NWA50AX - difference between wpa2-mix and wpa3

Options
e_mano_e
e_mano_e Posts: 113  Ally Member
First Answer First Comment Friend Collector Fifth Anniversary
edited May 2024 in Wireless
Hi,

the Zyxel Online Web Help isn't really much helpful to describe the difference.
The help just says: Select a security mode from the list: noneenhanced-openwepwpa2wpa2-mix or wpa3.

But what does wpa2-mix mean? Is it wpa/wpa2 combination?
Or is wpa-mix a wpa2/wpa3 combination?
And when I choose wpa3 will the access point fall back to wpa2 if older devices are trying to connect to wlan?

Thanks.

Accepted Solution

  • Zyxel_Dick
    Zyxel_Dick Posts: 21  Zyxel Employee
    First Comment Friend Collector Seventh Anniversary
    Answer ✓
    Hi e_mano_e,

    Welcome to Zyxel forum.

    There are 3 kinds of WLAN security mode setting.

    1. WPA1, it means WPA-TKIP and WPA2-AES, know as WPA2-Mix.
    2. WPA2, it means WPA2-AES only.
    3. WPA3, it means WPA3 only and when we select WPA3, it will enable "transition mode" to be compatible the client which does not support WPA3.

    Thank you.
    BR, Dick

    Zyxel_Dick

    Untitled Image
    https://bit.ly/4g2pS9L

All Replies

  • tgl
    tgl Posts: 11  Freshman Member
    First Comment Friend Collector Second Anniversary
    On my NWA210AX, the "wpa3" setting actually will let in both WPA2 and WPA3 clients (verifiable by looking at the station list, which shows each client's security setting).  I too would be interested to know how wpa2-mix differs.
  • Zyxel_Dick
    Zyxel_Dick Posts: 21  Zyxel Employee
    First Comment Friend Collector Seventh Anniversary
    Answer ✓
    Hi e_mano_e,

    Welcome to Zyxel forum.

    There are 3 kinds of WLAN security mode setting.

    1. WPA1, it means WPA-TKIP and WPA2-AES, know as WPA2-Mix.
    2. WPA2, it means WPA2-AES only.
    3. WPA3, it means WPA3 only and when we select WPA3, it will enable "transition mode" to be compatible the client which does not support WPA3.

    Thank you.
    BR, Dick

    Zyxel_Dick

    Untitled Image
    https://bit.ly/4g2pS9L
  • e_mano_e
    e_mano_e Posts: 113  Ally Member
    First Answer First Comment Friend Collector Fifth Anniversary
    @Zyxel_Dick
    your explanation would be a great addition for the Zyxel Web Online Help.
  • michaelrommel
    michaelrommel Posts: 3
    First Comment Friend Collector
    Hello, thanks for the clarification @Zyxel_Dick! There is one question remaining, which is the difference between activating
    • WPA2-mix with Cipher Setting AES and 
    • WPA2 with Cipher Setting auto
    Both can fallback to TKIP, so what is the difference?

    And I guess WPA2 AES also means CCMP, right?

    Thanks for any clarification!

      Michael.
  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula
    edited January 2023
    Hi @michaelrommel

    WPA2-mix include WPA+TKIP and WPA2+AES, so WPA2-mix with Cipher Setting AES means WPA2+AES.

    WPA2 with Cipher Setting auto means WPA2+TKIP and WPA2+AES. Due to TKIP is unsecure and the low speed for station (54Mbps), so we set WPA2+AES as default to get more secure and the faster speed for station.

    WPA2 AES also means CCMP.

    Zyxel_Judy

  • michaelrommel
    michaelrommel Posts: 3
    First Comment Friend Collector
    edited January 2023
    Thank you, Zyxel_Judy for explaining this! Much appreciated!

    Since I have two devices (Withings Scale and a Nest smoke detector) that do not connect to the access point whenever I set the SSID (iot.devices) to WPA2-AES and only if I set the cipher to auto, that means that other devices on this same SSID can also only use 54Mbps. So if there were other device that would be capable of achieving higher data rates and higher security (like raspberry pis), does it make sense to open up another SSID, like iot.tkip.devices and iot.aes.devices?

    Also, is there a place in a log or so, where I can see which client negotiated which cipher/WPA2/WPA3?
  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security Zyxel Certified Network Engineer Level 1 - Nebula

    Hi @michaelrommel

    In case you set WPA2 and the cipher to auto, it means WPA2+TKIP and WPA2+AES. Your two devices (Withings Scale and a Nest smoke detector) can connect with WPA2+TKIP, otherwise, the stations with the higher capability can connect with WPA2+AES to get higher data rates and higher security.

    In Nebula, there is no WPA2 with the cipher as auto, so suggest you choose WPA1, it means WPA-TKIP and WPA2-AES. You don’t need to create other SSID.

     

    In Access point > Monitor > Client list shows the column named “Security”. This column shows which secure encryption method (WPA1/WPA2/WPA3) is being used by the client to connect to the Nebula Device.


    Zyxel_Judy

  • michaelrommel
    michaelrommel Posts: 3
    First Comment Friend Collector
    Thank you very much, @Zyxel_Judy for the additional info! Then I have already set everything up as it should be. I am not using Nebula, just the local UI. And I really appreciate it, that I can just use that UI, I have switched to Zyxel from Ubiquity for that exact reason. I am pretty satisfied with the access point!

Categories

Wireless Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)