[Nebula] Understanding WPA3 SSID

Zyxel_Judy

Scenario:
Your network includes a variety of devices with different encryption capabilities, including WPA3. You're considering configuring the security method to WPA3 but are unsure if WPA2 devices will still be able to connect or whether let only devices with WPA3 capability to connect to the WPA3 SSID. This FAQ will help clarify this for you.

For sure, devices that have WPA2 capability can connect to an SSID using the WPA3 encryption method due to the transition mode.

If you want only devices with WPA3 capability to connect to the WPA3 SSID, you can achieve this by configuring each AP through CLI commands.

Configuration:

1. Identify the specific SSID security profile. 

In this example, let's configure for SSID2_testing. Command:

Router > show wlan-ssid-profile all

2. Disable transition mode for the identified security profile.

Command:

Router> enable

Router# configure terminal

Router(config)# wlan-security-profile SECURITY2

Router(config-wlan-security SECURITY2)# no transition-mode

Router(config-wlan-security SECURITY2)# exit

Verification：

After disabling transition mode, a WPA3 non-supported device will not be able to connect to the SSID, confirming that only WPA3-supported devices can connect.

Note: At the time of this writing, there is no direct way to disable the transition mode from the Nebula front-end configuration.

Zyxel_Judy

In case there is the incompatibility problems led to certain network interface cards (NICs) are unable to connect to the SSID, please execute the command provided below:

Router> enable

Router# configure terminal

Router(config)# wlan-security-profile SECURITY2

Router(config-wlan-security SECURITY2)# no transition-mode

Router(config-wlan-security SECURITY2)# dot11w-op 2

Router(config-wlan-security SECURITY2)# exit