WPA3 Enterprise on Omada… Maybe not?

2024-06-14 07:25:54

Hi TP Link and everyone,

 

I'm experiencing strange behavior when trying to utilize WPA3-Enterprise on your product. Some of the findings:

 

- External analysis tools tend to report the SSID's capabilities as WPA2-Enterprise or "unknown"

- Clients connect and show WPA2-Enterprise instead of 3

- The selection drop-down in the controller is WPA2/WPA3-Enterprise implying that you can't force it to *only* WPA3 Enterprise

- Some clients (Windows) seem to state on the client end that they are able to use WPA3-Enterprise

- Where is 192-bit mode?

 

There is a single thread in this forum where commenters mentioned that the server certificate must be a trusted certificate from a *public* CA in order for WPA3 to work, otherwise it falls back to WPA2. I take exception to that on two counts:

 

1.) Automatic fallback is nightmarish for security. Would anyone here be okay with WPA falling back to WEP if WPA failed? Falling back to a broken/less secure protocol would not be an okay behavior. If it is misconfigured, it should simply fail to connect.

 

2.) In my network, I roll my own PKI using a root CA built in OPNSense with server and client certificates issued from it. I have installed the CA as a trusted root on all of my subordinate network devices (clients, Omada controller, RADIUS server, etc.). 802.11w (PMF) is required as per the WPA3 spec. The Wi-Fi Alliance itself details on slide 20 of this document that SCV should work so long as the CA is trusted:

 

https://www.wi-fi.org/system/files/202012_Wi-Fi_Security_Roadmap_and_WPA3_Updates.pdf

 

Furthermore, when I did use a server certificate from a public CA on the RADIUS server (Let's Encrypt), WPA3 still failed.

 

From this bizarre fallback behavior, inability to select *only* WPA3 Enterprise instead of a mixed 2/3 option, lack of 192-bit mode, and inconsistent behavior, my conclusion is that TP-Link has only partially implemented support for WPA3 Enterprise within Omada and its constituent products. 

 

What say you TP-Link?

Re:WPA3 Enterprise on Omada… Maybe not?
2024-06-17 03:15:48

Hi  @motoronion 

 

May I have the model number and firmware version of your EAPs?

 

Not all EAP models can support WPA3 fully. 

 

BTW I can see WPA3-AES only mode on my controller. Please also confirm the controller version you are testing.

 

motoronion wrote

 

- The selection drop-down in the controller is WPA2/WPA3-Enterprise implying that you can't force it to *only* WPA3 Enterprise

Re:WPA3 Enterprise on Omada… Maybe not?
2024-06-17 10:14:34

  @Fae Hi, and thanks for getting back to me.

 

Re: the Edit Wireless Network page. You are right, it is WPA3-Enterprise only in the "WPA Mode" field. My mistake.

 

However, devices are still falling back to WPA2-Enterprise.

 

APs are:

 

2x EAP655-Wall(US) v1.0
 

Firmware on both:

 

1.2.7 Build 20240312 Rel. 58286

 

Controller version:

 

5.13.30.8 running on Debian
Re:WPA3 Enterprise on Omada… Maybe not?
2024-06-17 23:45:03

Hi  @motoronion,

 

May I have the Windows PC network card/adapter model you are testing?

 

I'm going to run the test on my end.

motoronion wrote

 

- Some clients (Windows) seem to state on the client end that they are able to use WPA3-Enterprise

 

 

Re:WPA3 Enterprise on Omada… Maybe not?
2024-06-18 00:26:03

Hi  @motoronion 

 

Could you please also try wireless security WPA2/WPA3-Personal? Will the devices choose WPA2 instead of WPA3?

 

Please also share with us the model of your Windows PC network card/adapter; we are going to test it on our side.

motoronion wrote

 

- Some clients (Windows) seem to state on the client end that they are able to use WPA3-Enterprise

 

 

Re:WPA3 Enterprise on Omada… Maybe not?
2024-08-13 16:57:18

I'm having the same issue.


Testing with EAP653 which supports WPA3-Personal/Enterprise.

 

AP FW = 1.0.14

Controller FW = 5.13.30.8

Client = Win10 22H2 with Intel Wi-Fi 6 AX201 and current driver (supports WPA3 Personal + Enterprise)

 

With "WPA-Personal" -> "WPA2-PSK/WPA3-SAE" configured, client correctly reports WPA3-Personal (and works).

 

With "WPA-Enterprise" -> "WPA3-Enterprise/AES" configured, client reports WPA2-Enterprise (also works).

 

What is necessary to really use WPA3 here?

 

Re:WPA3 Enterprise on Omada… Maybe not?
2024-08-26 15:58:37 - last edited 2024-08-26 23:50:24

  @dneuhaeuser 

 

dneuhaeuser,

 

See my comment about WPA3 Enterprise encryption support here.

 

If you are using WPA3-Enterprise Transition mode with CCM-128 (CCMP), then Windows settings and Windows' "netsh wlan show interface" command will show "Authentication : WPA2-Enterprise" because that is fundamentally what it is. Only WPA3-Enterprise "Enterprise only" mode with GCM-256, or WPA3-Enterprise Suite-B 192-bit CNSA encryption, will report as true WPA3-Enterprise.

Re:WPA3 Enterprise on Omada… Maybe not?
2024-08-26 16:31:04 - last edited 2024-08-26 16:56:21

Also, looking at the standalone configuration of EAP660/653, the only WPA3-Enterprise encryption available is "AES".

So I guess these models do not seem to support GCM-256 or CNSA... right?

 

Is there a list somewhere of which EAPs actually have full WPA3-Enterprise support?

 

Re:WPA3 Enterprise on Omada… Maybe not?
2024-08-27 22:14:29

AES is still used in WPA3. What you are referring to is the block cipher mode (CBC vs GCM), with GCM being the newer/better way. WPA3 fully implemented should be AES-256-GCM with SHA-384 HMAC. It is possible that the Omada hardware line has differing encryption support between EAP models... and this is something that TP-Link should provide an answer to since the product page does not enumerate all the supported encryption modes for each EAP.

 

I'm still facing the above problem where Windows devices are reporting WPA3-Enterprise, but Android devices are reporting WPA2-Enterprise. I probably do need to check the authentication for the Windows clients to see if it is actually WPA3. Either way, unexpected behavior is occurring.
