WPA3 Support on 802.11ax Platforms
- Former user (Deleted)
- Quyen Bui (Deactivated)
- 1 Design
- 1.1 Implementation Overview
- 1.2 OVSDB Changes
- 1.3 Usage Policy
- 1.4 Configuration examples (Wifi_VIF_Config)
- 1.4.1 Legacy Implementation
- 1.4.1.1 Reference WPA2
- 1.4.2 New Implementation
- 1.4.2.1 Supported Security Modes
- 1.4.2.2 WPA2
- 1.4.2.3 WPA2 Enterprise
- 1.4.2.4 Open
- 1.4.2.5 SAE
- 1.4.2.6 OWE
- 1.4.2.7 Mixed SAE / WPA2
- 1.4.2.8 "oftags" Configuration
- 1.4.1 Legacy Implementation
- 1.5 Authentication Failures Reporting
- 2 Requirements
Design
Implementation Overview
With WPA3 support, we had to introduce a new way to set the security types. Therefore, new fields were implemented in the Wifi_VIF_Config/State tables. Backward compatibility is kept, by only supporting the legacy security types.
WPA3 types:
SAE: At the moment, OpenSync supports single-password configurations without a user-defined Password Identifier. However, design is prepared for extension in future.
OWE: Not supported, but design is ready for future extension.
OVSDB Changes
Deprecated fields:
"security" field remain present, but won't be used (should remain unset).
"ft_psk" field will be ignored, Fast transition will be configurable with "ft-*" entries in "wpa_key_mgmt" field.
New fields:
Field name | Type | Mandatory | Presence in Wifi_VIF_* tables | Comment | |
Config | State | ||||
wpa | bool | yes | yes | yes | TRUE - use any if WPA* modes; FALSE - use OPEN mode |
wpa_key_mgmt | enum list | yes | yes | yes | Any valid combination of: "wpa2-psk", "sae", "wpa2-eap", "dpp", "ft-wpa2-psk", "ft-*" (other Fast Transition modes in future) etc. In future this list may be extended with e.g. "owe" |
wpa_psks | map <key_id : psk> | no, depends on "wpa_key_mgmt" | yes | yes | List of passwords used by WPA1/2 and SAE (see example below for more details). |
wpa_oftags | map <key_id : oftag> | no, depends on "wpa_key_mgmt" | yes | no | WPA1/2 passwords' oftags |
radius_srv_addr | string | no, depends on "wpa_key_mgmt" | yes | yes | Remote RADIUS server address (IP or domain name) |
radius_srv_port | int | no, depends on "wpa_key_mgmt" | yes | yes | Remote RADIUS server port number |
radius_srv_secret | string | no, depends on "wpa_key_mgmt" | yes | yes | Remote RADIUS server secret |
default_oftag | string | no | yes | no | Default oftag used when wpa/sae/*_oftag is not available (e.g. it will be used for WPA-Enterprise, OPEN and possibly OWE) |
Usage Policy
The controller selects between two implementations: legacy and new.
The legacy method of configuring the security type (OVSDB security field) is unable to set WPA3. Therefore, the new method must be used. Method selection is defined by the SDN controller.
Configuration examples (Wifi_VIF_Config)
Legacy Implementation
Reference WPA2
group_rekey | 86400 |
if_name | wl2.2 |
mac_list | ["set",[]] |
mac_list_type | ["set",[]] |
mcast2ucast | TRUE |
min_hw_mode | ["set",[]] |
mode | ap |
multi_ap | ["set",[]] |
parent | ["set",[]] |
rrm | 1 |
security | ["map",[["encryption","WPA-PSK"],["key","OpenSync111"],["key-1","OpenSync122"],["key-2","OpenSync123"],["mode","2"],["oftag","home--1"],["oftag-key-1","home-1"],["oftag-key-2","home-2"]]] |
ssid | opensync |
ssid_broadcast | enabled |
uapsd_enable | TRUE |
vif_dbg_lvl | ["set",[]] |
vif_radio_idx | 2 |
vlan_id | ["set",[]] |
wds | ["set",[]] |
wps | ["set",[]] |
wps_pbc | ["set",[]] |
wps_pbc_key_id | ["set",[]] |
New Implementation
Supported Security Modes
Open
WPA2 Enterprise with remote RADIUS
WPA2-only
WPA3-only
Mixed WPA1/WPA2
Mixed WPA2/WPA3
FT-WPA2-only
Mixed FT-WPA2/FT-WPA3
FT-WPA3
WPA2
security | / UNSET / |
wpa | TRUE |
wpa_key_mgmt | ["wpa2-psk"] |
wpa_psks | ["map",[["key","opensync111"],["key-1","opensync122"],["key-2","opensync123"]]] |
wpa_oftags | ["map",[["key","home--1"],["key-1","home-1"],["key-2","home-2"]]] |
WPA2 Enterprise
security | / UNSET / |
wpa | TRUE |
wpa_key_mgmt | ["wpa2-eap"] |
radius_srv_addr | 1.2.3.4 |
radius_srv_port | 883 |
radius_srv_secret | top_secret_psk |
default_oftag | home-1 |
Open
security | / UNSET / |
wpa | FALSE |
default_oftag | home-1 |
SAE
Currently, SAE configuration uses a single password without user-defined password identifiers. SAE AP is configured using "key" from "wpa_psks". In future, OpenSync may introduce "sae_psks" and "sae_oftags" to support SAE with multiple passwords and user-defined identifiers.
security | / UNSET / |
wpa | TRUE |
wpa_key_mgmt | ["sae"] |
wpa_psks | ["map",[["key","opensync111"]]] |
wpa_oftags | ["map",[["key","home--1"]]] |
sae_psks | ["map",[["key-1","opensync122"]]] |
sae_oftags | ["map",[["key-1","home--2"]]] |
OWE
OWE is currently a proposal.
bridge | / UNSET / | br-home |
if_name | wl2.2 | wl2.3 |
security | / UNSET / | / UNSET / |
ssid | opensync | opensync_owe |
ssid_broadcast | enabled | disabled |
wpa | FALSE | TRUE |
wpa_key_mgmt |
| ["owe"] |
default_oftag |
| home-1 |
owe_transition_ifname | wl2.3 |
|
Mixed SAE / WPA2
security | / UNSET / |
wpa | TRUE |
wpa_key_mgmt | ["sae","wpa2-psk"] |
wpa_psks | ["map",[["key","opensync111"],["key-1","opensync122"],["key-2","opensync123*"]]] |
wpa_oftags | ["map",[["key","home--1"],["key-1","home-1"],["key-2","home-2"]]] |
"oftags" Configuration
Within WPA3 support, a new "default_oftag" field was introduced. The field serves as a fallback for oftag lookup and is used whenever a better oftag cannot be find. At the moment, only WPA2 Personal can use multiple oftags associated to different PSks, in all other cases generic "default_oftag" should be set.
Security mode | wpa_oftags | default_oftag |
|---|---|---|
OPEN | N/A | used |
WPA1 Personal | N/A | used |
WPA1/WPA2 Personal | potentially used | potentially used |
WPA2 Enterprise | N/A | used |
WPA2 Personal (HomePass) | used | potentially used |
WPA3 Personal | N/A | used |
WPA2/WPA3 Personal | N/A | used |
OWE | N/A | used |
Authentication Failures Reporting
The new reporting functionality is implemented in SM. SM already comes with the necessary infrastructure (reporting management: activation, intervals, radio bands, etc.) and is prepared to compute the statistics. OpenSync introduces new Wifi_Stats_Config::stats_type called "client_auth_fails" and introduces a new MQTT message field. SM periodically sends reports. After each sent report, counters are reset.
At the moment, reporting is limited to WPA2 Personal and SAE, but design is ready for future extensions (e.g., reporting the WPA2/3-EAP failures).
Field | Value | Comment |
channel_list | ["set",[]] | Not used |
radio_type | 2.4G |
|
report_type | ["set",[]] | Not used |
reporting_count | ["set",[]] | Not used |
reporting_interval | 240 | Default: 15 minutes |
sampling_interval | ["set",[]] | Not used |
stats_type | client_auth_fails |
|
survey_interval_ms | ["set",[]] | Not used |
survey_type | ["set",[]] | Not used |
threshold | ["map",[]] | Not used |
New MQTT report message:
message ClientAuthFailsReport {
message VAP {
message Client {
required string mac_address = 1;
required uint32 auth_fails = 2;
required uint32 invalid_psk = 3;
}
required string ifname = 1;
repeated Client client_list = 2;
}
required RadioBandType band = 1;
repeated VAP vap_list = 2;
}Requirements
Client ability to support WPA3 Personal to connect to the system using all compatible standards from WiFi Alliance required for certification.
Support of the following modes:
WPA3 Personal native
WPA2/3 Personal mixed mode
WPA3 off (e.g., same as WPA2 Personal mode)