Security

The following scenarios show how to configure WLAN interfaces to use different security modes. All examples use the wifi0 radio module and channel number 36 to avoid waiting for the CAC timer to expire. Note that an external RADIUS server is required in the enterprise scenarios.


Open Security

Description

In this example, the wlan1 interface will be configured to use no security.

Scenario

Warning

Note that the traffic will be readable by anyone within radio range. Use OWE or OWE-Transition instead.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm none

OWE Mode

Description

In this example, the wlan1 interface will be configured to use OWE security (Opportunistic Wireless Encryption). The main advantage of this mode compared with open security is that the traffic is encrypted, making passive sniffing useless.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm owe
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password
set interfaces wlan wlan1 type access-point security pmf required

OWE-Transition Mode

Description

In this example, the wlan1 interface will be configured to use OWE security (Opportunistic Wireless Encryption) and an additional interface, wlan2, will also be configured with open security. The open network is only a transition mechanism: it tells WPA3-capable devices that connect to it to use the OWE network instead.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm owe transition wlan-ifc wlan2
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point disable-broadcast-ssid
set interfaces wlan wlan2 bridge-group bridge br0
set interfaces wlan wlan2 phy wifi0
set interfaces wlan wlan2 type access-point security akm none transition wlan-ifc wlan1
set interfaces wlan wlan2 type access-point ssid robotest_5ghz_owe

WPA-Personal Mode

Description

In this example, the wlan1 interface will be configured in WPA personal mode, where security is ensured by means of the pre-shared key secret-password. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

WPA-Personal is considered no longer secure. Use WPA/WPA2-Personal instead in case legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password

WPA2-Personal Mode

Description

In this example, the wlan1 interface will be configured in WPAv2 personal mode, where security is ensured by means of the pre-shared key secret-password. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

The tkip unicast cipher is considered insecure. Use aes-ccmp instead.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password

WPA/WPA2-Personal Mode

Description

In this example, the wlan1 interface will be configured in WPA/WPAv2 personal mode, also known as WPAv2 mixed mode, where security is ensured by means of the pre-shared key secret-password. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

This mode was originally intended to provide WPA2 security while maintaining support for legacy WPA stations. As stations can still connect using WPA security, which is considered insecure, only use this mode if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password

WPA3-Personal Only Mode

Description

In this example, the wlan1 interface will be configured in WPAv3 personal mode, also known as SAE (Simultaneous Authentication of Equals), the current state of the art for PSK-based security, where security is ensured by means of the pre-shared key secret-password. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to required in this mode.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password
set interfaces wlan wlan1 type access-point security pmf required

WPA2/WPA3-Personal Transition Mode

Description

In this example, the wlan1 interface will be configured in WPAv2/WPAv3 personal mode, also known as WPAv3 transition mode, where security is ensured by means of the pre-shared key secret-password. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to optional in this mode, so that WPAv2 stations without PMF support can still connect.

Scenario

Note

This is a transition mode intended to provide connectivity to WPAv2-capable stations. WPAv3-capable stations will use WPAv3 (SAE) when connecting to the device.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password
set interfaces wlan wlan1 type access-point security pmf optional

WPA-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPA enterprise mode, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

WPA-Enterprise is considered no longer secure. Use WPA/WPAv2-Enterprise instead in case legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list

WPA2-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPAv2 enterprise mode, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

The tkip unicast cipher is considered insecure. Use aes-ccmp instead.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list

WPA/WPA2-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPA/WPAv2 enterprise mode, also known as WPAv2 mixed mode, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

This mode was originally intended to provide WPAv2 security while maintaining support for legacy WPA stations. As stations can still connect using WPA security, which is considered insecure, only use this mode if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list

WPA3-Enterprise Only Mode

Description

In this example, the wlan1 interface will be configured in WPAv3 enterprise mode, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to required in this mode.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security pmf required

WPA2/WPA3-Enterprise Transition Mode

Description

In this example, the wlan1 interface will be configured in WPAv2/WPAv3 enterprise mode, also known as WPAv3 transition mode, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to optional in this mode, so that WPAv2 stations without PMF support can still connect.

Scenario

Note

This is a transition mode intended to provide connectivity to WPAv2-capable stations. WPAv3-capable stations will use WPAv3 (dot1x-256) when connecting to the device.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security pmf optional

WPA3-Enterprise “192-bit” (CNSA) Mode

Description

In this example, the wlan1 interface will be configured in CNSA WPAv3-enterprise mode (CNSA: Commercial National Security Algorithm), the most secure WLAN mode available today, where security is ensured by means of the RADIUS server 192.168.100.20. The aes-gcmp-256 cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to required in this mode.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 short-gi false
set interfaces bridge br0
set interfaces bridge br0 address 192.168.100.10/24
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm cnsa
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-256
set system aaa server radius radius_server address 192.168.100.20
set system aaa server radius radius_server key secret-password
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 0 group radius radius_group
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security pmf required
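The rules stated across the scenarios above (open and tkip are insecure, wpav1 is legacy-only, WPA3-only and OWE need pmf required, WPA3 transition modes need pmf optional, CNSA needs aes-gcmp-256) can be checked mechanically before a configuration is committed. The following audit script is an added example, not part of the original page or of the device's own tooling; it parses `set interfaces wlan ... security ...` lines in the format used above, and the sample configuration embedded in it is constructed (the page's WPA2/WPA3-Personal transition scenario with tkip added and pmf set to required, so that two checks fire). Treating a missing pmf statement as "disabled" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the page's WPA2/WPA3-Personal transition config, with tkip
# added and pmf left at "required" so that both of those checks fire.
SAMPLE_CONFIG = """\
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security psk-passphrase secret-password
set interfaces wlan wlan1 type access-point security pmf required
"""

# Matches "set interfaces wlan <ifc> type access-point security <key> <value...>"
SEC_RE = re.compile(r"^set interfaces wlan (\S+) type access-point security (\S+) (.+)$")

def parse_security(config):
    """Group the security statements by interface: {ifc: {key: [values]}}."""
    settings = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = SEC_RE.match(line.strip())
        if m:
            ifc, key, value = m.groups()
            settings[ifc][key].append(value)
    return settings

def audit_interface(settings):
    """Apply the page's security rules to one interface; return a list of findings."""
    findings = []
    akm = {v.split()[0] for v in settings.get("akm", [])}   # "owe transition ..." -> "owe"
    in_transition = any("transition" in v for v in settings.get("akm", []))
    ciphers = {v.split()[-1] for v in settings.get("pairwise-ciphers", [])}
    pmf = settings.get("pmf", ["disabled"])[-1]   # assumed default when pmf is not set
    if "none" in akm and not in_transition:
        findings.append("open network: traffic is readable by anyone in range; use OWE or OWE-Transition")
    if "wpav1" in settings:   # "security wpav1 pairwise-ciphers ..." enables legacy WPA
        findings.append("legacy WPA (wpav1) enabled; keep only while legacy stations remain")
    if "tkip" in ciphers:
        findings.append("tkip unicast cipher is insecure; use aes-ccmp")
    personal_transition = {"psk", "sae"} <= akm
    enterprise_transition = {"dot1x", "dot1x-256"} <= akm
    wpa3_only = bool(akm & {"sae", "owe", "dot1x-256", "cnsa"}) and not (personal_transition or enterprise_transition)
    if (personal_transition or enterprise_transition) and pmf != "optional":
        findings.append(f"WPA3 transition mode needs pmf optional (found {pmf})")
    elif wpa3_only and pmf != "required":
        findings.append(f"WPA3-only/OWE mode needs pmf required (found {pmf})")
    if "cnsa" in akm and ciphers != {"aes-gcmp-256"}:
        findings.append("CNSA mode must use only the aes-gcmp-256 pairwise cipher")
    return findings

def audit_config(config):
    """Return {ifc: [findings]} for every WLAN interface in the configuration."""
    return {ifc: audit_interface(s) for ifc, s in parse_security(config).items()}
```

Running `audit_config(SAMPLE_CONFIG)` reports the tkip cipher and the wrong pmf setting for wlan1; the unmodified scenarios on this page that use pmf correctly produce no findings apart from the tkip and wpav1 warnings the page itself gives.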