cisco Configure and Verify Wi-Fi 6E WLAN Layer 2 Security

小乔

The information in this document is based on these software and hardware versions:
• WLC 9800-CL with IOS® XE 17.9.3.
• APs C9136, CW9162, CW9164 and CW9166.
Wi-Fi 6E Clients:
Lenovo X1 Carbon Gen11 with Intel AX211 Wi-Fi 6 and 6E Adapter with driver version
22.200.2(1).
○
○ Netgear A8000 Wi-Fi 6 and 6E Adapter with driver v1(0.0.108);
○ Mobile Phone Pixel 6a with Android 13;
○ Mobile Phone Samsung S23 with Android 13.
•
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, ensure
that you understand the potential impact of any command.
Background Information
The key thing to know is that Wi-Fi 6E is not an entirely new standard, but an extension. At its base, Wi-Fi
6E is an extension of the Wi-Fi 6 (802.11ax) wireless standard into the 6-GHz radio-frequency band.
Wi-Fi 6E builds on Wi-Fi 6, which is the latest generation of the Wi-Fi standard, but only Wi-Fi 6E devices
and applications can operate in the 6-GHz band.
Wi-Fi 6E Security
Wi-Fi 6E uplevels security with Wi-Fi Protected Access 3 (WPA3) and Opportunistic Wireless Encryption
(OWE) and there is no backward compatibility with Open and WPA2 security.
WPA3 and Enhanced Open Security are now mandatory for Wi-Fi 6E certification and Wi-Fi 6E also
requires Protected Management Frame (PMF) in both AP and Clients.
When configuring a 6GHz SSID there are certain security requirements that must be met:
• WPA3 L2 security with OWE, SAE or 802.1x-SHA256
• Protected Management Frame Enabled;
• Any other L2 security method is not allowed, that is, no mixed mode possible.
WPA3
WPA3 is designed to improve Wi-Fi security by enabling better authentication over WPA2, providing
expanded cryptographic strength and increasing the resiliency of critical networks.
Key features of WPA3 include:
Protected Management Frame (PMF)protects unicast and broadcast management frames and
encrypts unicast management frames. This means wireless intrusion detection and wireless intrusion
prevention systemsnow have fewer brute-force ways to enforce client policies.
•
• Simultaneous Authentication of Equals (SAE)enables password-based authentication and a key
更多资源请访问鸿鹄论坛：http://bbs.hh010.com/
agreement mechanism. This protects against brute-force attacks.
Transition modeis a mixed mode that enables the use of WPA2 to connect clients that do not support
WPA3.
•
WPA3 is about continuous security development and conformance as well as interoperability.
There is no Information Element that designates WPA3 (same as WPA2). WPA3 is defined by AKM/Cipher
Suite/PMF combinations.
On the 9800 WLAN configuration, you have 4 different WPA3 encryption algorithms you can use.

游客，如果您要查看本帖隐藏内容请回复

mawr1985