1
00:00:04,460 --> 00:00:09,920
 Hello and welcome to this video
 titled WPA Transition Mode.

2
00:00:09,920 --> 00:00:13,200
 So in this video we're going to be
 talking about what happens when you

3
00:00:13,200 --> 00:00:18,260
 want to offer a wireless LAN and SSID
 and you might have some clients

4
00:00:18,260 --> 00:00:24,260
 that only support WPA2 and other
 newer clients that support WPA3.

5
00:00:24,260 --> 00:00:26,480
 What do you do in that situation?

6
00:00:26,480 --> 00:00:29,500
 And that's actually what we're
 going to talk about right here.

7
00:00:29,500 --> 00:00:33,820
 So we already know that WPA3 has a lot
 of things built into it that make

8
00:00:33,820 --> 00:00:37,220
 it inherently stronger,
 more secure than WPA2.

9
00:00:37,220 --> 00:00:39,500
 It's got the protected management frames.

10
00:00:39,500 --> 00:00:42,480
 It has the ability to turn on
 beacon protection if you want.

11
00:00:42,480 --> 00:00:45,880
 It has the stronger security suites.

12
00:00:45,880 --> 00:00:50,560
 Certainly in the personal mode, the simultaneous
 authentication of equals

13
00:00:50,560 --> 00:00:56,920
 is a lot stronger, deriving per-client
 PMKs, than WPA2, which has a single

14
00:00:56,920 --> 00:00:59,300
 PMK for every client.

15
00:00:59,300 --> 00:01:00,820
 And I could go on and on and on.

16
00:01:00,820 --> 00:01:04,820
 However, not all clients support WPA3.

17
00:01:04,820 --> 00:01:10,620
 Certainly things like, for example, older
 smartphones and tablets, Internet

18
00:01:10,620 --> 00:01:15,400
 of Things Devices and this open source
 automation project called Home

19
00:01:15,400 --> 00:01:19,740
 Automation or Home Assistant
 doesn't support WPA3.

20
00:01:19,740 --> 00:01:21,940
 And those are just some examples.

21
00:01:21,940 --> 00:01:25,060
 So how do we offer an SSID that serves
 everybody, one that everybody can

22
00:01:25,060 --> 00:01:30,040
 connect to? And this is what WPA
 transition mode is all about.

23
00:01:30,040 --> 00:01:35,100
 So in a nutshell, when you select WPA
 transition mode, really what you're

24
00:01:35,100 --> 00:01:39,800
 doing is you're just offering in your
 beacons an SSID that's advertising

25
00:01:39,800 --> 00:01:44,720
 that it can do both WPA2
 and WPA3 personal.

26
00:01:44,720 --> 00:01:50,160
 So the rules state that if a Wi-Fi client
 is capable of connecting via

27
00:01:50,160 --> 00:01:53,080
 WPA3 SAE, they should.

28
00:01:53,080 --> 00:01:59,060
 Only clients that don't understand WPA3
 should connect via the older legacy

29
00:01:59,060 --> 00:02:06,160
 WPA2. Now, when it comes to protected
 management frames, we know that

30
00:02:06,160 --> 00:02:07,040
 that is an option.

31
00:02:07,040 --> 00:02:09,680
 We're going to see that here once again,
 when you're configuring, you're

32
00:02:09,680 --> 00:02:13,660
 editing your wireless LAN, especially
 in like the Catalyst 9800 controller,

33
00:02:13,660 --> 00:02:17,300
 there's a box in there for protected
 management frames and you can set

34
00:02:17,300 --> 00:02:21,260
 it to disabled, required or optional.

35
00:02:21,260 --> 00:02:22,820
 Those are your three options.

36
00:02:22,820 --> 00:02:27,340
 So in this particular case, because you
 might have some WPA2 clients that

37
00:02:27,340 --> 00:02:33,740
 might not recognize PMF, because PMF
 wasn't mandatory until WPA3 came

38
00:02:33,740 --> 00:02:36,880
 out, you really need to
 set it to optional.

39
00:02:36,880 --> 00:02:40,400
 Because if you set it to required, then
 those clients might not be able

40
00:02:40,400 --> 00:02:43,500
 to connect. Now, you might be thinking,
 well, wait a second, if I set

41
00:02:43,500 --> 00:02:48,700
 it to optional, then how are my WPA3
 clients going to be able to connect?

42
00:02:48,700 --> 00:02:52,680
 Well, WPA3 requires protected
 management frames.

43
00:02:52,680 --> 00:02:56,660
 And so if you remember my video where
 I introduced the concept of PMF,

44
00:02:56,660 --> 00:03:00,600
 I showed you a screenshot of a beacon,
 a sniffer trace of a beacon.

45
00:03:00,600 --> 00:03:03,300
 And we saw in there that there
 were two bits for flags.

46
00:03:03,300 --> 00:03:08,920
 One of those bits said, protected
 management frames are capable.

47
00:03:08,920 --> 00:03:12,880
 In other words, I, the access point,
 I can do it if you want to.

48
00:03:12,880 --> 00:03:16,480
 And then there was another flag that
 if it was set to one said, you have

49
00:03:16,480 --> 00:03:18,660
 to use protected management frames.

50
00:03:18,660 --> 00:03:22,580
 So in this particular case, if we set
 it to optional, the beacon will

51
00:03:22,580 --> 00:03:24,240
 say it's capable.

52
00:03:24,240 --> 00:03:25,840
 It won't say it's required.

53
00:03:25,840 --> 00:03:26,940
 It will say it's capable.

54
00:03:26,940 --> 00:03:31,880
 And when the WPA3 clients see that,
 they are required to use protected

55
00:03:31,880 --> 00:03:33,940
 management frames.

56
00:03:33,940 --> 00:03:38,100
 So here's how you create a transition
 mode wireless LAN.

57
00:03:38,100 --> 00:03:44,400
 So up there in the security section,
 you select WPA2 plus WPA3, or however

58
00:03:44,400 --> 00:03:47,820
 it looks in your web UI for
 your particular product.

59
00:03:47,820 --> 00:03:54,400
 And then you would have AES CCMP 128
 selected, because for the personal

60
00:03:54,400 --> 00:03:57,560
 mode of WPA2, that's all it supports.

61
00:03:57,560 --> 00:03:59,960
 It only supports AES CCMP.

62
00:03:59,960 --> 00:04:02,980
 And then under your authentication key
 management, you will select both

63
00:04:02,980 --> 00:04:10,340
 pre-shared key, which the WPA2 clients
 will need, and SAE for the WPA3

64
00:04:10,340 --> 00:04:13,640
 clients. And then it's kind of cut
 off here on the bottom, but you're

65
00:04:13,640 --> 00:04:17,360
 still going to have to type in your
 passphrase for the wireless LAN.

66
00:04:17,360 --> 00:04:21,260
 that both types of WPA clients
 will use to connect.

67
00:04:21,260 --> 00:04:25,040
 And so you can see right here,
 here's part of the beacon.

68
00:04:25,040 --> 00:04:28,820
 And this is in the robust security
 network information element.

69
00:04:28,820 --> 00:04:32,260
 And you can see now that under authentication
 key management, it's saying,

70
00:04:32,260 --> 00:04:35,740
 I actually support two different
 kinds of managing keys.

71
00:04:35,740 --> 00:04:39,580
 You can connect to me with pre-shared
 key, or you can connect to me with

72
00:04:39,580 --> 00:04:42,680
 simultaneous authentication of equals.

73
00:04:42,680 --> 00:04:47,400
 So this is our verification that the access
 point is supporting a transition

74
00:04:47,400 --> 00:04:51,340
 mode wireless LAN.

75
00:04:51,340 --> 00:04:56,840
 All right. Now you probably know that
 GCMP 128 is a much stronger

76
00:04:56,840 --> 00:04:59,380
 encryption algorithm than AES CCMP.

77
00:04:59,380 --> 00:05:02,920
 So the question might be,
 well, can I use both?

78
00:05:02,920 --> 00:05:09,320
 Can I maybe have my WPA2 clients use
 the AES and my WPA3 clients use GCMP

79
00:05:09,320 --> 00:05:12,280
 128 in a transition mode wireless LAN?

80
00:05:12,280 --> 00:05:13,880
 The answer is no, you cannot.

81
00:05:13,880 --> 00:05:17,660
 Remember, WPA2 clients
 only understand CCMP.

82
00:05:17,660 --> 00:05:22,560
 WPA3 clients can use GCMP 128.

83
00:05:22,560 --> 00:05:25,660
 But the only way that's going to work
 is when the wireless LAN is set

84
00:05:25,660 --> 00:05:29,900
 to WPA3 only, not transition mode.

85
00:05:29,900 --> 00:05:32,520
 So here's actually what you will see.

86
00:05:32,520 --> 00:05:35,260
 So here we've got our transition
 mode wireless LAN.

87
00:05:35,260 --> 00:05:36,180
 And we've tried it.

88
00:05:36,180 --> 00:05:39,100
 We tried clicking both of
 these boxes right here.

89
00:05:39,100 --> 00:05:43,640
 And the moment you do, you get
 this error message here in red.

90
00:05:43,640 --> 00:05:47,060
 And notice I've got SAE and PSK selected.

91
00:05:47,060 --> 00:05:54,780
 So in short, the only way you could
 get GCMP to work is if you're using

92
00:05:54,780 --> 00:06:03,040
 802.1X. So basically, if you unselect
 SAE and PSK, so let's say you say,

93
00:06:03,040 --> 00:06:06,020
 I'm going to do this.

94
00:06:06,020 --> 00:06:12,120
 I am going to go over here and I'm
 going to deselect this so that only

95
00:06:12,120 --> 00:06:16,780
 GCMP 128 is usable.

96
00:06:16,780 --> 00:06:20,320
 So can I do that in a transition
 mode wireless LAN?

97
00:06:20,320 --> 00:06:25,620
 Well, you can. But the only way to get
 that to work is if you deselected

98
00:06:25,620 --> 00:06:34,040
 SAE, deselected pre-shared key,
 and instead used Suite B-1X.

99
00:06:34,040 --> 00:06:36,040
 And notice the 1X in there?

100
00:06:36,040 --> 00:06:40,260
 That should key you off
 to the fact that it is 802.1X.

101
00:06:40,260 --> 00:06:44,740
 So this is now basically turning it
 into an enterprise wireless LAN, not

102
00:06:44,740 --> 00:06:46,420
 a personal wireless LAN.

103
00:06:46,420 --> 00:06:51,580
 So the short end of it is that if you
 want to do WPA2 personal and WPA3

104
00:06:51,580 --> 00:06:56,900
 personal, otherwise known as
 SAE, then you can't do GCMP.

105
00:06:56,900 --> 00:07:00,820
 You can only stick with AES CCMP 128.

106
00:07:00,820 --> 00:07:03,980
 That's the only one that will work.

107
00:07:03,980 --> 00:07:09,120
 All right. Now, you might also notice
 that in some platforms like

108
00:07:09,120 --> 00:07:13,220
 the 9800, there is a checkbox
 called transition disable.

109
00:07:13,220 --> 00:07:15,860
 And you might be wondering, what
 happens if I click that?

110
00:07:15,860 --> 00:07:20,020
 Okay. Well, if you click that, it's going
 to set a flag called the transition

111
00:07:20,020 --> 00:07:21,920
 disable flag in the beacon.

112
00:07:21,920 --> 00:07:23,660
 And this is actually kind of
 interesting how this works.

113
00:07:23,660 --> 00:07:29,780
 What that means is that if a wireless
 LAN connects to this SSID via WPA3,

114
00:07:29,780 --> 00:07:32,540
 guess what? It will see that flag.

115
00:07:32,540 --> 00:07:34,980
 It will cache that status.

116
00:07:34,980 --> 00:07:39,480
 It will say, oh, I know that on this particular
 SSID, this wireless

117
00:07:39,480 --> 00:07:44,180
 LAN, I am not allowed
 to fall back to WPA2.

118
00:07:44,180 --> 00:07:49,120
 Once I connect via WPA3, I always
 have to connect to WPA3.

119
00:07:49,120 --> 00:07:53,260
 Not only on this access point, but
 any access point that's advertising

120
00:07:53,260 --> 00:07:56,260
 this SSID. And so that's what it means.

121
00:07:56,260 --> 00:08:01,320
 It means once you connect via WPA3,
 you can never fall back to WPA2.

122
00:08:01,320 --> 00:08:06,160
 So if you know in advance that all
 of your access points support both

123
00:08:06,160 --> 00:08:10,420
 WPA2 and WPA3, this is a good idea.

124
00:08:10,420 --> 00:08:13,940
 Now, for example, you know, what if
 you had one or two access points out

125
00:08:13,940 --> 00:08:17,760
 there, they were advertising
 this exact same SSID.

126
00:08:17,760 --> 00:08:21,320
 But on those access points, maybe they're
 autonomous access points, you

127
00:08:21,320 --> 00:08:24,600
 know, standalone or something, those
 access points, they're advertising

128
00:08:24,600 --> 00:08:30,200
 it as WPA2 only, you know, maybe they're
 older, they don't support WPA3,

129
00:08:30,200 --> 00:08:33,460
 but you want to give people in that
 remote corner of the building access

130
00:08:33,460 --> 00:08:34,840
 to the wireless LAN.

131
00:08:34,840 --> 00:08:38,300
 So on those access points, you say,
 okay, I'll advertise the same SSID,

132
00:08:38,300 --> 00:08:45,100
 but as WPA2. Well, if on your newer
 access points that support both, you

133
00:08:45,100 --> 00:08:49,200
 had the transition disable flag
 set, that might be problematic.

134
00:08:49,200 --> 00:08:52,180
 Because, you know, John who's on the
 first floor of the building, you

135
00:08:52,180 --> 00:08:54,820
 know, he might connect via WPA3.

136
00:08:54,820 --> 00:08:58,360
 And now he's locked into that because of
 that transition disable flag.

137
00:08:58,360 --> 00:09:01,880
 Now, John roams throughout the building,
 and eventually roams over to

138
00:09:01,880 --> 00:09:05,980
 that corner where those other access
 points are, he'll say, well, I want

139
00:09:05,980 --> 00:09:10,740
 to roam right there, but I can't because
 the beacons I'm seeing don't have

140
00:09:10,740 --> 00:09:15,240
 the transition disable flag,
 they're only offering WPA2.

141
00:09:15,240 --> 00:09:18,680
 And I've already been told via previous
 access points, I can't connect

142
00:09:18,680 --> 00:09:23,420
 via WPA2. So John would not be able
 to roam to those access points.

143
00:09:23,420 --> 00:09:26,540
 So that's why you only want to check
 this box if you know that all of

144
00:09:26,540 --> 00:09:31,360
 your APs support both WPA2 and WPA3.

145
00:09:31,360 --> 00:09:33,320
 And this is what that looks like.

146
00:09:33,320 --> 00:09:37,960
 So this is the box right here
 for the transition disable.

147
00:09:37,960 --> 00:09:41,480
 So just a few other caveats about this.

148
00:09:41,480 --> 00:09:45,780
 So this is a somewhat new implementation.

149
00:09:45,780 --> 00:09:50,680
 So this is implemented
 after 2018 and WPA3.

150
00:09:50,680 --> 00:09:55,760
 As far as Cisco's concerned and their
 9800 wireless LAN controllers, they

151
00:09:55,760 --> 00:10:00,220
 added this around 17.5, 17.6.

152
00:10:00,220 --> 00:10:10,340
 And as for the access points propagating
 that bit called the transition

153
00:10:10,340 --> 00:10:12,240
 disable bit in their beacon.

154
00:10:12,240 --> 00:10:16,580
 So if you have an older access point
 like one of these right here, it

155
00:10:16,580 --> 00:10:17,760
 won't support it.

156
00:10:17,760 --> 00:10:22,520
 So this will be yet another example
 of where you configure something in

157
00:10:22,520 --> 00:10:25,640
 the wireless LAN controller, it doesn't
 give you an error message.

158
00:10:25,640 --> 00:10:30,040
 And yet it's not working correctly
 on the access point.

159
00:10:30,040 --> 00:10:37,220
 Similar to my beacon protection presentation.
 With beacon protection, that

160
00:10:37,220 --> 00:10:40,080
 was the same type of thing where you
 could select the beacon protection

161
00:10:40,080 --> 00:10:41,820
 checkbox in the wireless LAN controller.

162
00:10:41,820 --> 00:10:46,620
 But the older access points, like the ones
 here in this list, if you actually

163
00:10:46,620 --> 00:10:49,680
 caught their beacons, you would
 see there was no MIC in there.

164
00:10:49,680 --> 00:10:52,860
 They weren't being protected because
 they didn't support that in hardware.

165
00:10:52,860 --> 00:10:55,080
 Same thing is true right here.

166
00:10:55,080 --> 00:10:59,060
 Now there are some risks though with
 transition mode; you need to be aware

167
00:10:59,060 --> 00:11:05,840
 of this. So remember, there's a reason
 why we want our WPA3 clients

168
00:11:05,840 --> 00:11:11,220
 to be operating in WPA3 mode, because
 it's safer, it's more secure,

169
00:11:11,220 --> 00:11:13,380
 it's virtually impossible.

170
00:11:13,380 --> 00:11:18,060
 If all of your clients were operating
 in WPA3 mode, it's going to

171
00:11:18,060 --> 00:11:23,160
 be next to impossible for some outside
 malicious actor to figure out just

172
00:11:23,160 --> 00:11:27,400
 from sniffing the traffic, what the pairwise
 master key is on any of those

173
00:11:27,400 --> 00:11:32,220
 clients, or even what the WPA3
 passphrase is to get on the wireless

174
00:11:32,220 --> 00:11:33,880
 LAN in the first place.

175
00:11:33,880 --> 00:11:36,480
 Just by capturing frames, they're not
 going to be able to reverse engineer

176
00:11:36,480 --> 00:11:42,320
 that. But with WPA2, especially if
 your passphrase is fairly simple,

177
00:11:42,320 --> 00:11:45,800
 it is possible to reverse engineer that;
 there are well-known, documented

178
00:11:45,800 --> 00:11:49,620
 attacks against WPA2 clients
 that can do just that.

179
00:11:49,620 --> 00:11:53,180
 So if you're in transition mode, there
 is a possibility of a downgrade

180
00:11:53,180 --> 00:11:58,800
 attack, where a malicious actor might
 spoof beacons attempting to influence

181
00:11:58,800 --> 00:12:03,420
 WPA3 clients to disassociate, deauthenticate,
 and then reauthenticate

182
00:12:03,420 --> 00:12:06,720
 and associate using WPA2 mode only.

183
00:12:06,720 --> 00:12:10,400
 And now they might be able to guess
 the passphrase once they do that.

184
00:12:10,400 --> 00:12:15,420
 And also, because you've got some mixed
 devices in there, those devices

185
00:12:15,420 --> 00:12:20,460
 operating in WPA2 mode still have
 the same vulnerability, still have

186
00:12:20,460 --> 00:12:29,640
 the same. Like it says, transition:
 we're transitioning everything.

187
00:12:29,640 --> 00:12:33,560
 Hopefully within a few months, all of
 our clients will support WPA3,

188
00:12:33,560 --> 00:12:40,700
 and then we'll be able to uncheck WPA2
 and have everything do WPA3.

189
00:12:40,700 --> 00:12:45,160
 So that concludes this video on WPA
 transition mode wireless LANs.

190
00:12:45,160 --> 00:12:45,940
 Thank you for watching.
