Hi @Fae 

Thank you for this clarification!  I stand corrected.

It's can be difficult to keep track of which specific models support which specific features (802.11r, MESH, WPA3, etc.).  It might be useful to have a matrix that compares the different models, release dates, capabilities.  Between the different model numbers and revisions, it's not always easy to tell which models are newer, older, which chipsets they have, and the corresponding capabilities..

Similarly, many newer customers aren't aware of which which features require controller software for support.  And even older customers like me, get lost and confused with all of the dependencies and compatibilities for many of the newer features.

Fast Roaming is a great example.  There's a huge amount of (misdirected?) interest in this new capability.  But actually making it work and finding clients to that support it is much harder than people realized.  E.g. MacOS does not.  Windows 10 does not (unless you use 802.1X -- which no one does at home).  I assumed client support was more widespread because iOS supports it. 

Not to mention understanfing which EAP's support it, which STA NIC hardware, drivers, and OS'es support it, etc.  This might make for a goo whitepaper or application note.

-Jonathan

Hi @Lobster4,

True WPA3 is actually a very new capability that fundamentally changes the way the client/AP association & encryption handshake takes place.  With WEP/WPA1/WPA2 a lot of the initial back and forth between the client and AP (aka management frames) are unencrypted -- until the client is fully associated -- then user data frames are encrypted.

99% of the time this is not a concern, but in a high density environemnt (like a coffee shop, internet cafe, appartment highrise) unscrupulous individuals can intervene in the middle of this process and capture client details (like MAC address, hostname, etc.) and masquerade as a fake client or a fake access point by intercepting the regular, unencrypted WPA1 & WPA2 management frames.  They can also cause denials of service by injecting bogus management frames causing clients to disconnect.

https://www.diffen.com/difference/WPA2_vs_WPA3

While exploitation does happen in the wild.  The reality is that it's pretty rare.  It's likely never going to happen in your home, small business, or house of worship.  It's most likely to happen in a location with a bunch of wireless users conducting business (Starbucks, internet cafe, university library, etc.) where you have a bored technically savy invdividual who is looking to try and make a quick buck, steal free internet access, or harass an annoying neighbor through a denial of service attack.

WPA3 also forces more complex encryption cryptography as well so all of the encrypted data between your laptop and the AP are more secure.  Of course, this data is frequently encrypted at least one or two more times as well (inside of the STA to AP connection).  Nearly every website you go to today uses SSL or TLS to encypt the connection between the browser and the website you are connecting to.  And most businesses and many private indivividuals are using VPN as well.

So, for example, when I read my GMAIL, the connection between Chrome and Google's server is TLS encrypted.  This encrypted stream is encrypted again as it travels over my company's VPN connection (DTLS, RSA AES256 SHA, encrypted).  And finally it's encrypted again using WPA2/AES as it travels wireless from my laptop to the AP.

Generally speaking modern encyption protocols, and multiple layers of encryption are so time consuming to try and hack, that it's just not worth it.  That's why many of the exploits focus on some of the weaker / hidden vulnerabilities in the overall process.

Good luck with your new EAP!  I hope you love it.  I really like mine.  FYI, the "MESH" feature only comes into play if you are going to have EAP's that are not Ethernet connected.  This is helpful in certain cases (like my outdoor access point in the garden that I don't want to run Ethernet to).  But generally speaking, if you plan to run Ethernet to all of your AP's then MESH is not used.

Similarly, there is a lot of interest in Fast Roaming (802.11r) -- which also requires the Omada controller --  but the reality is that most clients (MacOS, Windows 10 w/WPA2-PSK) won't do Fast Roaming yet.  Though iOS devices do.  Not sure about Android.

JSchnee21 wrote

Hi @Lobster4,

 

 

 

Good luck with your new EAP!  I hope you love it.  I really like mine.  FYI, the "MESH" feature only comes into play if you are going to have EAP's that are not Ethernet connected.  This is helpful in certain cases (like my outdoor access point in the garden that I don't want to run Ethernet to).  But generally speaking, if you plan to run Ethernet to all of your AP's then MESH is not used.

 

Similarly, there is a lot of interest in Fast Roaming (802.11r) -- which also requires the Omada controller --  but the reality is that most clients (MacOS, Windows 10 w/WPA2-PSK) won't do Fast Roaming yet.  Though iOS devices do.  Not sure about Android.

@JSchnee21 

ooohhh.  Well that's interesting.  I didn't know that.  So the "Mesh" feature is only used with EAP's that are specifically NOT connected via an Ethernet wire?  I have a need for exactly that in the lobby area where the signal is a little weak and we can't run a network wire.  So all I have to do is plug it into a power source, then it's configured somewhat like an extender/repeater?  And I can configure it via the Omada Controller software?

@Fae 

Interesting stuff.  I will definitely have a need for the Mesh feature.

It says I have to always keep the controller software running, but then says:

Note: If your Omada Controller is accidentally shut down, as long as the Mesh relationships among Mesh APs are not changed, the Mesh network can maintain the basic Wi-Fi coverage, but it can’t be managed or changed, the Auto Failover/Fast Roaming and most of the advanced features will not work.

I won't be running the controller constantly on a computer, but as long as the basic wifi still works with the controller shut down, I think it will still work fine for me.

I'm also wondering is this is what the OC200 controller would be for, so I don't have to always have the software running on a PC.  I have to look into that too.

Thanks again.