : 15
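
These counters are cumulative, so they are most useful when polled on an interval and diffed. The following is an added example, not code from the page or from Cisco, that parses the SAE counters, derives per-interval deltas and a few ratios, and raises alerts on the numbers a security engineer actually cares about: the share of rejected commits, confirm-field mismatches (each one is a completed SAE exchange whose confirm did not verify, which is what a wrong passphrase guess against the SSID looks like), throttling drops, and PWE-method mismatches. The sample text is constructed from the page's output; the threshold constants are hypothetical and should be set from a baseline of normal join activity.

```python
import re

# Constructed sample in the shape of the SAE counters printed by
# "show wireless stats client detail" on this page. All counters are cumulative.
SAMPLE_STATS = """\
Total WPA3 SAE attempts                          :71
Total WPA3 SAE successful authentications        : 9
  Total SAE-EXT-KEY successful authentications   : 3
Total WPA3 SAE authentication failures           : 22
  Total incomplete protocol failures             : 0
Total WPA3 SAE commit messages received          : 126
Total WPA3 SAE commit messages rejected                                 : 58
  Total unsupported group rejections                                    : 0
  Total PWE method mismatch for SAE Hash to Element commit received     : 0
  Total PWE method mismatch for SAE Hunting And Pecking commit received : 0
Total WPA3 SAE commit messages sent              : 175
Total WPA3 SAE confirm messages received         : 13
Total WPA3 SAE confirm messages rejected         : 4
  Total WPA3 SAE message confirm field mismatch  : 4
  Total WPA3 SAE confirm message invalid length  : 0
Total WPA3 SAE confirm messages sent             : 13
Total WPA3 SAE Open Sessions                     : 0
Total SAE Message drops due to throttling        : 0
Total WPA3 SAE Hash to Element commit received   : 111
Total WPA3 SAE Hunting and Pecking commit received : 15
"""

# ":71" without a space and the ragged colon column are both tolerated.
COUNTER = re.compile(r"^\s*(Total .+?)\s*:\s*(\d+)\s*$", re.M)

# Counter names exactly as printed, so the checks below read clearly.
COMMIT_RX = "Total WPA3 SAE commit messages received"
COMMIT_REJ = "Total WPA3 SAE commit messages rejected"
CONFIRM_MISMATCH = "Total WPA3 SAE message confirm field mismatch"
SAE_OK = "Total WPA3 SAE successful authentications"
EXT_OK = "Total SAE-EXT-KEY successful authentications"
THROTTLED = "Total SAE Message drops due to throttling"
PWE_MM = ("Total PWE method mismatch for SAE Hash to Element commit received",
          "Total PWE method mismatch for SAE Hunting And Pecking commit received")

# Hypothetical thresholds for this example; set them from your own baseline.
MAX_COMMIT_REJECT_RATIO = 0.25
MAX_CONFIRM_MISMATCH = 0      # any confirm mismatch is a failed passphrase attempt


def parse_counters(text):
    """Map each 'Total ...' counter name to its integer value."""
    return {name: int(val) for name, val in COUNTER.findall(text)}


def delta(prev, cur):
    """Per-interval counts from two cumulative snapshots. A negative value
    means the counters were cleared between polls."""
    return {k: cur[k] - prev.get(k, 0) for k in cur}


def summarize(c):
    """Derived metrics from one snapshot (or from a delta)."""
    rx, rej = c.get(COMMIT_RX, 0), c.get(COMMIT_REJ, 0)
    ok, ext = c.get(SAE_OK, 0), c.get(EXT_OK, 0)
    return {
        "commit_reject_ratio": rej / rx if rx else 0.0,
        "confirm_mismatches": c.get(CONFIRM_MISMATCH, 0),
        "ext_key_share": ext / ok if ok else 0.0,   # SAE successes that used SAE-EXT-KEY
        "throttled": c.get(THROTTLED, 0),
        "pwe_mismatches": sum(c.get(k, 0) for k in PWE_MM),
    }


def sae_alerts(c):
    """Human-readable alerts for the conditions worth paging on."""
    s = summarize(c)
    a = []
    if s["commit_reject_ratio"] > MAX_COMMIT_REJECT_RATIO:
        a.append(f"{s['commit_reject_ratio']:.0%} of SAE commits rejected: "
                 f"client/WLAN mismatch or a flood of bogus commits")
    if s["confirm_mismatches"] > MAX_CONFIRM_MISMATCH:
        a.append(f"{s['confirm_mismatches']} confirm field mismatches: "
                 f"wrong passphrase attempts or forged confirms")
    if s["throttled"]:
        a.append(f"{s['throttled']} SAE messages dropped by throttling")
    if s["pwe_mismatches"]:
        a.append(f"{s['pwe_mismatches']} PWE method mismatches: "
                 f"client and WLAN disagree on H2E versus Hunting and Pecking")
    return a


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_STATS)
    print(summarize(counters))
    for line in sae_alerts(counters):
        print("ALERT:", line)
```

Feed delta(prev, cur) rather than a raw snapshot into sae_alerts when polling, so that a one-off burst of bad commits from last week does not keep the reject ratio above threshold forever.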

Verify AP beacon protection

To verify that beacon protection is enabled on a WLAN, per band, use this command:

Device# show wlan name wl-sae
WLAN Profile Name     : wl-sae 
================================================ 
Identifier                                     : 7 
Description                                    :  
Network Name (SSID)                            : wl-sae
<...>
Security
    Security-2.4GHz/5GHz
        <...>
        Beacon Protection                      : Enabled
    Security-6GHz
        <...>
        Beacon Protection                      : Enabled
<...>