WPA Enterprise with WPA3

AdminSys
AdminSys Posts: 26  Freshman Member
edited November 2023 in Nebula

We configured in Nebula a Wi-Fi SSID with authentication WPA Enterprise with WPA3 (authentication with my RADIUS server). Everything is working fine (the RADIUS server is a Windows Network Policy Server), but on clients the wireless settings window shows that the connection type is WPA2 (on Mac and Windows 10 clients as well).

All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Answer ✓

    Hi @AdminSys

    This behavior is due to the transition mode feature in WPA3, which is designed to accommodate client devices that do not fully support WPA3. When transition mode is enabled, it generates two virtual access points (VAPs): one using WPA3 and another using WPA2 Personal. This allows devices that support both WPA3 and WPA2 to connect seamlessly.

    If you want to enforce only WPA3-supported devices to connect and not allow devices to connect using WPA2, you can disable the transition mode by using the following CLI command through PuTTY or Tera Term via SSH.

    1. Identify the specific SSID security profile. In this example, let's configure for SSID2_testing.
      Command:
      Router> show wlan-ssid-profile all
    2. Disable transition mode for the identified security profile.
      Command:
      Router> enable
      Router# configure terminal
      Router(config)# wlan-security-profile SECURITY2
      Router(config-wlan-security SECURITY2)# no transition-mode
      Router(config-wlan-security SECURITY2)# exit
    3. Verification: After disabling transition mode, a WPA3 non-supported device will not be able to connect to the SSID, confirming that only WPA3-supported devices can connect.

    Kay
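
A stricter form of the verification in step 3, as an added example that is not part of the original thread or Zyxel's tooling: parse the RSN element (ID 48) that each BSSID advertises in its beacon and check which AKM suites and management-frame-protection bits are offered. The two element bodies are constructed samples, and the classification follows the WPA3 rules for AKM suites and PMF, not anything specific to Nebula; where the AP uses separate VAPs, run it once per BSSID.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite OUI
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

# Constructed RSN element bodies (the bytes after element ID and length).
TRANSITION = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                           "0200" "000fac01" "000fac05" "8000")
WPA3_ONLY = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                          "0100" "000fac05" "c000")

def parse_rsn(body: bytes) -> dict:
    """Return the AKM suites and PMF bits advertised in an RSN element body."""
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("not an RSN version 1 element")

    def suite_list(off):
        # 2-byte little-endian count followed by count * 4-byte suite selectors
        if off + 2 > len(body):
            raise ValueError("truncated suite count")
        (count,) = struct.unpack_from("<H", body, off)
        end = off + 2 + 4 * count
        if end > len(body):
            raise ValueError("truncated suite list")
        return [body[i:i + 4] for i in range(off + 2, end, 4)], end

    _pairwise, off = suite_list(6)      # skip version (2) + group cipher (4)
    akms, off = suite_list(off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {
        "akm": [AKM.get(s[3], f"type {s[3]}") if s[:3] == OUI else s.hex()
                for s in akms],
        "mfp_capable": bool(caps & 0x0080),   # MFPC, bit 7
        "mfp_required": bool(caps & 0x0040),  # MFPR, bit 6
    }

def classify(rsn: dict) -> str:
    akm = set(rsn["akm"])
    legacy = bool(akm & {"802.1X", "PSK"})
    modern = bool(akm & {"802.1X-SHA256", "SAE"})
    if modern and legacy:
        return "transition"      # WPA2 clients are still accepted
    if modern and rsn["mfp_required"]:
        return "wpa3-only"
    return "wpa2" if legacy else "nonstandard"

if __name__ == "__main__":
    for name, body in (("transition", TRANSITION), ("wpa3-only", WPA3_ONLY)):
        print(name, parse_rsn(body), classify(parse_rsn(body)))
```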


  • AdminSys
    AdminSys Posts: 26  Freshman Member

    We have 5 APs configured in Nebula. Do we need to log in to all APs to set this?

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Answer ✓

    Hi @AdminSys

    Currently, there is no direct way to disable the transition mode from the Nebula front-end configuration. The most efficient way to achieve this is by configuring it through the CLI command for each of your APs.

    In response to your request, we have raised this feature to the idea section:

    Please show your support by voting for it; the votes and comments will be part of our evaluation process.

    Kay
