Configuring WPA3 Encryption

Aruba Central (on-premises) supports WPA3 encryption for security profiles in SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. creation for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 firmware version and above. The WPA3 security provides robust protection with unique encryption per user session thereby ensuring a highly secured connection even on a public Wi-FiWi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. hotspotHotspot refers to a WLAN node that provides Internet connection and virtual private network (VPN) access from a given location. A business traveler, for example, with a laptop equipped for Wi-Fi can look up a local hotspot, contact it, and get connected through its network to reach the Internet..

The following are the WPA3 encryptions based on the Enterprise, Personal, or Open network types:

• WPA-3 Enterprise when the security level is Enterprise.
• WPA-3 Personal when the security level is Personal.
• Enhanced Open when the security level is Open.

WPA3 Enterprise

WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards includes:

• Deriving at least 384-bit PMKPairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. /MSK using Suite B compatible EAP-TLSEAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216..
• Securing pairwise data between STA and authenticator using AESAdvanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256.
• Securing group addressed data between STA and authenticator using AES-GCM-256.
• Securing group addressed management frames using BIP-GMAC-256.

WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probes response, or 802.11802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. association:

• AKM Suite Selector as 00-0F-ACAccess Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:12
• Pairwise Cipher Suite Selector as 00-0F-AC:9
• Group data cipher suite selector as 00-0F-AC:9
• Group management cipher suite (MFP) selector as 00-0F-AC:12

If WPA3-Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.

To configure WPA3 for enterprise security, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click WLANs tab.

   The WLANsWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. detail page is displayed.

5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
6. Click the Security tab.
7. Select Enterprise from the Security Level.

   The authentication options applicable to the Enterprise network are displayed.

8. Select one of the following from the Key Management drop-down list:
   • WPA-3 Enterprise(GCM 256)—Select this option to use WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
   • WPA-3 Enterprise(CCM 128)—Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
9. Click Save Settings.

Configuring WPA3 for Personal Security

To configure WPA3 for personal security, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click WLANs tab.

   The WLANs detail page is displayed.

5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level.

   The authentication options applicable to the Personal network are displayed.

8. Select WPA-3 Personal from the Key Management drop-down list.
9. Click Save Settings.