Netgate Discussion Forum

WPA3 via Unifi APs

Off-Topic & Non-Support Discussion
43 Posts 10 Posters 24.8k Views
  • O
    occamsrazor @A Former User
    last edited by Feb 13, 2021, 5:02 PM

    @jwj said in WPA3 via Unifi APs:

    To me, this is a question of what do you really want or require. Meaning does WPA3 buy you anything that is worth the effort. You'll have to answer that for yourself.

    I really have no need for WPA3 in terms of security, I just like to try new things and understand how they do, or don't work. I was interested by improvements in roaming supposedly in WPA3, though the WPA3 specific fast-roaming seems unsupported by NanoHD at least at this time.

    @mcury said in WPA3 via Unifi APs:

    He asked me to test a firmware in the nanoHD, and with it I was able to connect my printers to the WPA2/WPA3 transitional BSSID, with PMF optional.

    Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

    @mcury said in WPA3 via Unifi APs:

    Try to "forget" the network in the Macbook, and connect again.

    I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

    My Wireless Networks settings are:

    Security: WPA Personal
    WPA3: Support WPA3 connections
    WPA3 Transition Mode: Support WPA2 connections on same SSID
    Fast Roaming: Enable fast roaming
    WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
    PMF: Optional

    I notice that the "WPA Mode" setting directly beneath the PMF setting is greyed out (unselectable) and says "WPA2 only"

    pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
    Ubiquiti Unifi wired and wireless network, APC UPSs
    Mac OSX and IOS devices, QNAP NAS

    M 1 Reply Last reply Feb 13, 2021, 5:11 PM Reply Quote 0
    • M
      mcury @occamsrazor
      last edited by mcury Feb 13, 2021, 5:13 PM Feb 13, 2021, 5:11 PM

      @occamsrazor said in WPA3 via Unifi APs:

      Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

      The FW 5.53.1 probably has the fixes present in the non-public firmware, so it should be working for you. At least my printers are connecting with this firmware, no confirmation from Ubnt that indeed the fixes are present in it.. It's working so I'm making an assumption that it's present.

      I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

      I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

      My Wireless Networks settings are:
      Security: WPA Personal
      WPA3: Support WPA3 connections
      WPA3 Transition Mode: Support WPA2 connections on same SSID
      Fast Roaming: Enable fast roaming
      WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
      PMF: Optional

      I tested using the same settings..

      dead on arrival, nowhere to be found.

      O 1 Reply Last reply Feb 13, 2021, 5:27 PM Reply Quote 0
      • O
        occamsrazor @mcury
        last edited by Feb 13, 2021, 5:27 PM

        @mcury said in WPA3 via Unifi APs:

        I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

        I may have been confusing. With Unifi set to WPA3 Transition the MacBook still did connect fine, only at WPA2 not WPA3.
        According to this article WPA3 support was only introduced in Catalina, not Mojave, so that explains it...

        "Try to manually join a Wi-Fi network in Catalina on many Macs and you’ll see that WPA3, the new Wi-Fi encryption protocol, has joined the (still default WPA2) and the (old, insecure) WEP and WPA as a security option.
        But unlike iOS 13 and iPadOS 13, which support WPA3 universally across all supported devices, not every Catalina Mac can use WPA3. Older 2012-era Macs with 802.11n adapters still top out at WPA2."

        https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/12/

        I just tried with my new M1 Mac Mini running Big Sur (which only usually ever uses ethernet) and it connected immediately on WPA3 without even needing to forget the network... so it seems the lack of WPA3 connection is just because Mojave does not support it.

        It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.


        M ? 2 Replies Last reply Feb 13, 2021, 5:32 PM Reply Quote 0
        • M
          mcury @occamsrazor
          last edited by Feb 13, 2021, 5:32 PM

          @occamsrazor said in WPA3 via Unifi APs:

          It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.

          Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...


          O 1 Reply Last reply Feb 13, 2021, 5:52 PM Reply Quote 1
          • O
            occamsrazor @mcury
            last edited by occamsrazor Feb 13, 2021, 5:52 PM Feb 13, 2021, 5:52 PM

            @mcury said in WPA3 via Unifi APs:

            Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...

            Not sure if there was a request already, searching that forum is so hard, but I created a new one:

            https://community.ui.com/questions/Feature-request-Expose-WPA-WPA2-WPA3-version-status-in-Client-List/8afb8530-1a03-45e2-a798-2d5a18207341


            ? 1 Reply Last reply Feb 13, 2021, 6:12 PM Reply Quote 1
            • ?
              A Former User @occamsrazor
              last edited by Feb 13, 2021, 5:58 PM

              @occamsrazor said in WPA3 via Unifi APs:

              It's a shame Unifi doesn't expose the WPA version in the Clients list.

              Not holding my breath.

              1 Reply Last reply Reply Quote 0
              • ?
                A Former User @occamsrazor
                last edited by Feb 13, 2021, 6:12 PM

                @occamsrazor I up-voted your post on the Ubiquiti forum linked above. Others should do the same if they want Ubiquiti to even notice that it exists.

                1 Reply Last reply Reply Quote 0
                • C
                  chpalmer @johnpoz
                  last edited by Feb 14, 2021, 8:19 PM

                  @johnpoz said in WPA3 via Unifi APs:

                  The previous firmware supported it, 5.53.1 was just putting them all on the same version again for the different gens of their AP.

                  4.3.28.11361 ?? Reason I ask is because none of my devices connected with WPA3 until I upgraded to the later firmware.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  J 1 Reply Last reply Feb 14, 2021, 9:07 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @chpalmer
                    last edited by johnpoz Feb 14, 2021, 9:26 PM Feb 14, 2021, 9:07 PM

                    What AP are you using?

                    As you could see I was using old 5.43.24 firmware and was getting wpa3 personal on my iphone.. When connected to ssid set for personal wpa2/3. But that was on pro, lite and lr models - not flex or nano. An enterprise ssid was still showing wpa2-enterprise

                    They had released a .27 and a .28, but for the pro,lite and lr line, etc. When they jumped to 5.53 - they are all listed on the same firmware version.

                    edit: I upvoted your post over on the unifi forums as well - it's just moronic that what a client is connected at be it wpa2 or 3 is not on the controller.. Installing the profile is a pita, and it's only good for like 30 days even. stupid why that needs a specific profile to be given to the user.. Great info there should just be default.. Actual signal strength, specific bssid connected to, etc.

                    edit: So with the latest firmware 5.53.1.12737, looks like showing that connected with wpa3-enterprise

                    wpa3ent.png

                    I had bumped my sons on his flexHD to wpa2/3 personal.. But he had a problem with one of his roku sticks. I will have to try moving back to wpa3, see if I can even just turn off wpa2.. But I doubt some of his stuff, tv and rokus support 3, so will prob have to leave it in transition mode.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                      • S
                        slu @johnpoz
                        last edited by Apr 8, 2021, 3:47 PM

                        @johnpoz said in WPA3 via Unifi APs:

                        I changed the cipher_list from default to HIGH, and then even just called out AES256-SHA256 by editing freeradius.inc - since couldn't find a way to edit that in the freerad gui..

                        Is this necessary?
                        Looks like there is no option in the FreeRADIUS GUI...

                        pfSense Gold subscription

                        J 1 Reply Last reply Apr 8, 2021, 4:09 PM Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator @slu
                          last edited by johnpoz Apr 8, 2021, 4:10 PM Apr 8, 2021, 4:09 PM

                          No - That was me troubleshooting, that turned out to be an issue with no users on my part..

                          cipherlist is currently back to default

                          		cipher_list = "DEFAULT"
                          


                          1 Reply Last reply Reply Quote 1
                          • B
                            bcruze
                            last edited by bcruze Apr 11, 2021, 12:20 PM Apr 11, 2021, 12:18 PM

                            interesting thread.

                            i have a Flexhd, nano, and AC LR at my residence.

                            i have enabled WPA 3 on one SSID and this is what it shows on my 2019 Macbook pro 2019; using system information > network > WIFI

                            Channel: 48,-1
                            Country Code: US
                            Network Type: Infrastructure
                            Security: WPA2/WPA3 Personal
                            Signal / Noise: -42 dBm / -91 dBm
                            Transmit Rate: 400
                            MCS Index: 9

                            since i don't have Apple developer access i have no idea if it actually connected at WPA3
                            i have i XS, 12 and Ipad mini 5 and all stay connected but no idea on wpa2 or 3

                            J 1 Reply Last reply Apr 11, 2021, 12:20 PM Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator @bcruze
                              last edited by johnpoz Apr 11, 2021, 12:22 PM Apr 11, 2021, 12:20 PM

                              @bcruze said in WPA3 via Unifi APs:

                              i don't have Apple developer access i have no idea if it actually connected at WPA3

                              I have to assume you have an apple ID - if you have a mac ;)

                              So you just have to accept the developers agreement to get access.

                              Turn off the wpa2 access in the ssid, then you would know for sure it connected with wpa3 ;)

                              wpa2.jpg


                              B 1 Reply Last reply Apr 11, 2021, 12:41 PM Reply Quote 0
                              • B
                                bcruze @johnpoz
                                last edited by Apr 11, 2021, 12:41 PM

                                @johnpoz
                                ah i never looked into dev mode. i assumed it was invite only

                                confirmed those newer devices DO actually connect at wpa3 on the SSID i posted

                                J 1 Reply Last reply Apr 11, 2021, 12:49 PM Reply Quote 0
                                • J
                                  johnpoz LAYER 8 Global Moderator @bcruze
                                  last edited by Apr 11, 2021, 12:49 PM

                                  I really don't get why that info is just not part of the basic info given to you when you look at your wifi.. That you have to jump through hoops and install some "profile" to be able to get that info is just nuts if you ask me.

                                  And it expires very quickly too.. So have to pretty much install it every time you want to look at the info - even if only a few weeks later.

                                  The other day I was looking to see some info - and the wifi profile for ios wasn't even listed.. Was like wtf - did they stop publishing it? But then day or so later checked again and it was listed again..

                                  I think I mentioned it elsewhere - but other little odd thing I have run into.. Is I was using QR codes to allow my guests to connect. And those don't seem to work if you're in wpa3 only mode.. But if you allow for wpa2 on the same ssid, then the qr codes work, and it does show they connected via wpa3.


                                  1 Reply Last reply Reply Quote 0
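The recurring question in the posts above is whether a client on a WPA2/WPA3 transition SSID actually negotiated WPA3. The following is an added example, not code from any poster or from Ubiquiti: it parses the RSN element that a beacon (what the AP offers) or an association request (the single AKM the client selected) carries in a packet capture. The sample elements are constructed, and the mapping of the MFPC bit to the controller's "PMF: Optional" setting is an assumption.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")          # IEEE 802.11 suite OUI
AKM = {1: "802.1X", 2: "PSK", 4: "FT-PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
WPA2_PSK, WPA3_SAE = {"PSK", "FT-PSK", "PSK-SHA256"}, {"SAE", "FT-SAE"}
MFPR, MFPC = 0x0040, 0x0080                # RSN Capabilities bits 6 and 7


def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID and length bytes removed)."""
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not a version 1 RSN element")
    off, lists = 6, []                     # skip version (2) + group cipher (4)
    for _ in range(2):                     # pairwise cipher list, then AKM list
        if off + 2 > len(body):
            raise ValueError("truncated suite count")
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if off + 4 * count > len(body):
            raise ValueError("truncated suite list")
        lists.append([body[off + 4 * i: off + 4 * i + 4] for i in range(count)])
        off += 4 * count
    akms = [AKM.get(s[3], f"type-{s[3]}") if s[:3] == RSN_OUI else f"vendor-{s.hex()}"
            for s in lists[1]]
    # The capabilities field is optional; absent means no PMF bits set.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(rsn: dict) -> str:
    """Name the personal-mode security level and PMF state an RSN element declares."""
    akms = set(rsn["akms"])
    psk, sae = bool(akms & WPA2_PSK), bool(akms & WPA3_SAE)
    mode = ("WPA2/WPA3 transition" if psk and sae else "WPA3-Personal" if sae
            else "WPA2-Personal" if psk else "other")
    pmf = "PMF required" if rsn["mfpr"] else "PMF capable" if rsn["mfpc"] else "PMF disabled"
    return f"{mode}, {pmf}"


def build_rsn(akm_types, caps: int) -> bytes:
    """Build a constructed sample element: CCMP ciphers, given AKM types and caps."""
    ccmp = RSN_OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types))
    body += b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    return body + struct.pack("<H", caps)


# Constructed samples, not captures from the thread's network.
BEACON_TRANSITION = build_rsn([2, 8], MFPC)   # SSID with "PMF: Optional" (assumed mapping)
ASSOC_WPA2_CLIENT = build_rsn([2], 0)         # client that chose WPA2-PSK
ASSOC_WPA3_CLIENT = build_rsn([8], MFPC)      # client that chose SAE

if __name__ == "__main__":
    for name in ("BEACON_TRANSITION", "ASSOC_WPA2_CLIENT", "ASSOC_WPA3_CLIENT"):
        print(name, "->", classify(parse_rsn(globals()[name])))
```

On a transition SSID the beacon lists both PSK and SAE, so only the association request tells the two kinds of client apart.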
                                  • L
                                    leolk @A Former User
                                    last edited by Apr 4, 2022, 10:02 AM

                                    Hi,

                                    May I ask you what parameters had you changed in freeradius.inc? I’ve changed cipher list but it does not work. Clients seem to receive no packet at all. However, WPA2 works very well. Thank you very much.

                                    Running EAP-TLS & SHA512 cert with Aruba AP(

                                    1 Reply Last reply Reply Quote 0