1 00:00:04,440 --> 00:00:10,120 Hello and welcome to this video titled WPA3 Enhanced Open. 2 00:00:10,120 --> 00:00:17,200 So let's talk about this really fascinating feature of WPA3 by starting 3 00:00:17,200 --> 00:00:20,180 and talking about what the problem is that it solved. 4 00:00:20,180 --> 00:00:21,740 So here's a simple problem. 5 00:00:21,740 --> 00:00:27,020 Have you ever been to a network like in a coffee shop or an airport or 6 00:00:27,020 --> 00:00:28,600 a bookstore or something? 7 00:00:28,600 --> 00:00:32,720 Or maybe you've got some signs posted around about what the wireless LAN 8 00:00:32,720 --> 00:00:37,060 passphrase is and you mistyped it something small. 9 00:00:37,060 --> 00:00:40,500 You didn't realize you mistyped it and you're scratching your head wondering 10 00:00:40,500 --> 00:00:42,720 why am I unable to connect to this thing? 11 00:00:42,720 --> 00:00:43,720 What's going on? 12 00:00:43,720 --> 00:00:47,280 Or maybe you're in a place that doesn't have any signs anywhere. 13 00:00:47,280 --> 00:00:50,300 Maybe they got a little cryptic sign somewhere in the corner, not very 14 00:00:50,300 --> 00:00:52,080 visible or easy to see. 15 00:00:52,080 --> 00:00:54,520 So now you've got to wander around asking somebody, hey, do you know what 16 00:00:54,520 --> 00:00:56,440 your Wi-Fi password is here? 17 00:00:56,440 --> 00:00:58,200 What a pain. Right? 18 00:00:58,200 --> 00:01:05,500 So some people want to be able to connect to networks like that. 19 00:01:05,500 --> 00:01:08,480 Public open Wi-Fi networks. 20 00:01:08,480 --> 00:01:13,420 They don't want to have to type in some big long passphrase, but they 21 00:01:13,420 --> 00:01:16,380 do want their traffic to be encrypted, especially if they go to Uncle 22 00:01:16,380 --> 00:01:20,980 Bob's house. Very important your traffic is encrypted at Uncle Bob's house. 23 00:01:20,980 --> 00:01:24,420 So they want their traffic encrypted, but they don't want to have to find 24 00:01:24,420 --> 00:01:28,920 what the passphrase is, especially if it's some long, complex, weird passphrase 25 00:01:28,920 --> 00:01:32,760 that they on their tiny telephone, they might type it in incorrectly. 26 00:01:32,760 --> 00:01:33,980 They don't want to have to deal with that. 27 00:01:33,980 --> 00:01:37,560 They just want to connect to a network, not type in a passphrase, but 28 00:01:37,560 --> 00:01:41,600 somehow magically have their traffic encrypted so that people on the same 29 00:01:41,600 --> 00:01:43,740 network can't see what they're doing. 30 00:01:43,740 --> 00:01:45,920 So that is the problem. 31 00:01:45,920 --> 00:01:49,280 How do we provide Wi-Fi encryption without a passphrase? 32 00:01:49,280 --> 00:01:54,000 Because up until now, whether we were talking about WPA2 or WPA3 with 33 00:01:54,000 --> 00:01:59,240 SAE, either way, we had a pre-shared key or passphrase that was fundamentally 34 00:01:59,240 --> 00:02:05,100 required to derive this pre -this pairwise master key. 35 00:02:05,100 --> 00:02:08,080 And without a pairwise master key, we couldn't do the EAP over land handshake 36 00:02:08,080 --> 00:02:09,620 and we were done. 37 00:02:09,620 --> 00:02:10,920 No encryption possible. 38 00:02:10,920 --> 00:02:13,720 After all, you got to get to that temporal key, right? 39 00:02:13,720 --> 00:02:17,740 That TK and that TK starts way up with the creation of a pairwise master 40 00:02:17,740 --> 00:02:21,560 key. So how do we create one of those things without some sort of a pre 41 00:02:21,560 --> 00:02:23,480 -shared key or authentication? 42 00:02:23,480 --> 00:02:28,200 And that is what Wi-Fi enhanced open was developed for. 43 00:02:28,200 --> 00:02:34,820 So this was first introduced with WPA3 and it's a security method aimed 44 00:02:34,820 --> 00:02:38,840 at open, no password Wi-Fi networks, but give people the ability to have 45 00:02:38,840 --> 00:02:41,460 encrypted sessions across that. 46 00:02:41,460 --> 00:02:45,560 Now technically speaking, it's called opportunistic wireless encryption. 47 00:02:45,560 --> 00:02:51,300 So that's the mechanism used under the hood of Wi-Fi enhanced open. 48 00:02:51,300 --> 00:02:54,280 And so we're going to have a cryptographic handshake that generates a 49 00:02:54,280 --> 00:02:58,880 unique encryption key between each client and the access point. 50 00:02:58,880 --> 00:03:03,500 And yet the SSID itself, when you look at the beacons, is going to be 51 00:03:03,500 --> 00:03:08,740 advertised as an open SSID, meaning you don't have to type in a passphrase. 52 00:03:08,740 --> 00:03:12,140 So let's look at a high level of how this works. 53 00:03:12,140 --> 00:03:17,520 First of all, the client device will see beacons flying around and the 54 00:03:17,520 --> 00:03:20,360 beacons will say open authentication. 55 00:03:20,360 --> 00:03:23,480 Okay, so and they'll show up in your list there with, you know, without 56 00:03:23,480 --> 00:03:28,260 the padlock saying this is an open authentication wireless LAN. 57 00:03:28,260 --> 00:03:34,120 And so, but there is an information element, a special IE within the beacon 58 00:03:34,120 --> 00:03:40,580 itself that says, Hey, this open wireless LAN supports opportunistic wireless 59 00:03:40,580 --> 00:03:43,040 encryption, OWE. 60 00:03:43,040 --> 00:03:48,580 So assuming that your client supports that feature and most Wi-Fi clients 61 00:03:48,580 --> 00:03:53,740 developed in the last, oh, two, three, four years, they should, then it 62 00:03:53,740 --> 00:03:58,120 will, what will happen is just a one to exchange of 802.11 authentication 63 00:03:58,120 --> 00:03:59,440 frames, just like normal. 64 00:03:59,440 --> 00:04:02,540 Did this say open in the authentication frame? 65 00:04:02,540 --> 00:04:04,980 There's no passphrase or anything there. 66 00:04:04,980 --> 00:04:08,840 And then there'll be your authentication handshake, association request 67 00:04:08,840 --> 00:04:11,040 and association response. 68 00:04:11,040 --> 00:04:13,360 But here's where things get a little bit different. 69 00:04:13,360 --> 00:04:17,400 Normally in an association request and association response, we don't 70 00:04:17,400 --> 00:04:22,500 really sort of think of those frames as having anything to do with authentication. 71 00:04:22,500 --> 00:04:26,120 Normally we think, okay, well, authentication is going to happen afterwards 72 00:04:26,120 --> 00:04:31,080 with the four way E-Bover LAN handshake, not so here. 73 00:04:31,080 --> 00:04:35,460 In this particular case, because the client recognized that this wireless 74 00:04:35,460 --> 00:04:41,300 LAN supports opportunistic wireless encryption, OWE, the client at that 75 00:04:41,300 --> 00:04:45,040 moment, right there when he sees that, that client will, in the background, 76 00:04:45,040 --> 00:04:45,720 you don't have to do anything. 77 00:04:45,720 --> 00:04:49,760 This happens in your phone, your tablet, it will immediately create for 78 00:04:49,760 --> 00:04:54,920 itself a public private key pair, right then on the spot. 79 00:04:54,920 --> 00:04:59,380 And then when it sends its association request frame, it will actually 80 00:04:59,380 --> 00:05:03,620 include some Diffie Hellman information right there in the association 81 00:05:03,620 --> 00:05:09,440 request, including that public key, it generated like a split second ago. 82 00:05:09,440 --> 00:05:14,460 And then the access point will send an association response with its Diffie 83 00:05:14,460 --> 00:05:18,700 Hellman information, its public key, and then just using standard Diffie 84 00:05:18,700 --> 00:05:22,380 Hellman using this public private key and the magic that Diffie Hellman 85 00:05:22,380 --> 00:05:26,600 goes through, both sides will be able to derive a shared secret, which 86 00:05:26,600 --> 00:05:30,600 can then be turned into a pairwise master key, which is ready and waiting 87 00:05:30,600 --> 00:05:35,340 for the next step, which is our standard four way E-Bover LAN handshake. 88 00:05:35,340 --> 00:05:39,100 And all this is done without requiring a password. 89 00:05:39,100 --> 00:05:43,460 And if you later leave disassociate from that network and then come back 90 00:05:43,460 --> 00:05:47,460 at a later time, guess what, your phone, your tablet will create a brand 91 00:05:47,460 --> 00:05:50,560 new public private key pair. 92 00:05:50,560 --> 00:05:55,760 And so because every client on that wireless LAN, you, Bob sitting next 93 00:05:55,760 --> 00:05:59,820 to you, Sally, who's sitting in the next row over, because every client 94 00:05:59,820 --> 00:06:03,660 is going to drive their own unique public private key pair when they join 95 00:06:03,660 --> 00:06:05,100 this OWE wireless LAN. 96 00:06:05,100 --> 00:06:08,840 And this is just what WPA3 does. 97 00:06:08,840 --> 00:06:13,960 Everybody will ultimately derive their own unique temporal key. 98 00:06:13,960 --> 00:06:16,160 So everybody's encryption will be done unique. 99 00:06:16,160 --> 00:06:19,160 Nobody can decrypt anybody else's traffic. 100 00:06:19,160 --> 00:06:27,920 So enhanced open requires support of PMF protected management frames. 101 00:06:27,920 --> 00:06:30,720 But remember, we're talking about WPA3 here. 102 00:06:30,720 --> 00:06:33,060 This is a WPA3 feature. 103 00:06:33,060 --> 00:06:37,500 And if you're going to do a WPA3 wireless LAN, protected management frames 104 00:06:37,500 --> 00:06:39,920 are required. That's part of the standard. 105 00:06:39,920 --> 00:06:42,640 So you're not going to be able to do this without PMF. 106 00:06:42,640 --> 00:06:44,480 So how do you create this? 107 00:06:44,480 --> 00:06:48,460 So a standard OWE wireless LAN, very simple. 108 00:06:48,460 --> 00:06:51,380 So, you know, I'm not showing you the first screen here where you create 109 00:06:51,380 --> 00:06:57,980 the wireless LAN, but for example, let's just go over here in our controller. 110 00:06:57,980 --> 00:06:59,960 So you just do what you normally do. 111 00:06:59,960 --> 00:07:04,180 You would click configure, wireless LANs. 112 00:07:04,180 --> 00:07:09,420 Sometimes this is a little touchy on my side here. 113 00:07:09,420 --> 00:07:12,960 There we go. And then you just add a wireless LAN like you normally do. 114 00:07:12,960 --> 00:07:15,240 So this first stage is no different. 115 00:07:15,240 --> 00:07:18,200 So, you know, if this is at an airport, for example, we might call it 116 00:07:18,200 --> 00:07:22,220 airport guest. Right. 117 00:07:22,220 --> 00:07:25,300 And it would be enabled. 118 00:07:25,300 --> 00:07:28,060 I'm not going to do six gigahertz here. 119 00:07:28,060 --> 00:07:31,940 By the way, OWE is not supported on six gigahertz. 120 00:07:31,940 --> 00:07:33,720 That's going to come up in another slide. 121 00:07:33,720 --> 00:07:37,980 Only support on 2.4 and five gigahertz, not six gigahertz. 122 00:07:37,980 --> 00:07:41,900 And then when I go to the security section, that brings us to what we 123 00:07:41,900 --> 00:07:44,180 were just looking at, which is this right here. 124 00:07:44,180 --> 00:07:46,680 So then you're going to select WPA3. 125 00:07:46,680 --> 00:07:50,620 And then you're going to select for your authentication key management, 126 00:07:50,620 --> 00:07:55,820 OWE right here. And notice that as soon as you click that, watch this. 127 00:07:55,820 --> 00:08:01,580 WPA3. Okay. So let's tell me down here what authentication key management 128 00:08:01,580 --> 00:08:07,120 do you want? Now, if I selected SAE, then I'd have to type down here a 129 00:08:07,120 --> 00:08:09,260 pre shared key, right? 130 00:08:09,260 --> 00:08:14,160 But if I select OWE, all that goes away. 131 00:08:14,160 --> 00:08:19,160 And there is no pre shared key to select because that's not part of OWE. 132 00:08:19,160 --> 00:08:22,080 And then you just apply it. 133 00:08:22,080 --> 00:08:25,140 And then you have your OWE wireless LAN. 134 00:08:25,140 --> 00:08:28,160 So if you capture the beacons from that wireless LAN, this is what you're 135 00:08:28,160 --> 00:08:31,860 going to see down here under your robust security network information 136 00:08:31,860 --> 00:08:36,800 element. A subcategory of authentication key management knows what says. 137 00:08:36,800 --> 00:08:38,620 It doesn't say PSK. 138 00:08:38,620 --> 00:08:40,360 It doesn't say SAE. 139 00:08:40,360 --> 00:08:43,700 It says opportunistic wireless encryption. 140 00:08:43,700 --> 00:08:47,900 So this is how the Wi-Fi clients who support this can recognize this and 141 00:08:47,900 --> 00:08:50,280 say, oh, I can connect to that. 142 00:08:50,280 --> 00:08:53,280 And when the Wi-Fi client, like I said, knows this is from the client 143 00:08:53,280 --> 00:08:56,640 to the Cisco access point, association request. 144 00:08:56,640 --> 00:09:00,080 And like I said, here in the association request, here's your Diffie-Hellman 145 00:09:00,080 --> 00:09:03,160 stuff. So that the client can begin the Diffie-Hellman exchange. 146 00:09:03,160 --> 00:09:07,460 So with this, just one, two exchange of messages, association request, 147 00:09:07,460 --> 00:09:12,660 followed by association response, both sides using Diffie-Hellman will 148 00:09:12,660 --> 00:09:16,920 be able to create a shared secret, which can then be turned into a pairwise 149 00:09:16,920 --> 00:09:25,840 master key. So knows here what's different with SAE, right? 150 00:09:25,840 --> 00:09:27,320 There's several differences with SAE. 151 00:09:27,320 --> 00:09:33,760 So when we were doing a WPA3 SAE wireless LAN, the generator slash base 152 00:09:33,760 --> 00:09:37,420 was something called a password element. 153 00:09:37,420 --> 00:09:40,200 So a password element went right here. 154 00:09:40,200 --> 00:09:46,360 And the password element was derived from, in part, your WPA3 pre-shared 155 00:09:46,360 --> 00:09:49,600 key, like INE123 or coffee is great or whatever. 156 00:09:49,600 --> 00:09:54,300 So you took that name you typed in for the wireless LAN, that passphrase, 157 00:09:54,300 --> 00:10:00,120 that PSK, and it created a password element using either hunting and pecking 158 00:10:00,120 --> 00:10:01,600 or hash to element. 159 00:10:01,600 --> 00:10:04,800 And that went right here in the generator base. 160 00:10:04,800 --> 00:10:11,020 Now the modulus was a well-known number, depending on what Diffie-Hellman 161 00:10:11,020 --> 00:10:12,260 group was selected. 162 00:10:12,260 --> 00:10:16,620 And then you had a couple of randomly selected exponents. 163 00:10:16,620 --> 00:10:19,380 And there were all sorts of things that took place right here, like the 164 00:10:19,380 --> 00:10:23,880 calculation of a finite field element and the calculation of a scalar 165 00:10:23,880 --> 00:10:27,560 value. But notice right here, first of all, that stuff's not there. 166 00:10:27,560 --> 00:10:29,300 Just a simple Diffie-Hellman exchange. 167 00:10:29,300 --> 00:10:33,140 There's no scalar, there's no finite field element, that doesn't exist. 168 00:10:33,140 --> 00:10:38,260 And instead of having some variable thing, like a pre-shared key or a 169 00:10:38,260 --> 00:10:42,360 password, which goes into the creation of our generator, this generator 170 00:10:42,360 --> 00:10:45,280 here is just a well-known number. 171 00:10:45,280 --> 00:10:50,320 So when you do standard Diffie-Hellman, the generator and the modulus 172 00:10:50,320 --> 00:10:53,320 are well-known as part of the group. 173 00:10:53,320 --> 00:10:56,180 You know, if you choose Diffie-Hellman group 5, there's going to be a 174 00:10:56,180 --> 00:10:58,580 generator and a modulus assigned to that group. 175 00:10:58,580 --> 00:11:02,200 If you do Diffie-Hellman group 19, there will be a different generator 176 00:11:02,200 --> 00:11:04,060 and a different modulus for that. 177 00:11:04,060 --> 00:11:08,100 The only thing that will change will be the randomly selected exponent. 178 00:11:08,100 --> 00:11:10,760 So now they're going to exchange their public keys, we just saw that. 179 00:11:10,760 --> 00:11:14,020 That's in the association request and association response. 180 00:11:14,020 --> 00:11:16,720 Now they have the shared secret that they derive. 181 00:11:16,720 --> 00:11:23,660 And then from the shared secret, they create their pairwise master key. 182 00:11:23,660 --> 00:11:29,500 So here you can see, we just have the two authentication messages, which 183 00:11:29,500 --> 00:11:33,240 are open. So you notice the authentication here just has open system, 184 00:11:33,240 --> 00:11:37,880 just a regular 802.11 open authentication, nothing special about that. 185 00:11:37,880 --> 00:11:41,700 All the special sauce happens here in the association request and the 186 00:11:41,700 --> 00:11:43,400 association response. 187 00:11:43,400 --> 00:11:46,560 And then we go through our four -way EPU overland key message. 188 00:11:46,560 --> 00:11:50,600 Ignore the fact that this one has message number three duplicated. 189 00:11:50,600 --> 00:11:53,020 There was just some weirdness happening there at the time. 190 00:11:53,020 --> 00:11:57,220 But as long as you get through message one through four, you're good. 191 00:11:57,220 --> 00:12:01,100 Now the last thing I want to talk about in here is something called OWE 192 00:12:01,100 --> 00:12:03,020 transition mode. 193 00:12:03,020 --> 00:12:06,440 You might have a situation like, you know, let's say you're the network 194 00:12:06,440 --> 00:12:09,900 administrator at the airport or at the coffee shop. 195 00:12:09,900 --> 00:12:13,060 And once again, you want to offer an open network for people to connect 196 00:12:13,060 --> 00:12:16,760 to. But you say to yourself, you know what, there's going to be thousands 197 00:12:16,760 --> 00:12:19,400 of people going to this airport every single day. 198 00:12:19,400 --> 00:12:23,320 And there's a very good chance that while some of their laptops and tablets 199 00:12:23,320 --> 00:12:29,060 and stuff support OWE, Wi-Fi enhanced open, a lot of them might not. 200 00:12:29,060 --> 00:12:33,200 And, you know, I don't want to have to advertise two wireless LANs because 201 00:12:33,200 --> 00:12:36,020 then how will people know to choose, right? 202 00:12:36,020 --> 00:12:39,540 Grandma waiting for her flight to Denver, Colorado, she's not going to 203 00:12:39,540 --> 00:12:41,780 know which SSID to choose. 204 00:12:41,780 --> 00:12:47,240 So wouldn't it be great if we could just offer one airport network, right? 205 00:12:47,240 --> 00:12:51,060 Put that on signs or whatever, connect to airport dash network or whatever. 206 00:12:51,060 --> 00:12:57,420 And then for those people who do support OWE, they can connect securely 207 00:12:57,420 --> 00:12:59,760 having their traffic encrypted. 208 00:12:59,760 --> 00:13:03,580 But for those people who are running like WPA2 or something, they can 209 00:13:03,580 --> 00:13:05,880 disconnect via a regular open network. 210 00:13:05,880 --> 00:13:07,980 Now they won't have their traffic encrypted, of course. 211 00:13:07,980 --> 00:13:10,980 They're running that risk, but that's because they refused to upgrade 212 00:13:10,980 --> 00:13:14,560 their phone five years ago and they're still walking around with outdated 213 00:13:14,560 --> 00:13:17,340 equipment. So that's shame on them. 214 00:13:17,340 --> 00:13:19,240 So how do we do that? 215 00:13:19,240 --> 00:13:25,040 And that's what OWE transition mode is all about, solving that problem. 216 00:13:25,040 --> 00:13:28,960 So in this particular case, we're actually going to end up creating. 217 00:13:28,960 --> 00:13:32,120 I'm going to walk you through it at a high level first and then we'll 218 00:13:32,120 --> 00:13:33,000 see it in the controller. 219 00:13:33,000 --> 00:13:36,920 We're actually going to create in the controller two wireless LANs. 220 00:13:36,920 --> 00:13:40,480 One that's just a pure open wireless LAN with no encryption authentication, 221 00:13:40,480 --> 00:13:45,020 anything. That's for those older WPA2 devices. 222 00:13:45,020 --> 00:13:48,800 Then we're going to create another wireless LAN that supports our opportunistic 223 00:13:48,800 --> 00:13:50,580 wireless encryption. 224 00:13:50,580 --> 00:13:53,000 But here's where the secret sauce happens. 225 00:13:53,000 --> 00:13:56,640 Number one, we're going to take that opportunistic wireless encryption 226 00:13:56,640 --> 00:13:59,800 wireless LAN and we're going to configure it in such a way that it does 227 00:13:59,800 --> 00:14:01,680 not send out its beacons. 228 00:14:01,680 --> 00:14:04,900 Its beacons are hidden, not broadcasted. 229 00:14:04,900 --> 00:14:08,020 Now you might be thinking, well, if they're not broadcasted, then how 230 00:14:08,020 --> 00:14:11,020 do the OWE clients ever find out about it? 231 00:14:11,020 --> 00:14:12,020 We'll talk about that. 232 00:14:12,020 --> 00:14:12,840 We'll get there. 233 00:14:12,840 --> 00:14:14,680 But here's the beauty of it. 234 00:14:14,680 --> 00:14:18,300 In both of those wireless LANs, we're going to tie them together. 235 00:14:18,300 --> 00:14:23,180 There's a field in both the open one and the OWE one where they point 236 00:14:23,180 --> 00:14:29,600 to each other. And so now when people, people who support OWE will connect 237 00:14:29,600 --> 00:14:30,960 to the right one. 238 00:14:30,960 --> 00:14:36,000 Let's actually walk through this and see how it works. 239 00:14:36,000 --> 00:14:38,520 All right, so let's go back here. 240 00:14:38,520 --> 00:14:41,520 Let's just get out of that. 241 00:14:41,520 --> 00:14:47,100 Okay, so step number one, creating the open wireless LAN that the grandma 242 00:14:47,100 --> 00:14:51,860 and uncle Bob can connect to with her old WPA2 device. 243 00:14:51,860 --> 00:14:54,760 They're not concerned about encryption because honestly, they don't even 244 00:14:54,760 --> 00:14:56,400 know what encryption is. 245 00:14:56,400 --> 00:15:00,500 So we type in airport dash network. 246 00:15:00,500 --> 00:15:03,040 And hopefully they'll be smart enough to recognize when they see that 247 00:15:03,040 --> 00:15:06,260 on their phone that, oh, that's the network I should connect to. 248 00:15:06,260 --> 00:15:08,400 So we want to have that be enabled. 249 00:15:08,400 --> 00:15:13,020 There we go. Remember, we got disable six gigahertz because opportunistic 250 00:15:13,020 --> 00:15:14,480 wireless encryption doesn't work there. 251 00:15:14,480 --> 00:15:15,980 Now this one's not going to have that. 252 00:15:15,980 --> 00:15:18,440 This one, we're just going to go to security. 253 00:15:18,440 --> 00:15:20,440 And we're going to say, none. 254 00:15:20,440 --> 00:15:22,500 Ooh, there's a scary thing. 255 00:15:22,500 --> 00:15:30,100 Okay, but before we leave this, here's the thing. 256 00:15:30,100 --> 00:15:30,660 We're going to have to put that check. 257 00:15:30,660 --> 00:15:33,800 So it's checked by default, which is nice, but we have to put something 258 00:15:33,800 --> 00:15:40,360 here. And what we're going to put here is the wireless LAN ID of the other 259 00:15:40,360 --> 00:15:45,020 wireless LAN we haven't created yet, which is our opportunistic wireless 260 00:15:45,020 --> 00:15:48,860 encryption wireless LAN, our OWE wireless LAN. 261 00:15:48,860 --> 00:15:51,740 Now you say, Hey, I don't know what that is because I haven't created 262 00:15:51,740 --> 00:15:53,540 it yet. That's fine. 263 00:15:53,540 --> 00:15:55,280 So I could do one of two things. 264 00:15:55,280 --> 00:15:58,280 Now, looking at my GUI here, I can see that this is the first wireless 265 00:15:58,280 --> 00:16:00,020 LAN I've ever created, right? 266 00:16:00,020 --> 00:16:02,380 So the wireless LAN IDs are numerical. 267 00:16:02,380 --> 00:16:04,920 First one will be number one, second one will be number two. 268 00:16:04,920 --> 00:16:08,840 So I can pretty much safely predict that by next wireless LAN I create 269 00:16:08,840 --> 00:16:11,760 is going to be wireless LAN ID number two. 270 00:16:11,760 --> 00:16:14,600 So I'm just going to put two right here. 271 00:16:14,600 --> 00:16:19,700 Alternatively, when you create a wireless LAN, like if I go back here, 272 00:16:19,700 --> 00:16:22,160 see, you can change the wireless LAN ID. 273 00:16:22,160 --> 00:16:24,940 You don't have to stick with one, two, three, four. 274 00:16:24,940 --> 00:16:26,700 You could make it whatever you want. 275 00:16:26,700 --> 00:16:30,420 So either way, you have to put some number in here. 276 00:16:30,420 --> 00:16:33,260 But because I know the next one's going to be number two, I'm just going 277 00:16:33,260 --> 00:16:35,080 to keep it as two. 278 00:16:35,080 --> 00:16:38,720 All right. So let's go ahead and apply to device. 279 00:16:38,720 --> 00:16:43,480 And then once again, as you're because it's a 9800, we have to click on 280 00:16:43,480 --> 00:16:47,400 again and we have to make sure that it's assigned to a policy tag and 281 00:16:47,400 --> 00:16:48,300 a policy profile. 282 00:16:48,300 --> 00:16:53,500 Now this one here, because I actually created it before this video started, 283 00:16:53,500 --> 00:16:57,140 it sort of remembered that this was already in there. 284 00:16:57,140 --> 00:17:00,760 And but I previously had to assign this to the default and the default 285 00:17:00,760 --> 00:17:05,360 policy profile. Of course, you could put it on any policy profile in any 286 00:17:05,360 --> 00:17:08,460 policy tag you want just to make things simple, though. 287 00:17:08,460 --> 00:17:10,040 I'm keeping it with the default. 288 00:17:10,040 --> 00:17:15,140 So we'll just select that and then we'll update it. 289 00:17:15,140 --> 00:17:20,660 All righty. So now we have to create the other wireless LAN, which is 290 00:17:20,660 --> 00:17:25,280 going to be for our more tech savvy, OWE folks. 291 00:17:25,280 --> 00:17:29,260 So we're going to call this airport. 292 00:17:29,260 --> 00:17:35,280 OWE. I'll just say airport OWE. 293 00:17:35,280 --> 00:17:39,020 Now, here's first thing. 294 00:17:39,020 --> 00:17:46,960 Obviously, we got turn off six gigahertz. 295 00:17:46,960 --> 00:17:49,540 So the SSID from being broadcast. 296 00:17:49,540 --> 00:17:53,680 There should not be beacons broadcasted with this one. 297 00:17:53,680 --> 00:17:55,960 All right. So now let's go to security. 298 00:17:55,960 --> 00:17:59,100 Now we're going to say WPA three. 299 00:17:59,100 --> 00:18:02,720 We're going to select OWE. 300 00:18:02,720 --> 00:18:05,600 There it is. All right. 301 00:18:05,600 --> 00:18:07,720 And transition mode wireless LAN. 302 00:18:07,720 --> 00:18:11,960 Now we're going to put in here the wireless LAN ID of that first wireless 303 00:18:11,960 --> 00:18:15,900 LAN. And I just created the regular open network wireless LAN, which happened 304 00:18:15,900 --> 00:18:17,820 to be one in this case. 305 00:18:17,820 --> 00:18:19,760 So I'll put that in there. 306 00:18:19,760 --> 00:18:21,760 Apply to device. 307 00:18:21,760 --> 00:18:25,460 All right. Let's just click it again and make sure it's on the correct 308 00:18:25,460 --> 00:18:27,840 policy tags and all that good stuff. 309 00:18:27,840 --> 00:18:29,440 Okay. So it's not showing up there. 310 00:18:29,440 --> 00:18:33,460 So let's go ahead and apply that to the default policy tag and policy 311 00:18:33,460 --> 00:18:36,000 profile. Save that. 312 00:18:36,000 --> 00:18:38,920 Update and apply to device. 313 00:18:38,920 --> 00:18:40,580 And there we go. 314 00:18:40,580 --> 00:18:47,740 Okay. So now step number two, let's go to our dashboard and find out what 315 00:18:47,740 --> 00:18:52,760 channel my particular access point is speaking on because I'm going to 316 00:18:52,760 --> 00:18:55,860 do us a sniffer trace here and I need to know the channel to do that on. 317 00:18:55,860 --> 00:18:58,040 So I'm going to click on the access point. 318 00:18:58,040 --> 00:19:01,200 Click on him again. 319 00:19:01,200 --> 00:19:03,420 And we can see right here in the five giga. 320 00:19:03,420 --> 00:19:07,220 He's doing six channel six in the two point four and he's doing channel 321 00:19:07,220 --> 00:19:10,240 one hundred in the five gigahertz. 322 00:19:10,240 --> 00:19:14,060 So if you're on a Macbook like me, you might not be aware of this, but 323 00:19:14,060 --> 00:19:17,460 you can actually use your Macbook as a wireless sniffer and create and 324 00:19:17,460 --> 00:19:20,160 see your beacons and probes and all that good stuff. 325 00:19:20,160 --> 00:19:21,500 And here's how you do it. 326 00:19:21,500 --> 00:19:25,940 So you go up to your up here in the upper right corner. 327 00:19:25,940 --> 00:19:27,940 Right there. Oops. 328 00:19:27,940 --> 00:19:29,400 Why is it doing that? 329 00:19:29,400 --> 00:19:30,680 Maybe this isn't working here. 330 00:19:30,680 --> 00:19:31,320 Oh, there we go. 331 00:19:31,320 --> 00:19:33,500 Okay. So right there. 332 00:19:33,500 --> 00:19:36,140 We're going to click on the Wi-Fi symbol. 333 00:19:36,140 --> 00:19:41,260 But I'm going to first hold down on my Mac keyboard, the option key. 334 00:19:41,260 --> 00:19:44,180 And then I'm going to click on it left click. 335 00:19:44,180 --> 00:19:47,660 So now by holding down the option key, I get these things here and I want 336 00:19:47,660 --> 00:19:50,420 to click on open wireless diagnostics. 337 00:19:50,420 --> 00:19:58,540 All right. Now, normally when you open wireless diagnostics, you get a 338 00:19:58,540 --> 00:20:03,520 message saying, would you like to start a diagnostic report? 339 00:20:03,520 --> 00:20:07,100 But because I previously did this as sniffer, I'll just say what you would 340 00:20:07,100 --> 00:20:11,340 do here is you would click on window and you would select sniffer and 341 00:20:11,340 --> 00:20:13,840 that will bring up this box right here that you're seeing. 342 00:20:13,840 --> 00:20:15,620 So you're not going to see this immediately. 343 00:20:15,620 --> 00:20:19,680 I saw this because I was previously in sniffer mode, but normally when 344 00:20:19,680 --> 00:20:23,620 you do wireless diagnostics, then you'd have to go window sniffer and 345 00:20:23,620 --> 00:20:24,820 then you'll get this. 346 00:20:24,820 --> 00:20:27,400 And then you select the channel that you want to sniff on. 347 00:20:27,400 --> 00:20:30,380 So I want sniff on channel 100. 348 00:20:30,380 --> 00:20:32,660 And I'm going to go ahead and start. 349 00:20:32,660 --> 00:20:36,000 I'm going to type in my password. 350 00:20:36,000 --> 00:20:39,960 All right. And there it goes. 351 00:20:39,960 --> 00:20:42,620 I'm just going to stop it because, you know, right now I just want to 352 00:20:42,620 --> 00:20:45,940 show you a beacon and there's 10 beacons per second that go out. 353 00:20:45,940 --> 00:20:48,740 So I don't have to sniff for very long. 354 00:20:48,740 --> 00:20:54,000 All right. So let's go over here to wire shark. 355 00:20:54,000 --> 00:20:58,920 File open. So there it is right there. 356 00:20:58,920 --> 00:20:59,660 I'm going to go on Macbook. 357 00:20:59,660 --> 00:21:02,800 So this is my most recent one right there that I just did. 358 00:21:02,800 --> 00:21:08,020 Open that up. And let's scroll down. 359 00:21:08,020 --> 00:21:11,120 And okay, airport network is one of the ones right there. 360 00:21:11,120 --> 00:21:13,000 It's the top one. 361 00:21:13,000 --> 00:21:14,860 So let's go up to here. 362 00:21:14,860 --> 00:21:18,000 And what I want to show you is this. 363 00:21:18,000 --> 00:21:20,440 Let's go ahead and collapse some of these. 364 00:21:20,440 --> 00:21:23,900 What we really want to look at is the robust security network information 365 00:21:23,900 --> 00:21:35,280 element. We don't need all these other ones here. 366 00:21:35,280 --> 00:21:43,340 So this is our open wireless LAN that grandma and uncle Bob. 367 00:21:43,340 --> 00:21:46,340 I don't know why it keeps doing that. 368 00:21:46,340 --> 00:21:58,180 Okay. So airport network. 369 00:21:58,180 --> 00:22:04,140 And notice how because airport network was configured as just a regular 370 00:22:04,140 --> 00:22:07,200 open network with no authentication or anything. 371 00:22:07,200 --> 00:22:10,620 There is no robust security network element in here. 372 00:22:10,620 --> 00:22:12,000 It doesn't exist. 373 00:22:12,000 --> 00:22:17,900 And notice that my other one I create, which was my airport dash OWE for 374 00:22:17,900 --> 00:22:19,540 my opportunistic one. 375 00:22:19,540 --> 00:22:21,220 We don't see any beacons for that. 376 00:22:21,220 --> 00:22:23,140 And that's, that's what we wanted. 377 00:22:23,140 --> 00:22:23,960 Right? The beacons are hidden. 378 00:22:23,960 --> 00:22:25,320 They're not being broadcast. 379 00:22:25,320 --> 00:22:27,900 And yet here's what's kind of interesting. 380 00:22:27,900 --> 00:22:30,560 When we look at the one that is open. 381 00:22:30,560 --> 00:22:35,520 If we go down to the bottom, we see an information element down here. 382 00:22:35,520 --> 00:22:39,480 Wi-Fi Alliance OWE transition mode. 383 00:22:39,480 --> 00:22:49,100 So if Bob's uncle Bob's or grandma's phone was looking at this, it would 384 00:22:49,100 --> 00:22:51,400 not understand this information element. 385 00:22:51,400 --> 00:22:52,920 It would ignore this. 386 00:22:52,920 --> 00:22:57,640 And so their phones would just connect to airport network as an open, 387 00:22:57,640 --> 00:22:59,520 unencrypted connection. 388 00:22:59,520 --> 00:23:01,160 And that's what they would see. 389 00:23:01,160 --> 00:23:06,720 But your modern smartphone will recognize this information element. 390 00:23:06,720 --> 00:23:08,640 And they'll say, Oh, interesting. 391 00:23:08,640 --> 00:23:12,120 There's another hidden SSID called airport one. 392 00:23:12,120 --> 00:23:13,800 There it is right there. 393 00:23:13,800 --> 00:23:16,280 The supports enhanced open. 394 00:23:16,280 --> 00:23:18,760 I should connect to that. 395 00:23:18,760 --> 00:23:23,420 And so let me actually show you verification of that. 396 00:23:23,420 --> 00:23:30,260 So here is my phone. 397 00:23:30,260 --> 00:23:34,300 See if you can see that. 398 00:23:34,300 --> 00:23:36,200 Oh, it is not showing up very well. 399 00:23:36,200 --> 00:23:38,120 There we go. Okay. 400 00:23:38,120 --> 00:23:42,960 So notice you see the airport network on there, but there's no mention 401 00:23:42,960 --> 00:23:45,880 of airport dash OWE. 402 00:23:45,880 --> 00:23:48,920 That's not showing up. 403 00:23:48,920 --> 00:23:55,540 Okay. And those for airport network, it says security week because it's 404 00:23:55,540 --> 00:23:58,700 seeing that as an open network. 405 00:23:58,700 --> 00:24:01,120 But if I click on that. 406 00:24:01,120 --> 00:24:06,580 Okay. Right now it says you're connecting to unsecured Wi-Fi. 407 00:24:06,580 --> 00:24:07,860 Hopefully that will. 408 00:24:07,860 --> 00:24:11,320 Come on. There you go. 409 00:24:11,320 --> 00:24:13,620 Okay. Connecting unsecured Wi-Fi. 410 00:24:13,620 --> 00:24:16,740 But when I click connect. 411 00:24:16,740 --> 00:24:23,360 Now hopefully this will come into focus here. 412 00:24:23,360 --> 00:24:25,900 And just a moment. 413 00:24:25,900 --> 00:24:26,380 It should happen. 414 00:24:26,380 --> 00:24:31,140 There you go. Notice how airport network says security strong connected 415 00:24:31,140 --> 00:24:32,820 security strong. 416 00:24:32,820 --> 00:24:36,220 Now you might be thinking, well, wait a second. 417 00:24:36,220 --> 00:24:40,540 I thought you were connecting to the airport OWE network, but that says 418 00:24:40,540 --> 00:24:44,160 you connected to the airport network, the open one. 419 00:24:44,160 --> 00:24:45,320 Which one is it? 420 00:24:45,320 --> 00:24:49,160 Well, if we go back to our 9800. 421 00:24:49,160 --> 00:24:53,800 Now if we go to our dashboard. 422 00:24:53,800 --> 00:24:56,540 We see a client. 423 00:24:56,540 --> 00:24:58,000 That's my smartphone. 424 00:24:58,000 --> 00:25:01,100 If we click on that. 425 00:25:01,100 --> 00:25:04,840 Notice what SSID he's actually connected to. 426 00:25:04,840 --> 00:25:07,660 Airport dash OWE. 427 00:25:07,660 --> 00:25:13,700 So even though he originally saw the airport dash network as an open network 428 00:25:13,700 --> 00:25:18,780 because my smartphone does support OWE on in the background. 429 00:25:18,780 --> 00:25:23,600 It actually associated securely and did DIFY helmet and everything with 430 00:25:23,600 --> 00:25:26,700 the airport dash OWE network. 431 00:25:26,700 --> 00:25:29,720 Now you might be wondering, well, then why doesn't your smartphone actually 432 00:25:29,720 --> 00:25:32,460 show airport dash OWE? 433 00:25:32,460 --> 00:25:34,740 Well, for two reasons. 434 00:25:34,740 --> 00:25:38,540 Number one, airport dash OWE is not being broadcasted. 435 00:25:38,540 --> 00:25:40,240 Its beacons are not being sent. 436 00:25:40,240 --> 00:25:42,080 And my phone recognizes that. 437 00:25:42,080 --> 00:25:46,620 And number two, my phone is recognizing that the airport network is kind 438 00:25:46,620 --> 00:25:52,940 of like the front door is kind of like the way in to this encrypted network. 439 00:25:52,940 --> 00:25:59,180 So for me, on my phone, it shows because once again, if I was Uncle Bob 440 00:25:59,180 --> 00:26:04,540 or Aunt Sally. And I clicked on airport network and all of a sudden the 441 00:26:04,540 --> 00:26:08,160 name changed to airport dash OWE. 442 00:26:08,160 --> 00:26:10,460 I might be thinking, oh, good golly. 443 00:26:10,460 --> 00:26:11,540 What's going on? 444 00:26:11,540 --> 00:26:12,740 Somebody messing with my phone. 445 00:26:12,740 --> 00:26:14,760 Did I just download a virus? 446 00:26:14,760 --> 00:26:17,240 You don't want people freaking out over that, right? 447 00:26:17,240 --> 00:26:19,500 They think they're connecting the airport network. 448 00:26:19,500 --> 00:26:20,500 Let them stay that way. 449 00:26:20,500 --> 00:26:24,060 So their phone will continue to say airport network, but in the background, 450 00:26:24,060 --> 00:26:28,300 it did what it's supposed to do and actually connected to our opportunistic 451 00:26:28,300 --> 00:26:33,460 wireless encrypted network instead, which is a better thing to do. 452 00:26:33,460 --> 00:26:41,980 So that pretty much covers everything I want to say about Wi-Fi enhanced 453 00:26:41,980 --> 00:26:48,100 open and in the background opportunistic wireless encryption that it uses. 454 00:26:48,100 --> 00:26:51,540 Thank you so much for watching this video and I hope it was helpful for