WPA3 Enterprise

WPA3-Enterprise security is based on WPA2-Enterprise, with the additional requirement that Protected Management Frames (PMF) be used for WPA3 connections. The CCMP-128 and GCMP-256 cipher suites are used for data encryption, and the BIP (GMAC-256) cipher suite protects group management frames. WPA3-Enterprise 192-bit mode is an optional mode of operation that offers increased security in enterprise networks; it uses EAP-TLS (certificate-based authentication) and strong cryptographic algorithms. WPA3-Enterprise 192-bit mode requires support for GCMP-256 for encryption and the signature hash algorithm ECDSA_SHA384 for key derivation.
RADIUS server and certificate requirements for WPA3 192-bit mode:
  • WPA3-Enterprise 192-bit mode requires a supported EAP server, such as Cisco Identity Services Engine (ISE) or Aruba ClearPass Policy Manager (CPPM), with the 802.1X authentication type set to EAP-TLS.
  • Supported 192-bit cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • The current certificate generation mechanisms (Windows 2019 CA) support RSA key sizes of 512, 1024, 2048, 4096, 8192, and 16384 bits. 192-bit mode mandates RSA certificates with a key size of at least 3072 bits. Therefore, when generating certificates, be sure to use a 4096-bit key size.
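
A pre-deployment check for the requirements listed above, as an added example that is not part of the original page or of any vendor's tooling. It reads the text printed by `openssl x509 -noout -text` for the RADIUS server certificate together with the cipher suites enabled for EAP-TLS; the function name, the sample certificate text and the host name in it are constructed for illustration.

```python
import re

# The two 192-bit mode cipher suites listed on this page, keyed by the
# certificate key type each one authenticates with.
SUITE_KEY_TYPE = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "id-ecPublicKey",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "rsaEncryption",
}
MIN_RSA_BITS = 3072  # minimum RSA key size stated on this page


def audit_192bit(cert_text, enabled_suites):
    """Return findings for a server certificate (text from
    `openssl x509 -noout -text`) and the EAP-TLS suites enabled for it."""
    findings = []
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    if not alg or not bits:
        return ["cannot parse public key algorithm/size from certificate text"]
    key_type, key_bits = alg.group(1), int(bits.group(1))

    if key_type == "rsaEncryption" and key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {key_bits} bits, below {MIN_RSA_BITS}")

    for suite in enabled_suites:
        if suite not in SUITE_KEY_TYPE:
            findings.append(f"suite not in the 192-bit list: {suite}")

    # A suite is only usable with a certificate of the matching key type.
    usable = [s for s in enabled_suites if SUITE_KEY_TYPE.get(s) == key_type]
    if not usable:
        findings.append(f"no enabled 192-bit suite matches a {key_type} certificate")
    return findings


# Constructed sample: trimmed certificate text in the OpenSSL layout.
SAMPLE_RSA_2048 = """\
    Subject: CN = radius.example.test
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
"""
SAMPLE_RSA_4096 = SAMPLE_RSA_2048.replace("2048", "4096")

if __name__ == "__main__":
    suites = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
    for finding in audit_192bit(SAMPLE_RSA_2048, suites):
        print("FAIL:", finding)
```

The suite and key-type mismatch is worth checking separately from key size: an RSA certificate with only the ECDHE_ECDSA suite enabled leaves the server with nothing it can negotiate.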