Problems with WPA3


I am hearing a lot of chatter about WPA3, and about the problems people are having with it.

So, what’s the main problem? WPA3 has brought about a new era of secure networking, so shouldn’t everything be rosy?

You have WPA3-SAE (the replacement for PSK). It stops WPA3 being vulnerable to dictionary or brute-force password guessing.
There is PMF (802.11w), which protects management frames and stops de-authentication attacks.
We have 192-bit mode, a more secure form of encryption than 128-bit, for the truly paranoid.
There is also transition mode, to soften the blow of a hard changeover to WPA3. This allows older legacy clients to still connect using WPA2.

All of these are great, and WPA3 fixes a lot of problems with WPA2. But, unfortunately, WPA3 introduces a new set of problems. Basically, 6GHz is WPA3 only. Some companies are turning on transition mode on 5GHz so that older legacy clients that do not support WPA3 can still connect easily.

This sounds great, but what we are finding is that there are issues when roaming from 6GHz to 5GHz. If the client is connected on 6GHz, where WPA3 only is set, and it roams to 5GHz, where transition mode is set, the roam can fail, especially if you are using 802.11r (FT). You can also get problems when roaming the other way!

Customers cannot just change all their client devices to be WPA3 compatible overnight, and some older clients are never going to be WPA3 compatible (old legacy bar code scanners, for example).

There are many solutions under discussion.
The one I want to propose here is quite simple: run multiple SSIDs!
WHAT!?!?! Yes, multiple SSIDs!
Run an SSID on 6GHz and 5GHz that is WPA3-SAE only, then run a second SSID that is WPA2-PSK only, on 5GHz.

This simple step fixes most problems.
“Ah, but can we run that many SSIDs?” I hear you ask. My answer: sure, you can! Multiple SSIDs were only really a problem on 2.4GHz with the 1Mbps broadcast rate enabled. A word of caution: this can still be a problem if you get carried away, but running two SSIDs like this shouldn’t break the bank.

Obviously, test this and take appropriate advice if you need to. Don’t rush out and do this without proper planning and forethought.

A similar approach can be taken for PMF: turn it on (required) for the WPA3 SSID, on both 6GHz and 5GHz, and leave it in transition mode (optional) on the 5GHz legacy SSID. You should find that if a client supports WPA3, it also supports PMF.
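As an added example that is not part of this post, here is a small Python check that applies the rules above to a constructed BSS inventory: the single-SSID transition layout is flagged as a roaming risk, and the dual-SSID layout passes. The SSID names, band labels and the hostapd-style key_mgmt/pmf values are assumptions, not a real site survey.

```python
from collections import defaultdict

# Constructed inventory, one entry per (SSID, band).  key_mgmt uses hostapd-style
# AKM names; pmf follows hostapd's ieee80211w: 0 = off, 1 = optional, 2 = required.
SINGLE_SSID_TRANSITION = [
    {"ssid": "corp", "band": "6g", "key_mgmt": "SAE", "pmf": 2},
    {"ssid": "corp", "band": "5g", "key_mgmt": "WPA-PSK SAE", "pmf": 1},
]
DUAL_SSID = [
    {"ssid": "corp-wpa3", "band": "6g", "key_mgmt": "SAE", "pmf": 2},
    {"ssid": "corp-wpa3", "band": "5g", "key_mgmt": "SAE", "pmf": 2},
    {"ssid": "corp-legacy", "band": "5g", "key_mgmt": "WPA-PSK", "pmf": 1},
]


def check_roaming_risks(bsses):
    """Return a list of findings; an empty list means the layout follows the dual-SSID advice."""
    findings = []
    by_ssid = defaultdict(list)
    for bss in bsses:
        by_ssid[bss["ssid"]].append(bss)
    for ssid, entries in by_ssid.items():
        akm_sets = {frozenset(e["key_mgmt"].split()) for e in entries}
        # Same SSID but a different AKM set per band: the 6GHz<->5GHz roam can fail,
        # and 802.11r (FT) makes it worse because the client expects one security config.
        if len(akm_sets) > 1:
            findings.append(f"{ssid}: key management differs across bands (roam may fail, worse with FT)")
        if len({e["pmf"] for e in entries}) > 1:
            findings.append(f"{ssid}: PMF setting differs across bands")
        for e in entries:
            akms = set(e["key_mgmt"].split())
            if e["band"] == "6g" and "WPA-PSK" in akms:
                findings.append(f"{ssid}: WPA2-PSK offered on 6GHz, which is WPA3-only")
            if akms == {"SAE"} and e["pmf"] != 2:
                findings.append(f"{ssid}/{e['band']}: SAE-only BSS must require PMF")
            if "SAE" in akms and "WPA-PSK" in akms and e["pmf"] == 0:
                findings.append(f"{ssid}/{e['band']}: transition mode needs PMF at least optional")
    return findings


if __name__ == "__main__":
    for name, layout in (("single SSID (transition)", SINGLE_SSID_TRANSITION), ("dual SSID", DUAL_SSID)):
        print(name, "->", check_roaming_risks(layout) or ["no findings"])
```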

Obviously, test this to the extreme, but running this dual-SSID model should fix most problems.
That’s it for now, see you next time!
