Friday, December 2, 2022

WLAN/SSID Security Migration into 6GHz Networks


With the introduction of Wi-Fi 6E/6GHz, there is a huge increase in available RF space, multiplying the overall total capacity of any wireless network and, at the same time, removing sources of interference and noise. This increase in performance and quality of the wireless connections will be really exciting and bring many opportunities, but it will come with the price of new and better security requirements for our WLAN/SSID configuration migration.

The new standard didn’t leave security out of the picture, and any new device supporting 6GHz will be required to support “only” the following security standards while in the new band:

  • WPA3: this enforces mandatory Protected Management Frames (PMF/802.11w)
  • Opportunistic Key Encryption (OWE). This replaces the concept of “Open SSID” and allows encryption across devices without any authentication
  • Simultaneous Authentication of Equals (SAE). This takes the role of PSK (also called “personal”) authentication methods, but makes it resistant to offline password attacks, with improved cryptographic algorithms

There are as well provisions for more advanced encryption methods (WPA3 Enterprise-192), and several important things that must “not be supported”, for example: PMF disabled/optional, TKIP, WEP, etc.

What does this mean for 6GHz deployments?

Well… in the rare case of a greenfield 6GHz deployment, it would be just “awesome, we get new improved security standards by default”…

The problem is that almost all deployments will not be greenfield. You will have to support the coexistence of all existing networks and devices with the new standard, and migrate existing networks to include the new 6GHz access points and clients.

What’s more: with few honorable exceptions, most of the existing WLAN/SSIDs configured out there for 2.4 and 5 will “not” work over 6GHz radios, as they don’t meet the new security requirements.

This means your SSID supporting WPA2 Enterprise (802.1x) can’t be broadcast directly in 6GHz… same for any existing Webauth or WPA2-PSK SSIDs. All of them will need to be changed to adapt to the new standard. To ensure things are done properly, this will need planning and, quite possibly, careful testing.

Changes also mean concerns about backward compatibility: older devices may not like or support the new security settings, so this isn’t just a matter of flipping a configuration switch and hoping it works.

The good thing is that there are different options for handling brownfield scenarios, with proper and natural coexistence of the new APs and clients supporting WPA3 and 6GHz with older devices still stuck supporting WPA2 or older standards. Each one has its benefits and implementation costs, so it is important to plan properly.

Figure 1. Radio Policy and 6GHz support


Transition mode

Some people may come back with “But transition mode is available, we should be able to set this WLAN with WPA2/WPA3 transition and get it done”. Unfortunately, things are not so simple. This mode was created to introduce WPA3 into legacy bands, not to make 6GHz adoption easy.

WPA3 describes transition mode as a kind of hybrid WPA2/WPA3 scenario, with PMF set to optional and the group key using legacy crypto. This is not allowed in 6GHz, so we can’t just flip the existing WLAN from WPA2 to transition mode and get it done… it simply can’t be supported in the new band.
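
The 6GHz requirements listed earlier and the transition mode restriction just described can be expressed as a check over WLAN profiles. This is an added example, not code from the original article or from any vendor; the profile fields and values are hypothetical, and the sample profiles are constructed from the SSID design the article uses in its options.

```python
# Added example. Field names and values are hypothetical, not a controller schema.
LEGACY_CIPHERS = {"WEP", "TKIP"}
# 802.1X is included because the article's 6GHz profile uses WPA3 with 802.1x.
ALLOWED_AKMS = {"SAE", "OWE", "802.1X"}


def six_ghz_violations(p):
    """Return the reasons a WLAN profile cannot be enabled on 6GHz radios."""
    reasons = []
    if "WPA3" not in p["wpa"]:
        reasons.append("WPA3 not enabled")
    elif p["wpa"] != {"WPA3"}:
        reasons.append("WPA2/WPA3 transition mode")
    if p["pmf"] != "required":
        reasons.append("PMF is %s, must be required" % p["pmf"])
    for cipher in sorted(p["ciphers"] & LEGACY_CIPHERS):
        reasons.append("legacy cipher %s" % cipher)
    if not p["akm"]:
        reasons.append("open SSID without OWE")
    for akm in sorted(p["akm"] - ALLOWED_AKMS):
        reasons.append("%s authentication not allowed" % akm)
    return reasons


def profile(wpa, pmf, ciphers, akm):
    return {"wpa": set(wpa), "pmf": pmf, "ciphers": set(ciphers), "akm": set(akm)}


# Constructed sample: the SSID design used in the article's options.
PROFILES = {
    "mycompany": profile(["WPA2"], "disabled", ["CCMP"], ["802.1X"]),
    "mycompany (transition)": profile(["WPA2", "WPA3"], "optional", ["CCMP"], ["802.1X"]),
    "mycompanyGuest": profile([], "disabled", [], []),
    "mycompanyIOT": profile(["WPA2"], "disabled", ["CCMP"], ["PSK"]),
    "mycompanyNG": profile(["WPA3"], "required", ["CCMP"], ["802.1X"]),
}


def audit(profiles):
    """Map each profile name to its list of 6GHz violations (empty = eligible)."""
    return {name: six_ghz_violations(p) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, reasons in audit(PROFILES).items():
        print(name, "->", "eligible for 6GHz" if not reasons else "; ".join(reasons))
```
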

Transition mode is an excellent way to handle a migration to a more secure standard in the legacy bands. Older devices can coexist on the same SSID with new devices supporting WPA3/PMF, allowing a smoother migration, but the price to pay is compatibility. Several clients may behave erratically, or simply fail to connect to a transition mode SSID, even when what they support is still allowed. Plus, this alone can’t solve the mandatory 6GHz security requirements.

One word of caution: there is a related feature called “Transition Disable”, which can be set in the WLAN Security tab, in the WPA Parameters area.

Figure 2. Transition Disable location

This setting tells the client that, once it has connected successfully to WPA3, it should migrate its SSID profile to support “only” WPA3, and not connect back to WPA2 if that is the only option available. On one side, this is good for security, as it will migrate all client devices to WPA3 only as they join the transition mode WLAN. But if the network is composed of multiple physical locations, for example with some set to WPA2 and others to WPA3/WPA2 transition mode, this will cause the migrated clients to fail when moved to a location with WPA2 only.
This is a possible scenario for some large networks, with the same SSID covering different controllers/AP setups and with configurations not matching 100%. The largest example would be Eduroam, which shares the same SSID name worldwide. Setting this could cause serious issues for clients moving across different network providers, so please use this with care, and only if you can ensure the same security setting is set properly across all network locations.
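
The multi-location risk described above can be checked before enabling Transition Disable by comparing the security mode of every location that broadcasts the same SSID. This is an added example, not part of the original article; the site names, field names and inventory format are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample inventory. Site names and field names are hypothetical.
SITES = [
    {"site": "campus-a", "ssid": "mycompany", "mode": "transition", "transition_disable": True},
    {"site": "campus-b", "ssid": "mycompany", "mode": "wpa2", "transition_disable": False},
    {"site": "campus-c", "ssid": "mycompany", "mode": "wpa3", "transition_disable": False},
    {"site": "campus-a", "ssid": "mycompanyGuest", "mode": "transition", "transition_disable": False},
    {"site": "campus-b", "ssid": "mycompanyGuest", "mode": "wpa2", "transition_disable": False},
]


def transition_disable_conflicts(sites):
    """Return {ssid: (sites setting Transition Disable, WPA2-only sites)}.

    An SSID is listed only when both groups are non-empty, i.e. a client
    migrated to WPA3-only at one site would fail to join at another.
    """
    by_ssid = defaultdict(list)
    for entry in sites:
        by_ssid[entry["ssid"]].append(entry)

    conflicts = {}
    for ssid, entries in by_ssid.items():
        # Sites where a client is told to stop accepting WPA2 for this SSID.
        setters = sorted(e["site"] for e in entries
                         if e["mode"] == "transition" and e["transition_disable"])
        # Sites where that client would then find WPA2 only.
        wpa2_only = sorted(e["site"] for e in entries if e["mode"] == "wpa2")
        if setters and wpa2_only:
            conflicts[ssid] = (setters, wpa2_only)
    return conflicts


if __name__ == "__main__":
    for ssid, (setters, wpa2_only) in transition_disable_conflicts(SITES).items():
        print("%s: Transition Disable set at %s, WPA2 only at %s"
              % (ssid, ", ".join(setters), ", ".join(wpa2_only)))
```
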

So, what options do we have?

Option 1: Everybody Moves

This is the most radical solution. Here we move all SSIDs to WPA3, SAE, or OWE, with a single SSID across all bands. This means all legacy security support will be removed across all SSIDs.

This is only feasible for the greenfield scenario, or when we have absolute control of all clients’ device versions and configurations. It is highly likely that customers will never go this route.

Client support

  • Apple iOS: on 15.1, it does support WPA3/PMF and SAE, but it does not support OWE. SAE support is not compatible with 6GHz requirements
  • Android: supports WPA3/PMF/SAE since version 10
  • Windows: supported in 11, but should work on version 10-2004

Cons

  • There is a large list of compatibility issues regarding some of the requirements, and implementing this option will lead to compatibility issues as soon as any older device tries to connect
  • Migrating the SSID profile on clients may be problematic, depending on operating systems. Several devices will use the higher security options right away, others will need to be adjusted

Pros

  • No need for additional SSIDs
  • Removes any older low-security SSIDs

Option 2: Tailored SSIDs

In this scenario, the idea is to create new SSIDs, specifically focused on functionality, with support on each band as needed. New SSIDs can be created for 6GHz support, optionally broadcast in other bands.

This maximizes backward compatibility, as it leaves anything existing “untouched”.

For example, a company may have an existing SSID design as:

  • Legacy SSID: mycompany, broadcast in 5 GHz supporting WPA2 Enterprise
  • Guest SSID: mycompanyGuest, supporting webauth in 2.4 and 5 GHz
  • IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz

What we would add:

  • Wi-Fi 6 specific SSID: mycompanyNG, broadcast on 5 and 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

  • A new SSID will need to be created and broadcast
  • Additional profile configuration across devices. Depending on client management being available, this can be a daunting task
  • SSID names are a sensitive subject for customers. Picking a new name may not be simple in some instances

Pros

  • No impact on anything already existing
  • You can have a gradual migration of devices supporting the new security standards (WPA3) to the new SSID, without having to do a risky forklift in the client profile configuration
  • Fast roaming supported between bands for the same WLAN

Option 3: Same SSID, two WLAN profiles, using transition mode

Keeping the same SSID across bands, this option touches your existing WLAN profile, changing it to WPA3 transition mode and restricting it to 2.4 and 5GHz. It also adds a new profile, just for 6GHz, with the required security settings.

Following on our previous example:

  • Legacy SSID: mycompany, WLAN profile mycompany, broadcast in 5 GHz. Changed now to support WPA2 Enterprise and WPA3 in transition mode
  • Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
  • IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz

What we would add:

  • Wi-Fi 6 specific WLAN profile: same mycompany SSID, with a different profile name, mycompanyNG, broadcast on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

  • Several client vendors have issues handling WPA3 transition mode properly
  • Clients may not like the same SSID with different security settings across bands.
  • Roaming is not supported across WLANs. A client authenticated in 5 GHz must do full authentication when moving into 6

Pros

  • No new SSIDs on the client side to be managed
  • Devices supporting WPA3 will connect in legacy bands with the higher security standard. This will help with security migration
  • As we have the same SSID name across bands, clients will be able to fall back from 6 to 2.4/5 in case of any coverage problem

Option 4: Same SSID, two WLAN profiles, no transition

This is basically a small variation of option 3. The existing profile is left untouched, and we add a 6GHz specific WLAN profile:

  • Legacy SSID: mycompany, WLAN profile mycompany, broadcast in 5 GHz. WPA2-Enterprise
  • Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz
  • IoT: mycompanyIOT, with WPA2-PSK, for limited sensor/telemetry devices in 2.4 GHz

What we would add:

  • Wi-Fi 6 specific WLAN profile: same mycompany SSID, with a different profile name, mycompanyNG, broadcast on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

  • Clients may not like the same SSID with different security settings across bands. This is yet to be confirmed; so far, no issues reported in testing
  • Roaming across WLANs is not supported. A client authenticated in 5 GHz must do full authentication when moving into 6
  • Legacy bands will be stuck on lower security protocols

Pros

  • No new SSIDs to be managed on the client side
  • As we have the same SSID name across bands, clients will be able to fall back from 6 to 2.4/5 in case of any coverage problem
  • Avoids any client interoperability issues with transition mode

Too many options, but which is the best?

For most customers, option 4 (new WLAN profile, same name, new security) is what will be implemented most of the time, as it allows deployments while reducing most risks.

For customers that want better security, option 2 (specific SSID) or option 3 (change to transition mode, add new profile for 6) will be the best suited.

And for sure, don’t move WPA2 networks to WPA2/WPA3 transition mode without validating with your existing clients, especially if there are any legacy or custom devices present.

 

For more information on this topic

