Thursday, February 14, 2019

Aruba's early implementation of WPA3, mixed mode

Aruba has released for general availability ArubaOS 8.4, which includes WPA3-PSK:
https://www.arubanetworks.com/techdocs/ArubaOS/8.4.x.x/Default.htm

Understandably, I was pretty excited to try it out and promptly upgraded my instant cluster, contained within the "safe zone" of my home lab. It was running 8.3.0.3 before, and the upgrade required me to stand up an HTTP server to distribute binaries. The one-click upgrade worked with no issues and took ~10 minutes for both APs with no client-side downtime.

I'll try not to gush too much here, but this is a pretty wicked software release. The virtual controller UI is vastly improved and had a few new options:





Configuring WPA3-SAE was also pretty easy:
Once configured, I was able to connect to the WPA3 SSID I had created.

Wait, WHAT? Windows 10 doesn't have any WPA3 support yet! Digging a little deeper, I found that I was connected to an SSID that supported WPA2-Personal.
It'd appear that we have the capability to run both WPA2 and 3 at the same time. Of course, we can trust but verify with a packet capture. This is not normally feasible without a software-defined radio, but Aruba provides a tool (PEEKREMOTE) that will let you remotely pull a packet capture. If you're interested in doing this yourself, the guide on how is at the end of this article. There are some important steps to follow when decoding the PCAP.

Here's what I found on the RSN IE portion of the 802.11 beacon frame:
From the looks of it, the RSN IEs allow for multiple cipher suites and AKMs. This isn't surprising, as this was how WPA1/2 works in mixed mode. From the PCAP, I would surmise that 00:0f:ac:08 is the 802.11i designation for SAE.


WPA2 & 3 Differences, courtesy of Ruckus Networks:
https://theruckusroom.ruckuswireless.com/wired-wireless/technologytrends/wpa2-wpa3-new-changed-future/
802.11i Robust Security Network Information Elements:
https://mrncciew.com/2014/08/21/cwsp-rsn-information-elements/
Airheads announcement:

No comments:

Post a Comment

Why Automate? Writing a self-testing Python class for REST or XML API invocation

 So far, most API invocations, at least in terms of what you need to do, are pretty simple to execute. Then again, just about every other ad...