WPA3-Enterprise EAP-TLS on WAP650

Tuesday - last edited Yesterday
Model: EAP650  
Hardware Version: V1
Firmware Version: 1.1.2

I have successfully tested WPA2 Enterprise EAP-TLS on the Omada 650. 

However, when I switch to WPA3-Enterprise by setting the SSID properties "Security Mode"->WPA-Enterprise and "Version"->WPA3-Enterprise, my client keeps getting forced into a WPA2-Enterprise connection.

I am using wpa_supplicant on a Rpi4 to test. 

I am using OpenSSL certificates where my CA certificate is self-signed. I am running FreeRADIUS on an Ubuntu laptop.

Any help would be great.


#1
1 Accepted Solution
Re:WPA3-Enterprise EAP-TLS on WAP650-Solution
Yesterday - last edited Yesterday

Hi @AnandEdwin

Thanks for posting here.

Here are some troubleshooting steps you may refer to:

1. Verify Device Compatibility
- Client Support: Ensure the RPi4's Wi-Fi adapter and `wpa_supplicant` version support WPA3-Enterprise (check for `wpa_supplicant 2.10+`).
  - Check version: `wpa_supplicant -v`
  - Update: `sudo apt upgrade wpasupplicant`

2. Check FreeRADIUS Configuration 
- EAP Type Restrictions: Ensure FreeRADIUS is not forcing WPA2-compatible EAP methods.  
  - In `mods-enabled/eap`, verify:  
    ```ini
    tls {
        tls1_3 = yes  # Enable TLS 1.3 (recommended for WPA3)
    }
    ```  
- Certificate Requirements: WPA3-Enterprise has stricter certificate rules:  
  - Key length **≥2048 bits** (especially for CA and server certs).  
  - Extended Key Usage (EKU) must include `TLS Web Server Authentication` and `TLS Web Client Authentication`.  
3. wpa_supplicant Configuration  
Ensure the client config (`/etc/wpa_supplicant.conf`) explicitly enables WPA3:  
```plaintext
network={
    ssid="Your_SSID"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="client@example.com"
    ca_cert="/path/to/ca.pem"
    client_cert="/path/to/client.pem"
    private_key="/path/to/client.key"
    # private_key_passwd="..."   # only if client.key is encrypted
    # phase2="auth=MSCHAPV2"     # only for EAP-TTLS/PEAP, not used with eap=TLS
    ieee80211w=2  # Mandatory for WPA3 (enables PMF)
}
```
Key parameters:
- `ieee80211w=2` → Enforces PMF (required for WPA3).
- If still falling back, try adding `proto=RSN` (forces WPA2/WPA3 RSN protocol).

4. Other Possible Issues
- Driver Limitations: The RPi4's Wi-Fi driver (e.g., `brcmfmac`) may lack WPA3 support—try updating the kernel or using a different adapter (e.g., Intel AX200).
- Time Sync: Certificate validation depends on system time—ensure NTP sync between client and server.

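A combined worked example for steps 2 and 3 of the answer above. It is added here and is not code from the thread, from TP-Link, FreeRADIUS or wpa_supplicant: a POSIX shell script that builds a throwaway OpenSSL PKI, checks each certificate for the EKU and the 2048-bit key the answer calls for, verifies that the leaf chains to the CA (the check the supplicant performs against its `ca_cert=` entry), and lints a `wpa_supplicant` network block for `ieee80211w=2`, `key_mgmt`, `eap=TLS` and a stray `phase2=`. It assumes `openssl` 1.1.1 or newer on the PATH; the CA name `lab-ca`, the names `radius.lab.example` and `client@lab.example`, the `/etc/ssl/lab` paths and both sample network blocks are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway EAP-TLS PKI with
# OpenSSL, check the certificate properties the answer asks for (EKU, key
# size, chain to the CA) and lint a wpa_supplicant network block for WPA3.
# Assumes openssl >= 1.1.1; lab-ca, radius.lab.example, client@lab.example are constructed.
set -u

# Self-signed CA plus RADIUS server and client certs (RSA 2048) in dir $1.
gen_test_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=lab-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    for role in server client; do
        case $role in
            server) eku=serverAuth; cn=radius.lab.example ;;
            client) eku=clientAuth; cn=client@lab.example ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$role.key" -out "$d/$role.csr" >/dev/null 2>&1
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$d/$role.ext"
        openssl x509 -req -in "$d/$role.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 7 -extfile "$d/$role.ext" \
            -out "$d/$role.pem" >/dev/null 2>&1
    done
}

# "ok" when cert $1 carries the EKU expected for role $2; the strings are
# what `openssl x509 -text` prints for the serverAuth/clientAuth OIDs.
check_eku() {
    case $2 in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "unknown role $2"; return 1 ;;
    esac
    if openssl x509 -in "$1" -noout -text | grep -q "$want"; then echo ok
    else echo "missing EKU: $want"; return 1; fi
}
# RSA modulus size of cert $1 (the answer asks for >= 2048).
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# "ok" when cert $2 chains to CA $1: the check the supplicant performs
# against ca_cert= before it presents its own client certificate.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok
    else echo "chain verification failed"; return 1; fi
}

# Lint a wpa_supplicant network block (file $1) for the WPA3-Enterprise
# settings discussed above: prints "ok" or one finding per line.
check_wpa3_conf() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*ieee80211w=2' "$f" || { echo "ieee80211w=2 missing: PMF is mandatory for WPA3"; rc=1; }
    grep -Eq '^[[:space:]]*key_mgmt=.*WPA-EAP' "$f" || { echo "key_mgmt must include WPA-EAP"; rc=1; }
    grep -Eq '^[[:space:]]*eap=TLS' "$f" || { echo "eap=TLS missing"; rc=1; }
    ! grep -Eq '^[[:space:]]*phase2=' "$f" || { echo "phase2 is for EAP-TTLS/PEAP; drop it for EAP-TLS"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample blocks: "good" is WPA3-ready, "bad" is a WPA2-era block
# (no PMF, stray phase2) that cannot negotiate WPA3-Enterprise.
demo_conf() {
    case $1 in
        good) cat <<'EOF'
network={
    ssid="Lab-WPA3-Ent"
    proto=RSN
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="client@lab.example"
    ca_cert="/etc/ssl/lab/ca.pem"
    client_cert="/etc/ssl/lab/client.pem"
    private_key="/etc/ssl/lab/client.key"
}
EOF
        ;;
        bad) cat <<'EOF'
network={
    key_mgmt=WPA-EAP
    eap=TLS
    phase2="auth=MSCHAPV2"
}
EOF
        ;;
    esac
}
# Stand-alone run: build the PKI, print every check, clean up.
main() {
    d=$(mktemp -d); gen_test_pki "$d"
    echo "server EKU: $(check_eku "$d/server.pem" server), bits: $(key_bits "$d/server.pem")"
    echo "client EKU: $(check_eku "$d/client.pem" client), chain: $(verify_chain "$d/ca.pem" "$d/client.pem")"
    demo_conf good > "$d/good.conf"; demo_conf bad > "$d/bad.conf"
    echo "good.conf: $(check_wpa3_conf "$d/good.conf")"
    echo "bad.conf:"; check_wpa3_conf "$d/bad.conf" || true
    rm -rf "$d"
}
main
```

`check_eku`, `key_bits` and `verify_chain` work unchanged on a real `ca.pem`/`server.pem`/`client.pem`, which is the quickest way to rule the certificates in or out before touching the AP. The linter is a line-oriented text check, not a parser of the wpa_supplicant grammar, so it only flags the settings the answer names; `ieee80211w=2` is the one to look at first, since PMF is mandatory for WPA3.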
#2
Re:WPA3-Enterprise EAP-TLS on WAP650
Yesterday - last edited Yesterday

@Vincent-TP Thanks much for the quick response. I made the changes to the certificate generation. In the server certificate I made sure that extension "TLS Web Server Authentication" was included and in the client certificate the extension "TLS Web Client Authentication" was included. I also confirmed that I am using 2048 encryption during the certificate generation step. I double checked the wpa_supplicant.conf to make sure it had the right parameters. However, with all these changes, it still forced me to talk WPA2.

I had another question. In my web trawling yesterday I bumped into the information that operating the EAP650 in stand-alone mode will not generate PMF (Protected Management Frames), which is mandatory for WPA3.

Could you confirm this?


#3
Re:WPA3-Enterprise EAP-TLS on WAP650
Yesterday - last edited Yesterday

Update ==========

To put my EAP650 in Controller mode so I could set the PMF (Protected Management Frames) to mandated I did the following: I downloaded and installed the Omada Software Controller. I hard reset the EAP650 and then managed to add it to the Controller. I then created a new wireless network with the WPA3-Enterprise selected. I also set the PMF field to Mandatory to generate PMF frames. I was then able to connect to it from the Rpi but it is still doing only WPA2. I also generated a client certificate for a Macbook 2019 and tried connecting from the Macbook to the network I created. It still only connected via WPA2-Enterprise.

#4
Re:WPA3-Enterprise EAP-TLS on WAP650
13 hours ago - last edited 13 hours ago

Hi @AnandEdwin

What's the network adapter you are using on the Rpi4? Does it support WPA3?

If all configurations appear correct but the issue persists, the problem may lie in driver or hardware limitations. Conduct a definitive test:

  • Test the same SSID on another WPA3-capable device (e.g., Windows/Android):
    • If other devices connect successfully using WPA3, the issue is likely with the RPi4's driver.
    • If all devices fall back to WPA2, the problem lies in the AP or FreeRADIUS configuration.

In the meantime, please share with us some screenshots of the WPA settings for the EAP.

#5
Re:WPA3-Enterprise EAP-TLS on WAP650
12 hours ago

@Vincent-TP

I was using a Brostrend AC1200 Wi-Fi dongle on the Rpi4. Brostrend confirmed yesterday that this does not support WPA3. However, I don't know why my MacBook 2019 would not do WPA3 either. I will try to find confirmed WPA3 devices and try.

Can you confirm a MacBook 2019 should be able to do WPA3?

Regards

Anand

#6