WPA Enterprise with WPA3

Options
AdminSys
AdminSys Posts: 20  Freshman Member
First Anniversary First Comment
edited November 2023 in Nebula

We configured in nebula, an wifi SSID with autatication WPA Enterprise with WPA3 (autentication with My Radius server).. Everting is working fine (the radius server is an Windows Network Policy Server), but in clients in wireless settings window appear that the connection type is WPA2 (in MAC and Windows10 clients as well)

Best Answers

  • Zyxel_Kay
    Zyxel_Kay Posts: 584  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @AdminSys

    This behavior is due to the transition mode feature in WPA3, which is designed to accommodate client devices that do not fully support WPA3. When transition mode is enabled, it generates two virtual access points (VAPs): one using WPA3 and another using WPA2 Personal. This allows devices that support both WPA3 and WPA2 to connect seamlessly.

    If you want to enforce only WPA3-supported devices to connect and not allow devices to connect using WPA2, you can disable the transition mode by using the following CLI command through Putty or Tera Term via SSH.

    1. Identify the specific SSID security profile. In this example, let's configure for SSID2_testing.
      Command:
      Router > show wlan-ssid-profile all
      image.png
    2. Disable transition mode for the identified security profile.
      Command:
      Router> enable
      Router# configure terminal
      Router(config)# wlan-security-profile SECURITY2
      Router(config-wlan-security SECURITY2)# no transition-mode
      Router(config-wlan-security SECURITY2)# exit
    3. Verification: After disabling transition mode, a WPA3 non-supported device will not be able to connect to the SSID, confirming that only WPA3-supported devices can connect.
      image.png

    Kay

  • Zyxel_Kay
    Zyxel_Kay Posts: 584  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @AdminSys

    Currently, there is no direct way to disable the transition mode from the Nebula front-end configuration. The most efficient way to achieve this is by configuring it through the CLI command for each of your APs.

    In response to your request, we have raised this feature to the idea section:

    https://community.zyxel.com/en/discussion/19058/access-point-feature-to-disable-wpa3-transition-mode-on-ssid-advanced-settings

    Please show your support by voting for it, the votes and comments will be part of our evaluation process.

    Kay

All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 584  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @AdminSys

    This behavior is due to the transition mode feature in WPA3, which is designed to accommodate client devices that do not fully support WPA3. When transition mode is enabled, it generates two virtual access points (VAPs): one using WPA3 and another using WPA2 Personal. This allows devices that support both WPA3 and WPA2 to connect seamlessly.

    If you want to enforce only WPA3-supported devices to connect and not allow devices to connect using WPA2, you can disable the transition mode by using the following CLI command through Putty or Tera Term via SSH.

    1. Identify the specific SSID security profile. In this example, let's configure for SSID2_testing.
      Command:
      Router > show wlan-ssid-profile all
      image.png
    2. Disable transition mode for the identified security profile.
      Command:
      Router> enable
      Router# configure terminal
      Router(config)# wlan-security-profile SECURITY2
      Router(config-wlan-security SECURITY2)# no transition-mode
      Router(config-wlan-security SECURITY2)# exit
    3. Verification: After disabling transition mode, a WPA3 non-supported device will not be able to connect to the SSID, confirming that only WPA3-supported devices can connect.
      image.png

    Kay

  • AdminSys
    AdminSys Posts: 20  Freshman Member
    First Anniversary First Comment
    Options

    we have 5 AP -s are configured in nebula.. we need to login to all AP -s to set this?

  • Zyxel_Kay
    Zyxel_Kay Posts: 584  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @AdminSys

    Currently, there is no direct way to disable the transition mode from the Nebula front-end configuration. The most efficient way to achieve this is by configuring it through the CLI command for each of your APs.

    In response to your request, we have raised this feature to the idea section:

    https://community.zyxel.com/en/discussion/19058/access-point-feature-to-disable-wpa3-transition-mode-on-ssid-advanced-settings

    Please show your support by voting for it, the votes and comments will be part of our evaluation process.

    Kay

Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)