WPA3-Enterprise security is based on WPA2-Enterprise, with the additional requirement that Protected Management Frames (PMF) be used for WPA3 connections. The CCMP-128 and GCMP-256 cipher suites are used for data encryption, and the BIP (GMAC-256) cipher suite is used to protect group management frames. WPA3-Enterprise 192-bit mode is an optional mode of operation that provides enhanced security in enterprise networks by using EAP-TLS (certificate-based authentication) and robust cryptographic algorithms. WPA3-Enterprise 192-bit mode requires support for GCMP-256 for encryption and for the signature hash algorithm ECDSA_SHA384 for key derivation.
RADIUS server and certificate requirements for WPA3 192-bit mode:
WPA3-Enterprise 192-bit mode requires a supported EAP server, such as Cisco Identity Services Engine (ISE) and Aruba ClearPass Policy Manager (CPPM), which must use EAP-TLS as the 802.1X authentication type.
The current certificate generation mechanisms (Windows 2019 CA) support RSA key sizes of 512, 1,024, 2,048, 4,096, 8,192, and 16,384 bits. The 192-bit mode requires RSA certificates with a key size greater than or equal to 3,072 bits. Therefore, when generating certificates, be sure to use a 4,096-bit key size, the smallest of the supported sizes that meets the requirement.
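
As an added example (not from the original page or from any vendor tooling), the following shell functions use the `openssl` command-line tool to check that a PEM certificate carries an RSA key of at least 3,072 bits, the minimum stated above. The function names, return codes, and the sample certificate subject are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the RSA >= 3,072-bit rule.
MIN_RSA_BITS=3072   # minimum RSA key size for 192-bit mode, from the text

# Print the RSA key size in bits.
# Returns 2 if the key is not RSA, 3 if the file cannot be parsed.
rsa_bits() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 3
    case $text in
        *'Public Key Algorithm: rsaEncryption'*) ;;
        *) return 2 ;;
    esac
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 3
    echo "$bits"
}

# Returns 0 if the key size is acceptable, 1 if the RSA key is too small,
# 2 for a non-RSA key (outside this check), 3 for an unreadable file.
check_192bit_cert() {
    if bits=$(rsa_bits "$1"); then rc=0; else rc=$?; fi
    case $rc in
        2) echo "$1: not an RSA key, size rule not evaluated"; return 2 ;;
        3) echo "$1: cannot parse certificate"; return 3 ;;
    esac
    if [ "$bits" -ge "$MIN_RSA_BITS" ]; then
        echo "$1: RSA $bits bits, meets the $MIN_RSA_BITS-bit minimum"
        return 0
    fi
    echo "$1: RSA $bits bits, below the $MIN_RSA_BITS-bit minimum"
    return 1
}

# Constructed sample input: throwaway self-signed certificate.
# Usage: make_sample_cert BITS OUT.pem   (the CN is a placeholder)
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" \
        -subj "/CN=radius.example.test" -days 1 -out "$2" 2>/dev/null
    rm -f "$2.key"
}

# Check every certificate path given on the command line.
for cert in "$@"; do
    check_192bit_cert "$cert"
done
```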