Heads-Up: Latest Wi-Fi 7 enforces new MLO change, Zyxel implement in 7.20!
Zyxel Employee
With the evolution of the WiFi 7 standard, security requirements for Multi-Link Operation (MLO) have become more stringent.
Starting from firmware 7.20, Zyxel Access Points follow these updated requirements by enforcing stricter security rules when MLO is enabled.
Legacy security modes such as WPA1/WPA2 Mixed are no longer supported under MLO. Using these settings may result in the SSID being disabled and can lead to connectivity issues.
This article explains the impact of these changes and how Zyxel APs remain compliant with the WiFi 7 standard while providing options to support legacy clients where necessary.
Firmware version 7.20 will be available starting from July 14, 2025.
How MLO Security Enforcement Has Changed After 7.20 Firmware
Prior to WiFi 7, networks often used WPA2 or older security standards that offered flexibility but posed security risks. With WiFi 6E and now WiFi 7, stronger encryption and authentication—especially for MLO—are becoming mandatory.
With the introduction of firmware version 7.20, Zyxel Access Points operating in 802.11be mode now follow enhanced security compliance aligned with the IEEE 802.11be standard.
Enforced MLO Rules:
- When radio mode is configured as 802.11be mode, MLO must be enabled.
- Open, WPA1, WPA2, WPA2-Mixed modes are no longer supported in BE mode.
- 6GHz Band:
• Must use WPA3, or Enhanced Open. - 2.4GHz / 5GHz Bands:
• May use WPA3, WPA3 Transition Mode, or Enhanced Open. - Additional Notes:
• Enhanced Open Transition mode are not supported under WiFi 7 802.11be.
• For 802.11be radio mode, non-compliant security setup SSIDs will be automatically disabled.
• 802.11be radio mode does not support DDPSK configuration, SSID configured with DPPSK will be disabled on 802.11be radio mode AP.
• Hidden SSID feature is not supported under WiFi 7 802.11be.
Compatibility Consideration:
To minimize service impact, once upgraded to version 7.20, the 2.4Ghz radio will be changed to 802.11ax mode, so that all of the existing SSIDs can still work as is on the 2.4Ghz radio.
This change is intended to ensure backward compatibility with legacy devices by retaining support for older security protocols such as Open, WPA1, and WPA2—protocols that are no longer supported under 802.11be.
For environments where all wireless clients support WPA3, administrators still have the option to manually switch the band back to 802.11be mode to take full advantage of WiFi 7 performance.
Upgrade Considerations:
In response to the security and compatibility changes introduced in firmware version 7.20, Zyxel recommends adopting one of the following two strategies based on your deployment scenario to ensure a smooth transition and maintain service continuity:
- 7.20 Auto Convert
Zyxel’s firmware upgrade process is designed to maximize compatibility while preserving the performance benefits of WiFi 7 MLO. During the upgrade, security configurations will be automatically adjusted based on the rules outlined in the “7.20 Auto Convert” column of the table below.
*Please note that legacy security modes such as Open, WEP, WPA1/WPA2-Mixed, and the DPPSK feature will only be supported on the 2.4GHz band after the upgrade.
If your deployment prioritizes compatibility with these security types or DPPSK scenarios over maximum performance, and requires them to operate on the 5GHz or 6GHz bands, it is recommended to manually switch those radios to 802.11ax mode to restore compatibility. - WiFi 7 MLO Best Practice
This strategy is designed for deployments aiming to fully utilize the performance and security features of WiFi 7 MLO. By proactively adjusting SSID configurations before upgrading, administrators can avoid compatibility issues and ensure optimal operation under 802.11be mode after the upgrade.
*Please note that 802.11be mode requires SSIDs to use WPA3, WPA3 Transition, or Enhanced Open. Legacy security types such as WPA2, WEP, WPA2-Mixed, and the DPPSK feature are not supported on 5GHz and 6GHz radios when operating in 802.11be mode.
To ensure compatibility with WiFi 7 MLO and maintain service continuity, please update your SSID security settings according to the recommendations listed under the "WiFi 7 MLO Best Practice" column in the table below.
Deployment Strategy: How to Prepare for 7.20 802.11BE MLO Security Enforcement
What Will Change to Your Current SSID Setup After Upgrading to Firmware 7.20?
Current SSID Security Setup (Before 7.20) | Band | 7.20 Auto Convert | WiFi 7 MLO Best Practice |
|---|---|---|---|
Open | 2.4GHz | ✅ Support, remain Open security for legacy client connectivity | Recommend configuring security mode to Enhanced Open. If legacy clients have connectivity issues, revert to Open mode. |
5GHz | 🔄 Auto-convert to Enhanced Open security | ||
6GHz | 🔄 Auto-convert to Enhanced Open security | ||
Enhanced Open Transition | 2.4GHz | ✅ Support, Enhanced Open Transition security for legacy client connectivity | Recommend disabling the transition mode. If legacy clients have connectivity issues, revert to Enhanced Open Transition mode. |
5GHz | 🔄 Auto-convert to Enhance Open security | ||
6GHz | 🔄 Auto-convert to Enhance Open security | ||
Enhanced Open | 2.4GHz | ✅ Supported | No action is required |
5GHz | ✅ Supported | ||
6GHz | ✅ Supported | ||
WEP | 2.4GHz | ✅ Support, Remain WEP security for legacy client connectivity | Recommend update the security mode to WPA3 Transition mode. If legacy clients experience connectivity issues, consider reverting to WEP mode |
5GHz | ❌ SSID disabled on 5GHz | ||
6GHz | ❌ SSID disabled on 6GHz | ||
WPA1/WPA2-Mixed | 2.4GHz | ✅ Support, remain WPA1/WPA2-Mixed security for legacy client connectivity | Recommend update the security mode to WPA3 Transition mode. If legacy clients experience connectivity issues, consider reverting to WPA1/WPA2-Mixed mode |
5GHz | ❌ SSID disabled on 5GHz | ||
6GHz | ❌ SSID disabled on 6GHz | ||
WPA2 | 2.4GHz | ✅ Support, remain WPA2 security for legacy client connectivity | Recommend update the security mode to WPA3 Transition mode. If legacy clients experience connectivity issues, consider reverting to WPA2 mode |
5GHz | 🔄 Auto-convert to WPA3 Transition security | ||
6GHz | 🔄 Auto-convert to WPA3 security | ||
WPA3 Transition | 2.4GHz | ✅ Supported | No action is required |
5GHz | ✅ Supported | ||
6GHz | 🔄 Auto-convert to WPA3 security | ||
WPA3 only | 2.4GHz | ✅ Supported | No action is required |
5GHz | ✅ Supported | ||
6GHz | ✅ Supported | ||
WPA2-Mixed Enterprise | 2.4GHz | ✅ Support, remain WPA2-Mixed Enterprise security for legacy client connectivity | Recommend configuring security to WPA3 Enterprise. If legacy clients have connectivity issues, revert to WPA2-Mixed Enterprise mode. |
5GHz | ❌ SSID disabled on 5GHz | ||
6GHz | ❌ SSID disabled on 6Ghz | ||
WPA2 – Enterprise | 2.4GHz | ✅ Support, remain WPA2 Enterprise security for legacy client connectivity | Recommend configuring security to WPA3 Enterprise. If legacy clients have connectivity issues, revert to WPA2 Enterprise mode. |
5GHz | 🔄Auto-convert to WPA3 Enterprise security | ||
6GHz | 🔄Auto-convert to WPA3 Enterprise security | ||
WPA3 – Enterprise | 2.4GHz | ✅ Supported | No action is required |
5GHz | ✅ Supported | ||
6GHz | ✅ Supported | ||
DPPSK | 2.4GHz | ✅ Supported | In scenarios where DPPSK is critical for user authentication and access control, it is recommended to configure the 5GHz and 6GHz radios to 802.11ax mode. As DPPSK is not supported under 802.11be, ensuring compatibility would take priority over the performance benefits of WiFi 7. |
5GHz | ❌ SSID disabled on 5GHz | ||
6GHz | ❌ SSID disabled on 6GHz |
Step-by-Step: Configure the 2.4GHz band radio back to 802.11be mode
Note: Before proceeding, please ensure that your environment does not rely on legacy clients that may be incompatible with 802.11be.
To enable full WiFi 7 MLO functionality on the 2.4GHz band after 7.20 upgrade, you need to manually set the radio mode to 802.11be.
You can reconfigure the radio mode to 802.11be mode on Nebula by following the steps below:
- Navigate to Radio settings page
- Go to
Configure » Access points » Radio settings page
- Go to
- Scroll down to Per AP Radio Configuration
- Locate the per-AP modification section near the bottom of the page.
- Locate the per-AP modification section near the bottom of the page.
- Choose the 2.4GHz tab and modify the radio band mode
- Adjust the 2.4GHz radio band mode to 802.11be for the Wifi 7 AP.
- Adjust the 2.4GHz radio band mode to 802.11be for the Wifi 7 AP.
- Save Updated Radio Configuration
- Click the Update and Save button to keep the updated radio configuration.
Troubleshooting for SSID disappearing after upgrade to 7.20
If your SSID gets disabled or you're unable to scan the SSID, you may see a log like in the Access point event logs page (Nebula » Monitor » Access points » Event log):
SSID: WBE660S-MLO Interface: wlan-3-1 security: DPPSK disable, reason: Unsupported security option.
Change the security setting to Enhanced Open/WPA3/WPA3 Transition and re-enable the SSID.
Zyxel_Hsinbo
Categories
- All Categories
- 434 Beta Program
- 2.7K Nebula
- 172 Nebula Ideas
- 117 Nebula Status and Incidents
- 6.1K Security
- 405 USG FLEX H Series
- 296 Security Ideas
- 1.6K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 43 Wireless Ideas
- 6.7K Consumer Product
- 268 Service & License
- 413 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight