WPA status - WiFi Security and WiFi7

What version of WPA are you currently using?


  • Total voters
    18

sfx2000

Part of the Furniture
Curious to see where folks are - not a loaded question, but it's relevant to where WiFi7 is with security...

MLO requires WPA3 on any band it is used with, even on 5 GHz and 2.4 GHz...
 
Wi-Fi 7 mandates the support for WPA3 and Enhanced Open (based on OWE) along with Protected Management Frame (PMF) for the clients to operate in 802.11be data rates and features like MLO. There are new AKMs (AKM 24 and 25) added for WPA3-Personal. Additionally, Wi-Fi 7 requires beacon protection for both the AP and the Wireless Clients. With MLO, security needs to be established across all the links of a multi-link association. The security requirements are to mainly make the Wi-Fi networks more secure and protect against cyberattacks.

[Image: wifi7-security.jpg]
 
I only have a wifi6 capable router (An RT-AX86U_Pro) as I own zippo in the way of Wifi7 capable devices.

When I got the router that supported it, I enabled the WPA3 (and now the Mac I use to develop for ios was satisfied -- it was right unhappy about things being WPA2).

Trying to get off of WPA2 entirely isn't doable as we have devices that don't know nothing about no WPA3. Even our one year old SleepNumber bed cannot handle it.

So it's pointless/impossible to make a WiFi7 device that doesn't support WPA3 because you won't be able to connect at such speeds without it? Or are we going to see routers that don't enforce this requirement in the spec because of this?
 
Trying to get off of WPA2 entirely isn't doable as we have devices that don't know nothing about no WPA3. Even our one year old SleepNumber bed cannot handle it.

Yeah, IoT devices are the major challenge - even 7 years later after WPA3 was released (yes, it's been that long, WPA3 was in June 2018).

The WiFi Alliance, for their part, have made WPA3 conformance a requirement for some time now, but many IoT devices are not certified, and many of the chipsets may or may not support it, depending on vendor and even firmware level items.

It's interesting to note that all of the ISP deployed residential gateways within range for a quick audit (and this is DSL, Cable, and 5G-FWA) - they all default to WPA2 for 2.4 and 5GHz, probably for Tech Support simplicity - where the challenge for them is 6GHz coverage, where both WiFi6e and WiFi7 mandate WPA3...

WPA2/3 mixed (transitional) is likely the best approach, esp for WiFi7, as this does help for the 11be (aka EHT) and other WiFi7 features such as MLO, while allowing WiFi4/5/6 clients to still work on 2.4/5 bands...

Where it can get complicated, is when one has a diverse set up with Mesh, such as AI Mesh, where the dissimilar mesh points may or may not support the designated auth methods and/or radio modes...
 
It is clear that most vendors do not strictly adhere to the security requirements of WiFi7. They allow negotiation of EHT and MLO without SAE-EXT, GCMP-256, or beacon protection.

The most sensible approach is a WPA3-only SSID for modern devices and a WPA2-only SSID for legacy devices, rather than mixing the two using WPA2/WPA3 transition.
 
It is clear that most vendors do not strictly adhere to the security requirements of WiFi7. They allow negotiation of EHT and MLO without SAE-EXT, GCMP-256, or beacon protection.

GCMP-256 is still optional, so CCMP-128 is fine there - the risk the vendors have if they do not do WPA3 (PMF is required with WPA3, BTW) is that clients will just connect at the lower/older rates...

The secondary SSID is useful for older WiFi4/5 clients that cannot support WPA3, which as discussed in this thread, are still a real thing, esp with IoT devices, but also older PCs that run Win7 or even WinXP where WPA3 is a non-starter for most (device drivers also have to support it). And it's not just Windows - older Mac and iDevices may not support WPA3, and same goes with Linux, esp with older HW.
 
GCMP-256 is still optional, so CCMP-128 is fine there - the risk the vendors have if they do not do WPA3 (PMF is required with WPA3, BTW) is that clients will just connect at the lower/older rates...

The secondary SSID is useful for older WiFi4/5 clients that cannot support WPA3, which as discussed in this thread, are still a real thing, esp with IoT devices, but also older PCs that run Win7 or even WinXP where WPA3 is a non-starter for most (device drivers also have to support it). And it's not just Windows - older Mac and iDevices may not support WPA3, and same goes with Linux, esp with older HW.
Security requirements with Wi-Fi 7
The Wi-Fi 7 (802.11be) standard mandates higher security requirements. This will allow network administrators to choose more granular security encryption types and AKMs at a per SSID level. Open and WPA/WPA2 only SSIDs are not acceptable per the Wi-Fi 7 standard. Dashboard will enforce this requirement.

With Wi-Fi 7, the following security standards are required:

AKM SAE-EXT (24) and above

GCMP 256

AP Beacon protection
Note: All the above security standards must be enforced at the same time.

2.5 Additional Requirements on WPA3-Personal modes
4. If an AP's BSS Configuration enables EHT or MLO, it shall enable AKM suite selector 00-0F-AC:24.
5. If an AP's BSS Configuration enables EHT or MLO, it shall enable GCMP-256 as a pairwise cipher.
9. A STA that enables EHT or MLO shall, in its Network Profile, allow AKM suite selector 00-0F-AC:24 to be selected.
10. A STA that enables EHT or MLO shall, in its Network Profile, allow GCMP-256 to be selected as a pairwise cipher.

2.4 WPA3-Personal Compatibility Mode
The AP's BSS Configuration shall enable at least CCMP-128 as a pairwise cipher. NOTE: If the BSS enables EHT or MLO, it also enables GCMP-256 as a pairwise cipher per Section 2.5. The AP advertises this configuration as follows:
a. The AP shall advertise the single pairwise cipher CCMP-128 in the RSNE on all bands and in the RSNE Override element in the 2.4 and 5 GHz bands.
b. The AP shall, if the BSS enables EHT or MLO, irrespective of the band the BSS is operating on, advertise the single pairwise cipher GCMP-256 in the RSNE Override 2 element.

Cisco's documentation and the WPA3 specification both claim that GCMP-256 is necessary, and I'm not sure the same is true for ieee802.11be, which is still hidden behind a paywall.
 
The AP shall, if the BSS enables EHT or MLO, irrespective of the band the BSS is operating on, advertise the single pairwise cipher GCMP-256 in the RSNE Override 2 element.

Cisco's documentation and the WPA3 specification both claim that GCMP-256 is necessary, and I'm not sure the same is true for ieee802.11be, which is still hidden behind a paywall.

GCMP256 support is required for the wifi7 client in any case - one can deploy WiFi7 w/o MLO, so EHT can still use CCMP-128 for WPA3-Personal

WPA3-Enterprise, if I read the spec correctly, mandates GCMP-256 whether MLO is deployed or not.
 
The AP shall, if the BSS enables EHT or MLO, irrespective of the band the BSS is operating on, advertise the single pairwise cipher GCMP-256 in the RSNE Override 2 element.

Just want to add - EHT is fine with CCMP-128, that's never been an issue - MLO can be an issue, and this is a concern perhaps with all radios bound to MLO, as they all need to be GCMP-256 for reasons you mention above.

But WiFi7 MLO is an optional feature in the spec...

Anyways, I'm not certain I've been clear enough - for WiFi7, consider the requirements for a seamless use across all the supported bands - WPA3, PMF required, GCMP-256, and OCV as well - might as well do the full buffet here...

Make that one SSID across all bands - 2.4, 5, 6 GHz for the WiFi7 clients...

A secondary SSID for "legacy" WPA2 - which really means WiFi4/5 clients that might have issues for WPA2/3 transitional support...
 
GCMP256 support is required for the wifi7 client in any case - one can deploy WiFi7 w/o MLO, so EHT can still use CCMP-128 for WPA3-Personal
From what I understand, EHT does support both CCMP-128 and GCMP-256.
But according to the WPA3 specification, EHT APs must support GCMP-256 in addition to CCMP-128, and EHT STAs must support and use GCMP-256 as the preferred cipher.
This means that EHT should use GCMP-256, but EHT STAs can still associate with EHT APs that do not comply with the specification without violating the specification.
WPA3-Enterprise, if I read the spec correctly, mandates GCMP-256 whether MLO is deployed or not.
If I understand correctly, WPA3-Enterprise is just WPA2-Enterprise+PMF, and WPA3-Enterprise 192-bit really changes AKM and only supports GCMP-256 from the start.
WPA3-Enterprise non-192-bit has the same GCMP-256 requirement as WPA3-Personal when using EHT and MLO.
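The WPA3 spec excerpt quoted earlier (AKM suite selector 00-0F-AC:24, GCMP-256 as a pairwise cipher, CCMP-128 as the baseline, PMF) and the EHT cipher discussion just above both come down to what an AP actually advertises in its RSN element. The following is an added Python example, not code from this thread, from Cisco or from any AP vendor: it parses the RSN element (element ID 48) that an AP carries in beacons and probe responses and reports which of those quoted requirements the advertised configuration meets. The two RSNE byte strings are constructed samples, not captures from a real AP. Beacon protection (signalled in the Extended Capabilities element) and the RSNE Override elements live outside the RSN element and are deliberately not checked here.

```python
import struct

# Suite selector OUI used by the IEEE 802.11 standard cipher and AKM suites.
IEEE_OUI = b"\x00\x0f\xac"

# Selector type -> name for the 00-0F-AC OUI (values from IEEE 802.11).
CIPHER_NAMES = {
    1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
    8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
    12: "BIP-GMAC-256", 13: "BIP-CMAC-256",
}
AKM_NAMES = {
    1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
    6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "Suite-B-802.1X-SHA256",
    12: "Suite-B-802.1X-SHA384", 13: "FT-802.1X-SHA384", 18: "OWE",
    24: "SAE-EXT-KEY", 25: "FT-SAE-EXT-KEY",
}

# RSN Capabilities bits (2-byte little-endian field at the end of the RSNE).
MFPR = 0x0040  # Management Frame Protection Required
MFPC = 0x0080  # Management Frame Protection Capable


def _selector(sel):
    """A 4-byte suite selector: OUI + type. Standard suites map to an int type."""
    return sel[3] if sel[:3] == IEEE_OUI else sel.hex()


def _suite_list(body, offset):
    """Read a 2-byte count followed by that many 4-byte suite selectors."""
    if offset + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, offset)
    offset += 2
    types = []
    for _ in range(count):
        sel = body[offset:offset + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        types.append(_selector(sel))
        offset += 4
    return types, offset


def parse_rsne(element):
    """Parse an RSN element (element ID 48) into its advertised suites and PMF bits."""
    if len(element) < 2 or element[0] != 48:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    info = {"version": struct.unpack_from("<H", body, 0)[0], "group": None,
            "pairwise": [], "akms": [], "mfpc": False, "mfpr": False}
    off = 2
    # Every field after the version is optional, so stop wherever the element ends.
    if off + 4 <= len(body):
        info["group"] = _selector(body[off:off + 4])
        off += 4
        if off < len(body):
            info["pairwise"], off = _suite_list(body, off)
        if off < len(body):
            info["akms"], off = _suite_list(body, off)
        if off + 2 <= len(body):
            (caps,) = struct.unpack_from("<H", body, off)
            info["mfpc"] = bool(caps & MFPC)
            info["mfpr"] = bool(caps & MFPR)
    return info


def wifi7_checks(info):
    """Each quoted WPA3-Personal requirement for an EHT/MLO BSS, as a pass/fail flag."""
    return {
        "akm_sae_ext_key_24": 24 in info["akms"],       # AKM suite selector 00-0F-AC:24
        "pairwise_gcmp_256": 9 in info["pairwise"],     # GCMP-256 offered as pairwise cipher
        "pairwise_ccmp_128": 4 in info["pairwise"],     # CCMP-128 baseline still present
        "pmf_required": info["mfpc"] and info["mfpr"],  # PMF mandatory, not merely capable
    }


def is_transition_mode(info):
    """True when a WPA2 AKM (PSK/802.1X family) is offered next to a WPA3 AKM."""
    wpa2 = any(a in (1, 2, 3, 4, 5, 6) for a in info["akms"])
    wpa3 = any(a in (8, 9, 18, 24, 25) for a in info["akms"])
    return wpa2 and wpa3


def describe(info):
    """Human-readable summary of a parsed RSNE."""
    name = lambda table, t: table.get(t, f"type {t}") if isinstance(t, int) else f"vendor {t}"
    return (f"group={name(CIPHER_NAMES, info['group'])} "
            f"pairwise={[name(CIPHER_NAMES, t) for t in info['pairwise']]} "
            f"akm={[name(AKM_NAMES, t) for t in info['akms']]} "
            f"MFPC={info['mfpc']} MFPR={info['mfpr']}")


# Constructed sample: a WiFi7-style WPA3-only BSS meeting the quoted requirements.
WIFI7_RSNE = bytes.fromhex(
    "301c"                        # element ID 48, length 28
    "0100"                        # RSN version 1
    "000fac04"                    # group cipher: CCMP-128
    "0200" "000fac04" "000fac09"  # 2 pairwise ciphers: CCMP-128, GCMP-256
    "0200" "000fac08" "000fac18"  # 2 AKMs: SAE (8), SAE-EXT-KEY (24)
    "c000"                        # RSN capabilities: MFPC | MFPR
)
# Constructed sample: a typical WPA2/WPA3 transition-mode BSS (PSK + SAE, PMF optional).
TRANSITION_RSNE = bytes.fromhex(
    "3018" "0100" "000fac04"
    "0100" "000fac04"             # pairwise: CCMP-128 only
    "0200" "000fac02" "000fac08"  # AKMs: PSK (2), SAE (8)
    "8000"                        # RSN capabilities: MFPC only
)

if __name__ == "__main__":
    for label, rsne in (("wifi7", WIFI7_RSNE), ("transition", TRANSITION_RSNE)):
        info = parse_rsne(rsne)
        print(label, describe(info), "transition=%s" % is_transition_mode(info))
        print("   ", wifi7_checks(info))
```

To use it on your own AP, feed `parse_rsne` the raw bytes of the RSN tag (ID 48) taken from a beacon capture of that AP; a transition-mode SSID will show up exactly as the second sample does, with a WPA2 AKM beside SAE, no GCMP-256 and PMF only capable rather than required.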
 
Since in 2025 not all the clients support WPA3 - I'm running WPA2-Personal on all home networks. Mixed mode and separate SSIDs all giving access to the main network doesn't make sense to me. Two doors to the same room locked with different keys. No issues with WPA2 and not going to play with firewall rules per client. Business networks are perfectly fine with WPA2-Enterprise.
 
Since in 2025 not all the clients support WPA3 - I'm running WPA2-Personal on all home networks. Mixed mode and separate SSIDs all giving access to the main network doesn't make sense to me. Two doors to the same room locked with different keys. No issues with WPA2 and not going to play with firewall rules per client. Business networks are perfectly fine with WPA2-Enterprise.

Yeah, and for different reasons - I've seen most carrier gateways do the WPA2 approach, mostly because it keeps support calls to a minimum...

WiFi-Alliance has kept WPA3 support as a must for certification since 2019 - but there's a lot of devices that have not gone thru WFA testing, as it's an optional thing.

As the thread here indicated - to get the most out of WiFi7, WPA3 is a must, but this adds issues with legacy devices that cannot support WPA3.
 
Your poll data doesn't say much because, with multiple-choice answers allowed, the same people selected WPA2, WPA2/WPA3 and WPA3. I highly doubt someone is actually running WPA3 only or has more than a few Wi-Fi 7 devices other than a phone/tablet.
 
I highly doubt someone is actually running WPA3 only or has more than a few Wi-Fi 7 devices other than a phone/tablet.
I'm a WPA3-only guy, not only that, H2E and 11ax are also configured to be mandatory like WPA3. All my devices are 6E/7, no IoT ewaste.
 