WPA3-Enterprise & 192-bit Security
Overview
WPA3-Enterprise is the latest WiFi security standard, providing enhanced protection over WPA2-Enterprise through stronger cryptographic algorithms, improved key derivation, and protection against offline dictionary attacks. The 192-bit security mode (WPA3-Enterprise 192-bit) is designed for high-security environments requiring government-grade encryption.
IronWifi fully supports both WPA3-Enterprise (standard) and WPA3-Enterprise 192-bit mode, enabling organizations to deploy the highest level of WiFi security available.
Key Improvements Over WPA2
Enhanced Security
- Stronger encryption: GCMP-256 (vs AES-CCMP-128)
- Robust key derivation: HMAC-SHA-384 (vs HMAC-SHA-256)
- Larger key sizes: 256-bit and 384-bit keys
- Perfect Forward Secrecy (PFS) mandatory
- Protection against brute-force attacks
Better Authentication
- SAE (Simultaneous Authentication of Equals) for PSK
- Improved EAP-TLS with Suite B cryptography
- Management frame protection (MFP) mandatory
- Stronger handshake protection
Compliance
- CNSA Suite (Commercial National Security Algorithm) compliant
- FIPS 140-2/140-3 eligible
- Meets government security requirements
- Suitable for classified networks (with 192-bit mode)
WPA3-Enterprise Modes
Standard Mode (WPA3-Enterprise)
Security Profile
Encryption & Integrity:
- Data Encryption: AES-CCMP-128 or GCMP-128
- Data Integrity: AES-CCMP-128 or GCMP-128
- Key Size: 128-bit
- Group Cipher: AES-CCMP-128 or GCMP-128
Key Management:
- Protocol: 802.1X with EAP
- Key Derivation: HMAC-SHA-256
- PMK Length: 256 bits
- PTK Length: 384 bits
- GTK Length: 256 bits
Management Frame Protection:
- Required: Yes (802.11w)
- Algorithm: BIP-CMAC-128 or BIP-GMAC-128
Handshake:
- 4-way handshake with enhanced protection
- Perfect Forward Secrecy supported
- Downgrade attack protection
Use Cases
- General enterprise deployments
- SMB and mid-market organizations
- Education institutions
- Healthcare facilities (HIPAA compliant)
- Retail and hospitality
- Standard security requirements
Device Compatibility
- Most modern devices (2018+)
- iOS 13+ / iPadOS 13+
- Android 10+
- Windows 10 version 1903+
- macOS 10.15 (Catalina)+
- Broad device support
192-bit Security Mode (WPA3-Enterprise 192-bit)
Security Profile
Encryption & Integrity (CNSA Suite):
- Data Encryption: GCMP-256
- Data Integrity: GMAC-256
- Key Size: 256-bit
- Group Cipher: GCMP-256
Key Management:
- Protocol: 802.1X with EAP
- Key Derivation: HMAC-SHA-384
- PMK Length: 384 bits
- PTK Length: 512 bits
- GTK Length: 256 bits
Management Frame Protection:
- Required: Yes (802.11w)
- Algorithm: BIP-GMAC-256 or BIP-CMAC-256
EAP Methods (Suite B):
- EAP-TLS only
- TLS 1.2 or 1.3
- ECDHE (P-384) or DHE (3072-bit+)
- ECDSA (P-384) or RSA (3072-bit+)
- SHA-384 minimum
Certificate Requirements:
- RSA: 3072-bit minimum (4096-bit recommended)
- ECDSA: P-384 curve
- Signature: SHA-384 or SHA-512
- All certificates in chain must meet requirements
Use Cases
- Government and defense networks
- Intelligence agencies
- Critical infrastructure
- Financial services (high-security trading floors)
- Healthcare (HIPAA + additional security)
- Research facilities handling classified data
- National security applications
Device Compatibility
- Limited to newer devices
- iOS 15+ / iPadOS 15+
- Android 11+ (limited support)
- Windows 10 version 2004+ / Windows 11
- macOS 11.0 (Big Sur)+
- Enterprise-grade devices
- May require firmware updates
Comparison Matrix
Feature Comparison:
Feature                   WPA2-Enterprise   WPA3-Enterprise   WPA3-192-bit
────────────────────────────────────────────────────────────────────────
Data Encryption           AES-CCMP-128      GCMP-128/256      GCMP-256
Management Protection     Optional          Required          Required
Key Derivation            SHA-1/SHA-256     SHA-256           SHA-384
Perfect Forward Secrecy   Optional          Recommended       Required
EAP Method Support        All EAP           All EAP           EAP-TLS only
Certificate Key Size      1024-bit+         2048-bit+         3072-bit+
Device Compatibility      Universal         Wide (2018+)      Limited (2020+)
Security Level            Standard          High              Government-grade
Compliance                PCI-DSS           FISMA Moderate    FISMA High
Recommended For           General use       Enterprise        High-security
Migration Path:
WPA2-Enterprise → WPA2/WPA3 Transition → WPA3-Enterprise → WPA3-192-bit
Configuration Guide
IronWifi Console Setup
Standard WPA3-Enterprise
Navigation: Networks → [Your Network] → Security
Security Settings:
├─ Security Mode: WPA3-Enterprise
├─ Encryption: GCMP-128 (recommended) or AES-CCMP-128
├─ Management Frame Protection: Required
└─ Fast Transition (802.11r): Enabled (optional)
Authentication:
├─ Method: 802.1X
├─ EAP Type: EAP-TLS, PEAP-MSCHAPv2, TTLS-PAP (all supported)
├─ RADIUS Servers: IronWifi RADIUS
└─ Certificate Validation: Enabled
Advanced Options:
├─ PMF Cipher: BIP-CMAC-128 or BIP-GMAC-128
├─ Group Cipher: GCMP-128 or AES-CCMP-128
├─ Pairwise Cipher: GCMP-128 or AES-CCMP-128
└─ Key Rotation: 3600 seconds (default)
Transition Mode (Optional):
├─ Enable WPA2/WPA3 Transition: ✓
├─ Purpose: Support legacy devices during migration
├─ Duration: Temporary (3-6 months)
└─ Disable after migration complete
WPA3-Enterprise 192-bit Mode
Navigation: Networks → [Your Network] → Security → Advanced
Security Settings:
├─ Security Mode: WPA3-Enterprise 192-bit
├─ Encryption: GCMP-256 (mandatory)
├─ Management Frame Protection: Required (BIP-GMAC-256)
└─ Fast Transition: Enabled with GCMP-256
Authentication (Suite B):
├─ Method: 802.1X
├─ EAP Type: EAP-TLS ONLY
├─ RADIUS Servers: IronWifi RADIUS
└─ Certificate Requirements: Suite B compliant
Certificate Configuration:
├─ Minimum Key Size: 3072-bit RSA or P-384 ECDSA
├─ Signature Algorithm: SHA-384 or SHA-512
├─ CA Certificate: Suite B compliant
├─ RADIUS Certificate: Suite B compliant
└─ Client Certificates: Suite B compliant
TLS Configuration:
├─ TLS Version: 1.2 or 1.3 only
├─ Key Exchange: ECDHE (P-384) or DHE (3072-bit+)
├─ Cipher Suite: ECDHE-ECDSA-AES256-GCM-SHA384
├─ Or: DHE-RSA-AES256-GCM-SHA384
└─ Hash: SHA-384 minimum
Advanced Security:
├─ PMF Cipher: BIP-GMAC-256 (mandatory)
├─ Group Cipher: GCMP-256 (mandatory)
├─ Pairwise Cipher: GCMP-256 (mandatory)
├─ Key Derivation: HMAC-SHA-384
└─ Key Rotation: 1800 seconds (recommended)
Important Notes:
- All devices must support 192-bit mode
- No transition mode available
- All certificates must be Suite B compliant
- Incompatible devices will be unable to connect
- Test thoroughly before deployment
Access Point Configuration
Cisco Meraki
Dashboard → Wireless → Configure → Access Control
WPA3-Enterprise:
- Security: WPA3-Enterprise
- Encryption mode: WPA3 only
- 802.11w: Required
WPA3-Enterprise 192-bit:
- Security: WPA3-Enterprise with 192-bit security
- Encryption mode: WPA3 192-bit only
- All Suite B requirements automatically enforced
RADIUS Configuration:
- Primary: radius1.ironwifi.com:1812
- Secondary: radius2.ironwifi.com:1812
- Shared secret: [from IronWifi console]
- Accounting: Enabled
Cisco Catalyst / WLC
WLC Configuration:
WLAN → Security → Layer 2:
- Layer 2 Security: WPA3 + 802.1X
- WPA3 Policy: WPA3-Enterprise
- Management Frame Protection: Required
- Encryption: GCMP-128
For 192-bit mode:
- WPA3 Policy: WPA3-Enterprise 192-bit
- Automatically enforces:
- GCMP-256 encryption
- BIP-GMAC-256 for MFP
- Suite B cryptography
- EAP-TLS only
WLAN → Security → AAA Servers:
- RADIUS Authentication Servers:
- Primary: radius1.ironwifi.com
- Secondary: radius2.ironwifi.com
- Shared Secret: [IronWifi]
- Port: 1812
Ubiquiti UniFi
UniFi Controller:
Settings → Wireless Networks → [Your Network]:
Security:
- Security Protocol: WPA3 Enterprise
- RADIUS Profile: [IronWifi RADIUS]
- Enable PMF: Required
For 192-bit mode:
- Security Protocol: WPA3-192
- Note: Requires UniFi 6 or newer APs
- Automatically uses Suite B cryptography
RADIUS Configuration:
Settings → Profiles → RADIUS:
- Auth Server: radius1.ironwifi.com
- Port: 1812
- Secret: [from IronWifi]
- Accounting: Enabled
- Accounting Port: 1813
Aruba
Instant or Mobility Controller:
WPA3-Enterprise:
Configuration → WLAN → Security:
- Security Level: WPA3-Enterprise
- Encryption: GCMP-128 or CCMP-128
- Management Frame Protection: Required
- Authentication: 802.1X
WPA3-Enterprise 192-bit:
- Security Level: WPA3-Enterprise-192
- Suite B mode: Enabled
- All parameters automatically configured
Authentication Server:
- Type: RADIUS
- IP: radius1.ironwifi.com
- Port: 1812
- Shared Secret: [IronWifi]
- Backup Server: radius2.ironwifi.com
Ruckus
SmartZone / Unleashed:
WPA3-Enterprise:
WLAN → Security:
- Authentication: WPA3-Enterprise
- Encryption: GCMP-128 (AES preferred over TKIP)
- Management Frame Protection: Required
- Fast Transition: Optional
WPA3-Enterprise 192-bit:
- Authentication: WPA3-Enterprise-CNSA
- Automatically configures Suite B
- Requires Zone Director 6.0+ or SmartZone 5.0+
RADIUS:
- Primary: radius1.ironwifi.com:1812
- Secondary: radius2.ironwifi.com:1812
- Secret: [IronWifi shared secret]
Certificate Requirements for 192-bit Mode
CA Certificate (Root)
Certificate Authority Setup:
Key Algorithm: RSA 4096-bit or ECDSA P-384
Signature: SHA-384 or SHA-512
Validity: 10-20 years
Key Usage: Certificate Sign, CRL Sign
Basic Constraints: CA:TRUE, pathlen:1
Subject DN Example:
CN=Company Root CA
O=Company Name
C=US
Extensions:
- Subject Key Identifier
- Authority Key Identifier
- Basic Constraints (critical)
- Key Usage (critical)
RADIUS Server Certificate
RADIUS Certificate Requirements:
Key Algorithm: RSA 3072-bit or ECDSA P-384
Signature: SHA-384 or SHA-512
Validity: 2-3 years
Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Subject DN:
CN=radius.ironwifi.com
O=Company Name
C=US
Subject Alternative Name:
- DNS: radius.ironwifi.com
- DNS: radius1.ironwifi.com
- DNS: radius2.ironwifi.com
Certificate Chain:
- Must include full chain
- Root CA → Intermediate CA → Server Cert
- All certificates Suite B compliant
Client Certificate
Client Certificate Requirements:
Key Algorithm: RSA 3072-bit or ECDSA P-384
Signature: SHA-384 or SHA-512
Validity: 1 year
Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Subject DN:
CN=user@company.com
O=Company Name
C=US
Subject Alternative Name:
- Email: user@company.com
- UPN: user@company.com (for Windows)
Issuance:
- Issued by Suite B compliant CA
- Full certificate chain
- CRL distribution point
- OCSP responder URL
OpenSSL Generation Example
# Generate ECDSA P-384 private key
openssl ecparam -name secp384r1 -genkey -noout -out client-key.pem
# Generate Certificate Signing Request
openssl req -new -sha384 -key client-key.pem -out client-csr.pem \
-subj "/C=US/O=Company/CN=user@company.com"
# Sign certificate with CA (Suite B compliant)
openssl x509 -req -sha384 -days 365 \
-in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem \
-out client-cert.pem -set_serial 01 \
-extfile <(echo "extendedKeyUsage=clientAuth")
# Verify certificate meets requirements
openssl x509 -in client-cert.pem -text -noout
# Check: Public-Key: (384 bit), Signature Algorithm: ecdsa-with-SHA384
Client Device Configuration
Windows 10/11 (192-bit Mode)
System Requirements
Minimum Version:
- Windows 10 version 2004 (May 2020 Update) or later
- Windows 11 all versions
- Latest WiFi driver updates
Verify Support:
Open PowerShell:
netsh wlan show drivers
Look for:
- 802.11 Protocol Version: GCMP-256
- Authentication: WPA3-Enterprise
Manual Configuration
WiFi Profile XML:
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CompanyWPA3-192</name>
  <SSIDConfig>
    <SSID>
      <name>CompanyWiFi</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <!-- WPA3ENT192 is the schema value for WPA3-Enterprise 192-bit mode -->
        <authentication>WPA3ENT192</authentication>
        <encryption>GCMP256</encryption>
        <useOneX>true</useOneX>
        <!-- FIPSMode lives in the profile v2 namespace -->
        <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">true</FIPSMode>
      </authEncryption>
      <PMF>required</PMF>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames>radius.company.com</ServerNames>
                    <TrustedRootCA>[SHA1 hash of CA cert]</TrustedRootCA>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation>true</PerformServerValidation>
                  <AcceptServerName>true</AcceptServerName>
                  <TLSExtensions>
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                      <CAHashList Enabled="true">
                        <IssuerHash>[CA cert hash]</IssuerHash>
                      </CAHashList>
                      <EKUMapping>
                        <EKUMap>
                          <EKUName>Client Authentication</EKUName>
                          <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                        </EKUMap>
                      </EKUMapping>
                      <ClientAuthEKUList Enabled="true"/>
                      <AnyPurposeEKUList Enabled="false"/>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
Import via PowerShell (as Administrator):
netsh wlan add profile filename="wpa3-192-profile.xml"
Group Policy Deployment
GPO Configuration:
1. Create GPO: WPA3-192 WiFi Configuration
2. Computer Configuration → Policies → Windows Settings → Security Settings → Wireless Network Policies
3. Right-click → Create New Wireless Policy
4. Add → Infrastructure network
5. Configure:
- Network Name: CompanyWiFi
- Security: WPA3-Enterprise
- Encryption: GCMP-256
- Authentication: EAP-TLS
- Import certificate settings
- Enable FIPS mode
6. Link GPO to appropriate OUs
7. Force update: gpupdate /force
macOS (192-bit Mode)
System Requirements
Minimum Version:
- macOS 11.0 (Big Sur) or later
- Latest macOS updates recommended
- Compatible WiFi hardware
Verify Support:
Option + Click WiFi icon
Check for WPA3 Enterprise support
Configuration Profile
.mobileconfig Profile:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.company.wifi.wpa3-192</string>
      <key>PayloadUUID</key>
      <string>[Unique UUID]</string>
      <key>PayloadDisplayName</key>
      <string>WPA3-192 WiFi</string>
      <key>SSID_STR</key>
      <string>CompanyWiFi</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>AutoJoin</key>
      <true/>
      <key>EncryptionType</key>
      <string>WPA3</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>13</integer> <!-- EAP-TLS -->
        </array>
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>[CA Cert UUID]</string>
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.company.com</string>
        </array>
        <key>TLSMinimumVersion</key>
        <string>1.2</string>
        <key>TLSMaximumVersion</key>
        <string>1.3</string>
        <key>TLSCertificateIsRequired</key>
        <true/>
        <key>PayloadCertificateUUID</key>
        <string>[Client Cert UUID]</string>
      </dict>
      <key>QoSMarkingPolicy</key>
      <dict>
        <key>QoSMarkingEnabled</key>
        <true/>
      </dict>
    </dict>
    <!-- Include CA and Client Certificate payloads -->
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.company.wpa3-192</string>
  <key>PayloadUUID</key>
  <string>[Unique UUID]</string>
  <key>PayloadDisplayName</key>
  <string>WPA3-192 Enterprise WiFi</string>
</dict>
</plist>
Deployment:
- Via MDM (Jamf, Intune, etc.)
- Manual installation (double-click)
- System Preferences → Profiles
- Requires admin approval
iOS / iPadOS (192-bit Mode)
System Requirements
Minimum Version:
- iOS 15.0 or later
- iPadOS 15.0 or later
- Latest iOS/iPadOS updates
Verify Support:
Settings → General → About → WiFi Address
Supports WPA3 if device is:
- iPhone 11 or newer
- iPad Pro (2018) or newer
- iPad Air (2019) or newer
- iPad mini (2019) or newer
MDM Configuration
Similar to macOS profile structure
Key differences:
<key>EncryptionType</key>
<string>WPA3Enterprise</string>
<key>EAPClientConfiguration</key>
<dict>
  <!-- Same as macOS -->
  <key>TLSMinimumVersion</key>
  <string>1.2</string>
  <!-- iOS-specific settings -->
  <key>OneTimeUserPassword</key>
  <false/>
  <key>SystemModeCredentialsSource</key>
  <string>DeviceCertificate</string>
</dict>
Deploy via:
- Apple Business Manager + MDM
- Apple Configurator
- Over-the-air enrollment
Android (192-bit Mode)
System Requirements
Minimum Version:
- Android 11 or later
- Android 12+ recommended for full support
- Device manufacturer support required
Note: 192-bit support varies by:
- Device manufacturer
- WiFi chipset
- Android version
- Security patch level
Verify Support:
Settings → About phone → Regulatory information
Or check with: adb shell wpa_cli -i wlan0 status
Manual Configuration
Settings → Network & Internet → WiFi:
1. Tap network name
2. Advanced options
3. Security: WPA3-Enterprise
4. EAP method: TLS
5. Phase 2 authentication: None
6. CA certificate: Install CA cert
7. User certificate: Install client cert
8. Identity: user@company.com
9. Anonymous identity: (leave blank)
10. Domain: radius.company.com
Note:
- Android does not expose 192-bit configuration
- Device automatically negotiates highest security
- Some manufacturers have custom WiFi settings
MDM Deployment (Android Enterprise)
Work Profile / Fully Managed:
WiFi Configuration:
{
  "ssid": "CompanyWiFi",
  "securityType": "WPA_ENT",
  "eapMethod": "TLS",
  "phase2Method": "NONE",
  "caCerts": ["ca-cert-uuid"],
  "clientCert": "client-cert-uuid",
  "identity": "${EMAIL}",
  "domainSuffixMatch": "radius.company.com"
}
Deploy via:
- Google Workspace
- Microsoft Intune
- VMware Workspace ONE
- Other EMM/UEM platforms
Migration Strategies
WPA2 to WPA3 Transition
Phase 1: Preparation (Month 1-2)
Assessment:
□ Inventory all WiFi devices
□ Check WPA3 compatibility
□ Identify legacy devices
□ Plan remediation (replacement/exclusion)
□ Update firmware on APs
□ Update RADIUS infrastructure
Certificate Preparation (for 192-bit):
□ Generate Suite B compliant CA
□ Issue RADIUS server certificates
□ Prepare client certificate templates
□ Test certificate issuance
□ Validate certificate chain
Testing:
□ Set up test SSID with WPA3
□ Test with sample devices
□ Verify authentication
□ Measure performance
□ Document any issues
Phase 2: Transition Mode (Month 3-6)
Dual-Mode Configuration:
Option A: Transition Mode SSID
- Single SSID supports both WPA2 and WPA3
- Devices negotiate highest common security
- Gradual migration
- Monitor WPA3 adoption rate
Configuration:
SSID: CompanyWiFi
Security: WPA2/WPA3-Enterprise Transition Mode
Encryption: CCMP (WPA2) or GCMP (WPA3)
Management Frame Protection: Optional (WPA2), Required (WPA3)
Advantages:
+ Single SSID for all devices
+ Transparent to users
+ Gradual adoption
+ No user impact
Disadvantages:
- Security limited by weakest client
- Potential downgrade attacks
- Extended transition period
Option B: Parallel SSIDs
- Separate SSIDs for WPA2 and WPA3
- Users migrate by changing networks
- Clear security boundaries
- Controlled migration
Configuration:
SSID 1: CompanyWiFi-Legacy (WPA2-Enterprise)
SSID 2: CompanyWiFi (WPA3-Enterprise)
Advantages:
+ Clear security separation
+ Known security level per network
+ Easier to track migration
+ Explicit user choice
Disadvantages:
- Two networks to manage
- User education required
- Manual network switching
- Higher management overhead
Recommended: Start with Transition Mode, move to WPA3-only
Monitoring:
- Track WPA2 vs WPA3 connection ratio
- Identify persistent WPA2-only devices
- Set target: 95% WPA3 adoption
- Timeline: 3-6 months
Phase 3: WPA3-Only (Month 6+)
Cutover:
Week 1-2: Final Assessment
□ Verify 95%+ devices support WPA3
□ Contact owners of legacy devices
□ Plan exceptions (guest network)
□ Schedule cutover window
□ Communicate to users
Week 3: Cutover
□ Disable WPA2 support
□ Enable WPA3-only mode
□ Monitor connection success rate
□ Provide help desk support
□ Address issues immediately
Post-Cutover:
□ Monitor authentication logs
□ Handle exception requests
□ Update documentation
□ Train help desk
□ Review security posture
Legacy Device Handling:
- Dedicated guest/legacy WPA2 network (isolated)
- Device replacement program
- Exceptions with approval
- Time-limited access
Standard WPA3 to 192-bit Mode
Prerequisites
Infrastructure:
□ All APs support 192-bit mode
□ RADIUS servers support Suite B
□ Certificates meet Suite B requirements
□ All devices compatible (verify!)
Certificate Readiness:
□ CA certificate: RSA 4096 or ECDSA P-384
□ RADIUS cert: Suite B compliant
□ Client cert template: Suite B
□ CRL/OCSP configured
□ Certificate lifecycle automated
Device Readiness:
□ Minimum OS versions met
□ Firmware updated
□ Suite B certificates distributed
□ Test connections validated
□ Fallback plan prepared
Important:
192-bit mode has NO transition mode
All devices must be fully compatible
Incompatible devices will be unable to connect
Migration Approach
Recommended: Parallel Network
1. Create new WPA3-192 SSID
SSID: CompanyWiFi-Secure
Security: WPA3-Enterprise 192-bit
2. Keep existing WPA3 SSID
SSID: CompanyWiFi
Security: WPA3-Enterprise (standard)
3. Phased migration by user group
- Week 1: IT team (10 users)
- Week 2-3: Security team (50 users)
- Week 4-6: Executive team (100 users)
- Week 7-12: All employees (1000+ users)
4. Criteria for migration
- Compatible device verified
- Suite B certificate issued
- User trained on new network
- Successful test connection
5. Eventual deprecation
- After 100% migration (6-12 months)
- Disable standard WPA3 network
- Single WPA3-192 network
Monitoring:
- Connection success rate > 99%
- Authentication time < 3 seconds
- Zero security incidents
- User satisfaction > 95%
Performance Considerations
Encryption Overhead
Performance Comparison:
Metric               WPA2-AES   WPA3-GCMP   WPA3-192-GCMP256
───────────────────────────────────────────────────────────────
Encryption Speed     Good       Better      Good
CPU Overhead         ~3-5%      ~2-4%       ~5-8%
Throughput Impact    Minimal    Minimal     Low
Latency              ~0.5ms     ~0.4ms      ~0.8ms
Hardware Accel.      Common     Common      Newer devices
Throughput (1 Gbps link):
- WPA2-AES: ~940 Mbps
- WPA3-GCMP: ~950 Mbps
- WPA3-192-GCMP256: ~920 Mbps
Note: Modern WiFi 6/6E APs have hardware acceleration
Actual performance depends on AP chipset and client device
Authentication Time
EAP-TLS Handshake Duration:
Scenario                 WPA2       WPA3        WPA3-192
──────────────────────────────────────────────────────────
Initial Connection       2-3s       2.5-3.5s    3-4s
Reauthentication         0.5-1s     0.6-1.2s    0.8-1.5s
Fast Transition (11r)    50-100ms   60-120ms    80-150ms
Factors affecting time:
- Certificate chain length (fewer certs = faster)
- Certificate key size (larger = slower)
- RADIUS response time
- Network latency
- Client device performance
Optimization:
- Use ECDSA certificates (faster than RSA)
- Minimize certificate chain depth
- Enable fast transition (802.11r)
- RADIUS server close to APs
- High-performance RADIUS servers
Roaming Performance
Fast Transition (802.11r) with WPA3:
Without 802.11r:
- Full EAP-TLS authentication required
- Handshake time: 2-4 seconds
- Noticeable interruption
- VoIP calls may drop
With 802.11r:
- PMK cached in mobility domain
- Handshake time: 50-150ms
- Seamless roaming
- VoIP calls maintained
Configuration:
SSID Settings:
- Fast Transition: Enabled
- FT Protocol: Over-the-air and Over-DS
- Mobility Domain: [4-character hex]
- Reassociation Timeout: 20 seconds
802.11r support required:
- All APs in mobility domain
- Client devices (most modern)
- Coordinated roaming
Troubleshooting
Connection Failures
WPA3 Handshake Failures
Symptoms:
- "Cannot connect to network"
- "Authentication failed"
- Repeated connection attempts
Common Causes:
1. Device incompatibility
- Check minimum OS version
- Verify WPA3 support
- Update firmware/drivers
2. MFP (802.11w) issues
- MFP must be required
- AP configuration mismatch
- Verify AP firmware
3. Cipher mismatch
- AP supports GCMP-128
- Client only supports CCMP-128
- Update AP or client
Diagnosis:
- Check AP logs for PMF errors
- Verify client supports required ciphers
- Test with known-good device
- Capture wireless packets (if possible)
Solutions:
- Update client device
- Verify AP configuration
- Check RADIUS logs
- Test with transition mode
192-bit Mode Specific Issues
Symptoms:
- Connection works with standard WPA3
- Fails with 192-bit mode
- Certificate errors
Common Causes:
1. Certificate non-compliance
- RSA key < 3072 bits
- ECDSA not P-384
- Signature not SHA-384/512
- CA chain not Suite B
Verification:
openssl x509 -in cert.pem -text -noout
Check:
- Public-Key: (3072 bit) or (384 bit)
- Signature Algorithm: sha384WithRSAEncryption
or ecdsa-with-SHA384
2. TLS version/cipher issues
- TLS 1.0/1.1 not allowed
- Weak cipher negotiated
- DH group too small
RADIUS Debug:
Look for: TLS negotiation failures
Check: Accepted cipher suites
Verify: Key exchange parameters
3. Device firmware outdated
- Update to latest version
- Check vendor release notes
- Verify 192-bit support explicitly
Solutions:
- Regenerate certificates (Suite B)
- Update RADIUS TLS configuration
- Update device firmware
- Contact IronWifi support for certificate validation
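The manual openssl x509 checks above (in the OpenSSL Generation Example and in cause 1 here) can be scripted so every certificate in a chain is tested against the same 192-bit mode rules: RSA of at least 3072 bits or ECDSA on P-384, a SHA-384 or SHA-512 signature, and optionally the expected EKU. The following is an added example, not IronWifi tooling; it assumes only that the openssl CLI is on PATH, and the function names are invented here.

```shell
#!/bin/sh
# Suite B / CNSA certificate checker for WPA3-Enterprise 192-bit mode.
# Added example (not IronWifi's code). Assumes the `openssl` CLI is in PATH.
# Pass criteria mirror the page's Certificate Requirements:
#   key:        RSA >= 3072 bits, or ECDSA on P-384 (secp384r1)
#   signature:  sha384/sha512WithRSAEncryption or ecdsa-with-SHA384/SHA512
#   EKU:        optional, clientAuth (client certs) or serverAuth (RADIUS cert)

# Print the first value matched by a sed expression in `openssl x509 -text` output.
x509_field() {
    # $1 = certificate text, $2 = sed substitution that leaves only the value
    printf '%s\n' "$1" | sed -n "$2" | head -n 1
}

# check_suite_b_cert CERT.pem [clientAuth|serverAuth]
# Returns 0 when every requirement is met, 1 on any violation, 2 if unreadable.
check_suite_b_cert() {
    local cert="$1" want_eku="${2:-}" text sig keyalg bits curve eku rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: not a readable X.509 certificate"; return 2; }

    sig=$(x509_field "$text" 's/^ *Signature Algorithm: *//p')
    keyalg=$(x509_field "$text" 's/^ *Public Key Algorithm: *//p')
    bits=$(x509_field "$text" 's/^.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    curve=$(x509_field "$text" 's/^ *ASN1 OID: *//p')

    # Key algorithm and size: the page requires RSA 3072+ or ECDSA P-384.
    case "$keyalg" in
        rsaEncryption)
            if [ "${bits:-0}" -lt 3072 ]; then
                echo "$cert: RSA key is ${bits:-?} bits, need >= 3072"; rc=1
            fi ;;
        id-ecPublicKey)
            if [ "$curve" != "secp384r1" ]; then
                echo "$cert: EC curve is ${curve:-unknown}, need P-384 (secp384r1)"; rc=1
            fi ;;
        *)
            echo "$cert: key algorithm '$keyalg' is not RSA or ECDSA"; rc=1 ;;
    esac

    # Signature hash: SHA-384 minimum (SHA-256 certs fail 192-bit mode).
    case "$sig" in
        sha384WithRSAEncryption|sha512WithRSAEncryption|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "$cert: signature algorithm '$sig' is not SHA-384/SHA-512"; rc=1 ;;
    esac

    # Optional EKU check: the value line follows the "Extended Key Usage" header.
    if [ -n "$want_eku" ]; then
        eku=$(printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}' | head -n 1)
        case "$want_eku:$eku" in
            clientAuth:*"TLS Web Client Authentication"*) ;;
            serverAuth:*"TLS Web Server Authentication"*) ;;
            *) echo "$cert: EKU '${eku:-none}' does not include $want_eku"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "$cert: Suite B compliant ($keyalg, $sig)"
    return "$rc"
}

# check_suite_b_chain ROOT.pem [INTERMEDIATE.pem ...] LEAF.pem
# Every certificate must pass ("All certificates in chain must meet requirements").
check_suite_b_chain() {
    local rc=0 c
    for c in "$@"; do
        check_suite_b_cert "$c" || rc=1
    done
    return "$rc"
}

# Run directly:  sh check_suite_b.sh ca-cert.pem radius-cert.pem client-cert.pem
[ "$#" -eq 0 ] || check_suite_b_chain "$@"
```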
Performance Issues
Slow Connection
Diagnosis:
1. Check authentication time
- Normal: Under 4 seconds
- Slow: Over 10 seconds
- Very slow: Over 30 seconds
2. Review RADIUS logs
- Look for delays
- Check certificate validation time
- Verify CRL/OCSP response time
3. Test network path
- AP to RADIUS latency
- Internet connectivity
- Firewall delays
Solutions:
Certificate optimization:
- Use ECDSA instead of RSA (faster)
- Minimize certificate chain
- Enable OCSP stapling
- Reduce CRL size
RADIUS optimization:
- Deploy RADIUS closer to APs
- Use faster hardware
- Enable certificate caching
- Optimize database queries
Network optimization:
- Ensure low latency to RADIUS
- QoS for RADIUS traffic
- Redundant paths
- Local RADIUS caching (if available)
Compatibility Issues
Mixed Device Environment
Challenge:
- Legacy devices: WPA2-only
- Modern devices: WPA3 capable
- Newest devices: 192-bit capable
Solution: Segmented Approach
SSID 1: CompanyWiFi-Legacy
- Security: WPA2-Enterprise
- Clients: Legacy devices only
- VLAN: Restricted network
- Bandwidth: Limited
- Access: Basic internet, no internal resources
- Time-limited: 2-year sunset plan
SSID 2: CompanyWiFi
- Security: WPA3-Enterprise
- Clients: Standard modern devices
- VLAN: Corporate network
- Bandwidth: Full speed
- Access: All resources
SSID 3: CompanyWiFi-Secure
- Security: WPA3-Enterprise 192-bit
- Clients: Compatible devices only
- VLAN: High-security network
- Bandwidth: Full speed
- Access: Sensitive resources
User Assignment:
- Standard users → CompanyWiFi (WPA3)
- Security team → CompanyWiFi-Secure (192-bit)
- Guests/legacy → CompanyWiFi-Legacy (WPA2, temp)
Best Practices
Security Hardening
Certificate Management
Best Practices:
Certificate Lifetime:
- CA Certificate: 10-20 years
- RADIUS Certificate: 2-3 years
- Client Certificate: 1 year
- Auto-renewal: 30 days before expiry
Key Protection:
- CA private key: Hardware Security Module (HSM)
- RADIUS private key: Encrypted storage
- Client private keys: Device-bound, non-exportable
- Key backup: Secure, encrypted, access-controlled
Revocation:
- Real-time revocation checking (OCSP)
- CRL updates: Hourly
- Immediate revocation for lost devices
- Automated revocation on employee termination
- Certificate Hold for investigations
Rotation:
- Regular key rotation
- Certificate renewal process
- Overlap period for transitions
- Automated distribution
Network Segmentation
Recommended Architecture:
Management VLAN:
- AP management interfaces
- Controllers
- RADIUS servers
- No client access
User VLANs:
- Standard users: VLAN 100
- Executives: VLAN 101
- Security team: VLAN 102
- Guest/Legacy: VLAN 199 (isolated)
Access Control:
- Firewall between VLANs
- Least privilege principle
- Micro-segmentation for 192-bit clients
- Zero trust architecture
192-bit Network Isolation:
- Dedicated VLAN for WPA3-192 clients
- Stricter firewall rules
- Enhanced monitoring
- Separate from standard network
Monitoring and Alerting
Security Monitoring
Real-time Alerts:
Critical (Immediate):
- Repeated authentication failures
- Downgrade attack detected
- MFP violation
- Deauthentication flood
- Rogue AP with company SSID
Warning (5-minute):
- Unusual authentication pattern
- Cipher mismatch events
- Certificate near expiry (7 days)
- RADIUS server slow response
Informational (Daily digest):
- WPA2 vs WPA3 ratio
- 192-bit adoption rate
- Authentication success rate
- Performance metrics
Monitoring Tools:
- SIEM integration
- IronWifi analytics
- AP logs analysis
- RADIUS accounting data
- Wireless IDS/IPS
Compliance Auditing
Regular Audits:
Weekly:
- Review authentication logs
- Check for anomalies
- Verify certificate status
- Monitor security events
Monthly:
- Compliance report
- Security posture assessment
- Certificate inventory
- Access review
Quarterly:
- Penetration testing
- Security audit
- Policy review
- Training assessment
Annual:
- Comprehensive security review
- Compliance certification
- Architecture review
- Disaster recovery test
Compliance and Certifications
Government Standards
CNSA Suite (for 192-bit)
NSA Commercial National Security Algorithm Suite:
Required Algorithms:
- Encryption: AES-256
- Digital Signatures: ECDSA (P-384) or RSA (3072-bit+)
- Key Exchange: ECDH (P-384) or DH (3072-bit+)
- Hashing: SHA-384
WPA3-192 Compliance:
✓ Data Encryption: GCMP-256 (AES-256)
✓ Key Derivation: HMAC-SHA-384
✓ Digital Signatures: ECDSA P-384 or RSA 3072+
✓ Key Exchange: ECDHE P-384 or DHE 3072+
✓ Management Frames: BIP-GMAC-256
Suitable For:
- National security systems
- Top Secret classified networks
- Critical infrastructure
- Government contractors
- Defense applications
FIPS 140-2/140-3
Federal Information Processing Standards:
WPA3 FIPS Compliance:
Cryptographic Module:
- WiFi chipset with FIPS validation
- AES implementation validated
- HMAC implementation validated
- Random number generator validated
WPA3-Enterprise:
- Can operate in FIPS mode
- AES-CCMP or GCMP encryption
- Validated cryptographic algorithms
- Meets FISMA Moderate
WPA3-Enterprise 192-bit:
- Enhanced FIPS compliance
- Suite B algorithms
- Meets FISMA High
- Suitable for government use
Certificate Requirements:
- Issued by FIPS-validated CA
- Key generation in FIPS module
- Secure key storage
Industry Standards
PCI-DSS
Payment Card Industry Requirements:
Requirement 4.1: Strong Cryptography
- WPA3 exceeds minimum requirements
- Strong encryption for cardholder data transmission
- Key management procedures
WPA3 Benefits for PCI:
✓ Strong encryption (GCMP-128/256)
✓ Mutual authentication (EAP-TLS)
✓ Automatic key rotation
✓ Protection against eavesdropping
✓ Management frame protection
Recommended Configuration:
- WPA3-Enterprise minimum
- EAP-TLS for merchants/processors
- Certificate-based authentication
- Quarterly security assessments
HIPAA
Health Insurance Portability and Accountability Act:
Technical Safeguards (§164.312):
Access Control:
- Unique user identification (certificates)
- Emergency access procedure
- Automatic logoff (session timeout)
- Encryption and decryption (WPA3)
Audit Controls:
- Authentication logging
- Access to ePHI tracked
- Certificate usage monitored
Integrity:
- Data integrity via GCMP
- Corruption detection
- Secure transmission
Transmission Security:
- WPA3-Enterprise encryption
- Protected health information secured
- Wireless security enhanced
Recommended:
- WPA3-Enterprise for all healthcare
- WPA3-192 for sensitive departments
- Certificate-based authentication
- Comprehensive logging
Support and Resources
IronWifi Support
Contact Information
- Email: support@ironwifi.com
- Portal: console.ironwifi.com/support
- Documentation: www.ironwifi.com/help-center
- Emergency: Available for Enterprise accounts
WPA3-Specific Support
- Configuration assistance
- Certificate generation
- Compatibility verification
- Migration planning
- Troubleshooting
Documentation
Related Guides
- Client Configuration - Device setup guides
- PKI Infrastructure - Certificate management
- Certificate Revocation - Revocation procedures
- Service Monitor - Performance monitoring
External Resources
Standards
- IEEE 802.11-2020: WiFi standard with WPA3
- RFC 8110: Opportunistic Wireless Encryption (OWE)
- CNSA Suite: NSA cryptographic requirements
- NIST SP 800-97: WiFi security guidelines
Vendor Documentation
Need Help with WPA3 Deployment?
Contact IronWifi for assistance with WPA3-Enterprise configuration, 192-bit mode setup, migration planning, or compliance requirements.