WPA Enterprise with WPA3
We configured in Nebula a Wi-Fi SSID with WPA Enterprise authentication with WPA3 (authentication with my RADIUS server). Everything is working fine (the RADIUS server is a Windows Network Policy Server), but on clients the wireless settings window shows that the connection type is WPA2 (on Mac and Windows 10 clients as well).
All Replies
-
Hi @AdminSys
This behavior is due to the transition mode feature in WPA3, which is designed to accommodate client devices that do not fully support WPA3. When transition mode is enabled, it generates two virtual access points (VAPs): one using WPA3 and another using WPA2 Personal. This allows devices that support both WPA3 and WPA2 to connect seamlessly.
If you want to enforce only WPA3-supported devices to connect and not allow devices to connect using WPA2, you can disable the transition mode by using the following CLI commands through PuTTY or Tera Term via SSH.
- Identify the specific SSID security profile. In this example, let's configure for SSID2_testing.
Command:
Router> show wlan-ssid-profile all
- Disable transition mode for the identified security profile.
Command:
Router> enable
Router# configure terminal
Router(config)# wlan-security-profile SECURITY2
Router(config-wlan-security SECURITY2)# no transition-mode
Router(config-wlan-security SECURITY2)# exit
- Verification: After disabling transition mode, a WPA3 non-supported device will not be able to connect to the SSID, confirming that only WPA3-supported devices can connect.
Kay
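A second way to run the verification step in the answer above is to inspect the RSN element each AP advertises in its beacons. The following is an added example, not part of the original post and not Zyxel code: it assumes the Wi-Fi Alliance convention that WPA3-Enterprise transition mode advertises both the 802.1X (type 1) and 802.1X-SHA256 (type 5) AKM suites with management frame protection optional, while WPA3-only drops type 1 and requires it. The byte strings are constructed samples, not captures.

```python
import struct

OUI = b"\x00\x0f\xac"                      # IEEE 802.11 suite selector OUI
AKM_1X, AKM_1X_SHA256, AKM_192 = 1, 5, 12  # enterprise AKM suite types
MFPR, MFPC = 0x0040, 0x0080                # PMF required / capable bits

def parse_rsn(ie: bytes) -> dict:
    """Return the AKM suite types and PMF flags from one RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 0x30 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def suites() -> list:
        return [take(4) for _ in range(struct.unpack("<H", take(2))[0])]

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                 # group data cipher suite
    suites()                                # pairwise cipher suites
    akms = {s[3] for s in suites() if s[:3] == OUI}
    caps = struct.unpack("<H", take(2))[0]
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}

def classify(ie: bytes) -> str:
    """Label what an enterprise SSID advertises in its beacon."""
    rsn = parse_rsn(ie)
    legacy = AKM_1X in rsn["akms"]
    wpa3 = bool(rsn["akms"] & {AKM_1X_SHA256, AKM_192})
    if wpa3 and legacy:
        return "wpa3-enterprise-transition"   # WPA2 clients can still join
    if wpa3 and rsn["mfpr"]:
        return "wpa3-enterprise-only"
    return "wpa2-enterprise" if legacy else "other"

def sample(akm_types, caps: int) -> bytes:
    """Build a constructed RSN element (CCMP ciphers) for demonstration."""
    ccmp = OUI + b"\x04"
    akms = b"".join(OUI + bytes([t]) for t in akm_types)
    body = (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
            + struct.pack("<H", len(akm_types)) + akms + struct.pack("<H", caps))
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    for name, ie in [("before", sample([1, 5], MFPC)), ("after", sample([5], MFPC | MFPR))]:
        print(name, classify(ie))
```

To use it on real data, pass the raw bytes of the RSN tag (tag number 48) from a beacon captured for each AP; any AP that still reports the transition label has not had the change applied.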
-
We have 5 APs configured in Nebula. Do we need to log in to all APs to set this?
-
Hi @AdminSys
Currently, there is no direct way to disable the transition mode from the Nebula front-end configuration. The most efficient way to achieve this is by configuring it through the CLI command for each of your APs.
In response to your request, we have raised this feature to the idea section:
Please show your support by voting for it; the votes and comments will be part of our evaluation process.
Kay