[Nebula 19.10 / AP FW 7.20] Security Methods for 802.11be (WiFi 7) Radios
Zyxel Employee
With the release of AP firmware 7.20, Zyxel has aligned its WiFi 7 access points with the WiFi Alliance’s updated security requirements for 802.11be operation. These changes affect which authentication and encryption protocols are permitted, particularly in the 6 GHz band, and introduce important adjustments for backward compatibility.
WiFi Alliance Security Requirements
For 802.11be radios, the following security methods are supported:
- Enhanced Open (no transition mode)
- WPA3-Personal
- WPA3-Enterprise
- WPA3-Personal with Transition Mode (excluded on 6 GHz)
For 6 GHz radios (including when set to 802.11ax mode):
- Enhanced Open
- WPA3-Personal
- WPA3-Enterprise
- ❌ No transition mode allowed
Prohibited methods on 11be radios:
- WEP
- Dynamic PSK (DPSK)
- WPA2-Personal / WPA2-Enterprise
- Any open/WPA2 modes not explicitly listed
This ensures that WiFi 7 deployments remain secure and free from vulnerabilities tied to outdated protocols.
What Happens With Unsupported Configurations
Although administrators can still select any method in the SSID profile GUI, the AP enforces compliance:
- Complete SSID disablement (e.g., WEP or DPSK on 6 GHz)
- Automatic adaptation to the closest supported method (e.g., WPA2 → WPA3)
This prevents insecure operation while keeping the network functional.
Evolution of the “Next Best” Security Method
Before Firmware 7.20
- 6 GHz radios automatically converted:
- Open → Enhanced Open
- WPA2-Personal → WPA3-Personal
- WPA2-Enterprise → WPA3-Enterprise
- 2.4 GHz & 5 GHz radios unaffected (unless MLO enabled).
Firmware 7.20 Changes
- MLO is mandatory on all 11be radios.
- 2.4 GHz and 5 GHz radios now inherit the same stricter security rules as 6 GHz.
- This may prevent older Wi-Fi 4/5 clients (that lack WPA3 support) from connecting.
Alternate Next Best Method (7.20)
To improve legacy device compatibility, firmware 7.20 introduces an alternate conversion approach:
- On 2.4 GHz and 5 GHz, transition mode can still be used where possible.
- On 6 GHz, transition modes remain strictly prohibited for maximum security.
This balance ensures that modern security is enforced while older clients retain connectivity on non-6 GHz bands.
Example Event Log Messages
When security configurations are adapted or rejected, APs generate clear event logs:
- dppsk disabled - reason: unsupported security option
- security adapted from WPA2-Personal to WPA3-Personal - reason: unsupported security option
This transparency helps administrators quickly understand and troubleshoot security enforcement actions.
Key Implications
- MLO is always on with 11be radios → all linked radios must follow strict WiFi Alliance security rules.
- To avoid MLO restrictions, admins must switch the radio mode back to 802.11ax.
- Unsupported security methods either disable the SSID entirely or are converted to compliant equivalents.
- Firmware 7.20’s alternate next best method provides better backward compatibility for mixed environments.
These updates reinforce Zyxel’s commitment to delivering WiFi 7 performance with strong security compliance, while still supporting real-world deployments that include legacy clients.
Categories
- All Categories
- 438 Beta Program
- 2.7K Nebula
- 188 Nebula Ideas
- 121 Nebula Status and Incidents
- 6.2K Security
- 454 USG FLEX H Series
- 303 Security Ideas
- 1.6K Switch
- 81 Switch Ideas
- 1.3K Wireless
- 44 Wireless Ideas
- 6.8K Consumer Product
- 278 Service & License
- 435 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 91 Security Highlight