WPA3 Enterprise and Wi-Fi 6E

WPA3 was introduced as a replacement for WPA2 in January of 2018 and certification began in June of 2018.  WPA3 support has been mandatory for devices which bear the "Wi-Fi CERTIFIED™" logo since July 2020.  In this document, we are only concerned with WPA3 Enterprise.

In November 2020, the FCC allocated the 6GHz range of frequencies for non-exclusive use by Wi-Fi in the United States, to be shared with incumbent users.

Enterprise-grade access points began shipping by the end of 2021.

✅   Only use 'eduroam' for the SSID name.  Variations are not recommended by vendors and are no longer supported by eduroam.

✅   Deploy WPA3 Enterprise in transition mode and get comfortable with it before deploying 6GHz, even if 6GHz is not on your roadmap yet.

❌   Do not use 192-bit security.

  • WPA3 Enterprise.

6GHz only supports WPA3 Authentication. Eduroam requires WPA2 Enterprise and WPA3 Enterprise authentication; these are compatible with each other and should not cause compatibility issues.

    • Protected Management Frames (PMF).  As long as PMF is configured as “supported but not required” a WPA3 Enterprise network is identical to a WPA2 Enterprise network.  In this configuration older WPA2 devices can continue to connect to the network.
    • 192-bit Security.1  This is a new connection mode in WPA3 designed to meet the standards of US government agencies.  To support this mode successfully, all IdP servers and all WPA3 clients would first have to be configured for it; otherwise interoperability issues will result.
    • WPA2/WPA3 Enterprise Transition Mode.2  It is recommended to implement WPA2/WPA3 Enterprise Transition Mode on 2.4GHz and 5GHz before enabling 6GHz.  This allows older clients that don’t support WPA3 to continue to operate on the network while newer devices connect via WPA3, and it provides the opportunity to troubleshoot any issues that may arise related to WPA3.

  • SSID name

6GHz allows for the use of a unique SSID in this range; however, Internet2 and most vendors recommend using the same SSID on the 5GHz and 6GHz bands.  Internet2 requires service providers to use "eduroam" for the SSID name.

    • Roaming.  Because WPA3 Enterprise and WPA2 Enterprise are so similar, clients are able to roam between the two with no issues and users will have a better experience.
    • Security.   Organizations that use CAT or another configuration utility will provide configuration only for eduroam; if a different SSID is in its place, users may be able to connect but the intended security settings will be dropped, or users configured with EAP-TLS will not be able to connect at all.
    • Service Provider.  As a service provider you are expected to provide equitable access to visitors at your site.  Using an SSID other than 'eduroam' may preclude visitors from using eduroam and is not permitted.
  • NOTE: Some vendors allow you to configure two separate profiles for the 2.4/5GHz bands and the 6 GHz band using the same SSID.  This is not recommended as it causes hard roams between the two and many clients are not able to roam between them at all.
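To verify what an access point actually advertises for the modes listed above (PMF "supported but not required", PMF required, 192-bit) and the SSID rule, the RSN information element in its beacons can be decoded. The script below is an added example, not part of this page or of any vendor tool; it applies the RSN element layout and PMF capability bits from IEEE 802.11 to constructed sample elements, and the mode names and findings follow this page's guidance.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"
AKM_8021X, AKM_8021X_SHA256, AKM_SUITE_B_192 = 1, 5, 12  # 00-0F-AC:1, :5, :12
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bit 6 (PMF required) / bit 7 (PMF capable)

def parse_rsn(ie: bytes) -> dict:
    """Decode a raw RSN element (ID 48) into its cipher/AKM suite lists and capabilities."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body, pos, suites = ie[2:2 + ie[1]], 6, []  # skip version (2) + group cipher (4)
    for _ in range(2):  # pairwise cipher list, then AKM list: count + 4-byte selectors
        (count,) = struct.unpack_from("<H", body, pos)
        suites.append([body[pos + 2 + 4 * i:pos + 6 + 4 * i] for i in range(count)])
        pos += 2 + 4 * count
    # RSN Capabilities is optional; when absent no PMF bit is set.
    (caps,) = struct.unpack_from("<H", body, pos) if pos + 2 <= len(body) else (0,)
    return {"group": body[2:6], "pairwise": suites[0], "akms": suites[1], "caps": caps}

def classify(ssid: str, ie: bytes) -> dict:
    """Name the advertised enterprise mode and list what the eduroam guidance says to change."""
    rsn = parse_rsn(ie)
    akms = {s[3] for s in rsn["akms"] if s[:3] == RSN_OUI}
    mfpc, mfpr = bool(rsn["caps"] & MFPC), bool(rsn["caps"] & MFPR)
    if AKM_SUITE_B_192 in akms:
        mode = "wpa3-enterprise-192bit"
    elif not akms & {AKM_8021X, AKM_8021X_SHA256}:
        mode = "not-enterprise"
    elif mfpc and mfpr:
        mode = "wpa3-enterprise-only"  # PMF required: the only form 6GHz accepts
    elif mfpc:
        mode = "wpa2/wpa3-enterprise-transition"  # PMF "supported but not required"
    else:
        mode = "wpa2-enterprise"
    findings = [msg for hit, msg in (
        (ssid != "eduroam", "SSID must be exactly 'eduroam'"),
        (mode == "wpa3-enterprise-192bit", "192-bit mode advertised; not recommended"),
        (mode == "wpa2-enterprise", "PMF absent; set PMF to 'supported but not required'"),
    ) if hit]
    return {"mode": mode, "six_ghz_ready": mode == "wpa3-enterprise-only", "findings": findings}

# Constructed sample elements for the four modes (not captured from a real network).
TRANSITION_IE = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac01 000fac05 8000")
WPA3_ONLY_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac05 c000")
WPA2_ONLY_IE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
SUITE_B_192_IE = bytes.fromhex("3014 0100 000fac09 0100 000fac09 0100 000fac0c c000")
```

Feed it the RSN element bytes from your own beacons (for example as exported by a packet capture) to confirm each band is advertising the intended mode before turning on 6GHz.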

  1. Eduroam advice for Wi-Fi Alliance WPA3
  2. Not all vendors have a "WPA3 Transition" feature; you can achieve this by setting Protected Management Frames to "preferred" in WPA2 Enterprise settings.