Netgate Discussion Forum

    WPA3 via Unifi APs

    Off-Topic & Non-Support Discussion
    43 Posts 10 Posters 24.4k Views
    • ?
      A Former User @johnpoz
      last edited by

      @johnpoz OK, thanks. Saved me some time and head scratching. All of my "home" devices are iPhones, iPads and MacBooks.

      I have two nanoHDs and an AC-Pro, so that one generation 2 AP would be an issue.

      Maybe I'll just do nothing. ;) More coffee required.

      At some point I'd love to pick your brain about using a L2/L3 switch and the topology. That's for another day after I've gone to school on the subject so as to not look like a dummy ;)

      Thanks again!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @A Former User
        last edited by johnpoz

        Yeah sure - happy to help... Take a look at my edit if you missed it.. Do you have eapol_test running on anything? I guess you have to compile it yourself from wpasupplicant.. I wasn't able to find a binary.. I can sure fire it up on a VM I would think..

        Wonder if that would be something useful to add when you add the freerad package, you can test basic connectivity with radtest, but you can not really test eap-tls with that.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • ?
          A Former User @johnpoz
          last edited by A Former User

          @johnpoz I don't.

          I also haven't gone through my radius conf in any serious way. I think that is a good activity for me today. Maybe I should put up a freerad server in a VM and go through it all by hand, take the GUI out of it and actually learn the concepts and config. Make a setting, google google google. Rinse and Repeat... ;)

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @A Former User
            last edited by

            Same here ;) It just worked really out of the box.. clicky clicky ;)

            Guess that is part of the reason I didn't notice that you really should have to have a user created - hehehe but I didn't and eap-tls was working..

            If no user to match the CN - wtf was it checking the user against ;) doh!

            • ?
              A Former User
              last edited by

              I guess I'll start at the basics. Unwind any misconceptions before moving forward.

              https://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf

              • chpalmerC
                chpalmer
                last edited by

                Just updated my UAP-AC-Pro's to 5.53.1.12737 which showed up available this morning.

                Just FYI for those looking. I assume one would need this for WPA3 capabilities..

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @chpalmer
                  last edited by

                  The previous firmware supported it, 5.53.1 was just putting them all on the same version again for the different gens of their AP.

                  • M
                    mcury @johnpoz
                    last edited by

                    There was a bug in the previous version..
                    Some printers were not connecting with WPA2/WPA3 transitional - PMF optional..

                    Now it's fixed.. So you can have WPA2 only devices connected to a WPA3 BSSID without problems now.. At least nanoHD.. I guess this release is going to be an official release

                    dead on arrival, nowhere to be found.

                    • M
                      mcury @mcury
                      last edited by

                      BTW, I finally solved the wrong date/time in the controller.

                      Thanks to a user in the Ubnt forum, found out that the controller is not using the system time, it's using the Java time, which is outdated..

                      In case you are facing this problem in the controller, here is how to fix it:

                      Update JAVA TZ time
                      Java SE Timezone Updater 2.3.2
                      
                      https://www.oracle.com/java/technologies/javase-tzupdater-downloads.html
                      
                      java -jar tzupdater.jar --version
                      sudo systemctl stop unifi.service
                      sudo java -jar tzupdater.jar -l
                      java -jar tzupdater.jar --version
                      sudo systemctl start unifi.service
                      

                      • occamsrazorO
                        occamsrazor
                        last edited by occamsrazor

                        Did you manage to get WPA3 Personal working with a NanoHD or FlexHD? I just updated my controller to 6.1.54 and am struggling to get it working with a Macbook. I tried enabling it but the Macbook didn't seem to make a WPA3 connection. I read this thread which was a bit over my head, but the impression I got is that with MTK models like NanoHD/FlexHD WPA3 may not be working???

                        https://community.ui.com/questions/802-11r-Fast-BSS-Transition-and-802-11v-BSS-Transition-Management-Frame-on-WPA3-Supported-Matrix/de07c88c-7b9f-43ab-9c5b-e99c0f7756a0

                        BTW I figure you must know but just in case any reading this doesn't.... re: seeing if clients are using WPA2/WPA3.... on Mac you can just option-click the WiFi menubar icon and it'll tell you all the connection info.

                        pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
                        Ubiquiti Unifi wired and wireless network, APC UPSs
                        Mac OSX and IOS devices, QNAP NAS

                        • ?
                          A Former User @occamsrazor
                          last edited by A Former User

                          @occamsrazor It works "fine" on a nanoHD. The issue, as pointed out, is clients that do not support WPA3. In my case it's around clients that do not support PMFs that are required with WPA3-Enterprise.

                          As to the status on a MacOS, there is a bug (I reported it) that if you connect WPA2-Enterprise with mandatory PMF the Mac will indicate it's a WPA3-Enterprise connection in error.

                          To me, this is a question of what do you really want or require. Meaning does WPA3 buy you anything that is worth the effort. You'll have to answer that for yourself. Any weakness is only a potential problem once some client is authenticated on a WLAN. My home network is not a zero trust network (IoT devices are walled off and given Internet access only via a WLAN just for them) so it's not a big deal to me.

                          I want to encourage anyone who is thinking about updating their controller to the 6.1.x train to be absolutely sure you have a fallback plan. Back up your Unifi config and know how to downgrade the controller.

                          • M
                            mcury @occamsrazor
                            last edited by

                            I was helping Glenn to fix this problem:

                            https://community.ui.com/questions/Samsung-printer-connectivity-issue/e9b782b9-a40b-48cb-b43c-0b0d35716f0e

                            He asked me to test a firmware in the nanoHD, and with it I was able to connect my printers to the WPA2/WPA3 transitional BSSID, with PMF optional.

                            My Galaxy S10 detects the network as a WPA2/WPA3 network, but I didn't perform packet captures to confirm if my phone is indeed using the WPA3..

                            Try to "forget" the network in the Macbook, and connect again.
                            More info about it in this topic:

                            https://community.ui.com/releases/UniFi-Network-Controller-6-1-51/9124593a-1d5e-40f1-a3a7-ab62862e1fce#comment/d6af6798-d8dd-4ecf-8399-05e2cd487409

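Whether a client really joined with WPA3 can be read from a packet capture: the RSN element (ID 48) in the AP's beacon lists the AKM suites on offer, and the one in the client's association request lists the suite it chose, along with the PMF bits. The decoder below is an added example and not part of any post in this thread; the function names are hypothetical and the three byte strings are constructed samples, not captures from a UniFi AP.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
       5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities: PMF required / PMF capable


def read_suites(body, off, names):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated suite list")
    out = []
    for i in range(count):
        sel = body[off + 4 * i: off + 4 * i + 4]
        out.append(names.get(sel[3], "type-%d" % sel[3]) if sel[:3] == OUI
                   else "vendor-" + sel.hex())
    return out, off + 4 * count


def parse_rsn(ie):
    """Parse one RSN element, including its 2-byte ID/length header."""
    if len(ie) < 10 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = read_suites(body, 6, CIPHER)  # body[2:6] is the group cipher
    akm, off = read_suites(body, off, AKM)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(rsn):
    """Return (personal-mode label, PMF state) for a parsed RSN element."""
    akm = set(rsn["akm"])
    sae = akm & {"SAE", "FT-SAE"}
    psk = akm & {"PSK", "FT-PSK", "PSK-SHA256"}
    pmf = "required" if rsn["mfpr"] else "optional" if rsn["mfpc"] else "disabled"
    if sae and psk:
        return "WPA2/WPA3 transition", pmf
    if sae:
        return "WPA3-Personal", pmf
    return ("WPA2-Personal" if psk else "other"), pmf


# Constructed samples: a transition-mode beacon, then two association requests.
BEACON = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
ASSOC_SAE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")
ASSOC_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")

if __name__ == "__main__":
    for name, ie in (("beacon", BEACON), ("sae", ASSOC_SAE), ("psk", ASSOC_PSK)):
        print(name, classify(parse_rsn(ie)))
```

A transition-mode SSID always advertises both PSK and SAE in its beacon, so only the association request shows which one a given client ended up using.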
                            • occamsrazorO
                              occamsrazor @A Former User
                              last edited by

                              @jwj said in WPA3 via Unifi APs:

                              To me, this is a question of what do you really want or require. Meaning does WPA3 buy you anything that is worth the effort. You'll have to answer that for yourself.

                              I really have no need for WPA3 in terms of security, I just like to try new things and understand how they do, or don't work. I was interested by improvements in roaming supposedly in WPA3, though the WPA3 specific fast-roaming seems unsupported by NanoHD at least at this time.

                              @mcury said in WPA3 via Unifi APs:

                              He asked me to test a firmware in the nanoHD, and with it I was able to connect my printers to the WPA2/WPA3 transitional BSSID, with PMF optional.

                              Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

                              @mcury said in WPA3 via Unifi APs:

                              Try to "forget" the network in the Macbook, and connect again.

                              I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

                              My Wireless Networks settings are:

                              Security: WPA Personal
                              WPA3: Support WPA3 connections
                              WPA3 Transition Mode: Support WPA2 connections on same SSID
                              Fast Roaming: Enable fast roaming
                              WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
                              PMF: Optional

                              I notice that the "WPA Mode" setting directly beneath the PMF setting is greyed out (unselectable) and says "WPA2 only"

                              • M
                                mcury @occamsrazor
                                last edited by mcury

                                @occamsrazor said in WPA3 via Unifi APs:

                                Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

                                The FW 5.53.1 probably has the fixes present in the non-public firmware, so it should be working for you. At least my printers are connecting with this firmware, no confirmation from Ubnt that indeed the fixes are present in it.. It's working so I'm making an assumption that it's present.

                                I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

                                I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

                                My Wireless Networks settings are:
                                Security: WPA Personal
                                WPA3: Support WPA3 connections
                                WPA3 Transition Mode: Support WPA2 connections on same SSID
                                Fast Roaming: Enable fast roaming
                                WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
                                PMF: Optional

                                I tested using the same settings..

                                • occamsrazorO
                                  occamsrazor @mcury
                                  last edited by

                                  @mcury said in WPA3 via Unifi APs:

                                  I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

                                  I may have been confusing. With Unifi set to WPA3 Transition the MacBook still did connect fine, only at WPA2 not WPA3.
                                  According to this article WPA3 support was only introduced in Catalina, not Mojave, so that explains it...

                                  "Try to manually join a Wi-Fi network in Catalina on many Macs and you’ll see that WPA3, the new Wi-Fi encryption protocol, has joined the (still default WPA2) and the (old, insecure) WEP and WPA as a security option.
                                  But unlike iOS 13 and iPadOS 13, which support WPA3 universally across all supported devices, not every Catalina Mac can use WPA3. Older 2012-era Macs with 802.11n adapters still top out at WPA2."

                                  https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/12/

                                  I just tried with my new M1 Mac Mini running Big Sur (which only usually ever uses ethernet) and it connected immediately on WPA3 without even needing to forget the network... so it seems the lack of WPA3 connection is just because Mojave does not support it.

                                  It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.

                                  • M
                                    mcury @occamsrazor
                                    last edited by

                                    @occamsrazor said in WPA3 via Unifi APs:

                                    It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.

                                    Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...

                                    • occamsrazorO
                                      occamsrazor @mcury
                                      last edited by occamsrazor

                                      @mcury said in WPA3 via Unifi APs:

                                      Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...

                                      Not sure if there was a request already, searching that forum is so hard, but I created a new one:

                                      https://community.ui.com/questions/Feature-request-Expose-WPA-WPA2-WPA3-version-status-in-Client-List/8afb8530-1a03-45e2-a798-2d5a18207341

                                      • ?
                                        A Former User @occamsrazor
                                        last edited by

                                        @occamsrazor said in WPA3 via Unifi APs:

                                        It's a shame Unifi doesn't expose the WPA version in the Clients list.

                                        Not holding my breath.

                                        • ?
                                          A Former User @occamsrazor
                                          last edited by

                                          @occamsrazor I up-voted your post on the Ubiquiti forum linked above. Others should do the same if they want Ubiquiti to even notice that it exists.

                                          • chpalmerC
                                            chpalmer @johnpoz
                                            last edited by

                                            @johnpoz said in WPA3 via Unifi APs:

                                            The previous firmware supported it, 5.53.1 was just putting them all on the same version again for the different gens of their AP.

                                            4.3.28.11361 ?? Reason I ask is because none of my devices connected with WPA3 until I upgraded to the later firmware.
