WPA3-Enterprise Beacon

Aruba's WPA3-Enterprise has three modes: CCM 128, GCM 256, and CNSA. I captured the Beacon frame for each mode. The SSIDs are "bin4-wpa3-enterprise-ccm128", "bin4-wpa3-enterprise-gcm256", and "bin4-wpa3-enterprise-cnsa". For comparison, I also captured the Beacon frame of a WPA2-Enterprise SSID ("bin4-wpa2-enterprise").


  • show ap bss-table command
AP505# show ap bss-table

Aruba AP BSS Table
------------------
bss                ess                          port  ip              phy   type  ch/EIRP/max-EIRP  cur-cl  ap name  in-t(s)  tot-t    flags
---                ---                          ----  --              ---   ----  ----------------  ------  -------  -------  -----    -----
b8:3a:5a:8b:36:d0  bin4-wpa3-enterprise-ccm128  ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        28m:21s  W3T
b8:3a:5a:8b:36:d1  bin4-wpa3-enterprise-gcm256  ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        24m:12s  W3T
b8:3a:5a:8b:36:d2  bin4-wpa3-enterprise-cnsa    ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        23m:51s  W3T
b8:3a:5a:8b:36:d3  bin4-wpa2-enterprise         ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        23m:33s  T

Channel followed by "*" indicates channel selected due to unsupported configured channel.
"Spectrum" followed by "^" indicates Local Spectrum Override in effect.

Num APs:5
Num Associations:0

Flags:       K = 802.11K Enabled; W = 802.11W Enabled; r = 802.11r Enabled; 3 = WPA3 BSS; O = Enhanced-open BSS with transition mode; o = Enhanced-open transition mode open BSS; M = WPA3-SAE mixed mode BSS; E = Enhanced-open BSS without transition mode; m = Agile Multiband (MBO) BSS; c = MBO Cellular Data Capable BSS; I = Imminent VAP Down; T = Individual TWT Enabled; t = Broadcast TWT Enabled; d = Deferred Delete Pending; a = Airslice policy; A = Airslice app monitoring; D = VLAN Discovered;
AP505#
  • Beacon frame of bin4-wpa3-enterprise-ccm128

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and each cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=1.

  • Beacon frame of bin4-wpa3-enterprise-gcm256

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:05 (WPA:SHA256) and each cipher suite is GCM256/SHA256. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.

  • Beacon frame of bin4-wpa3-enterprise-cnsa

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:0c (WPA:SHA384-SuiteB) and each cipher suite is GCM256/SHA384. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.

  • Beacon frame of bin4-wpa2-enterprise

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and each cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=0.



[English Version]

Aruba offers three WPA3-Enterprise modes: CCM 128, GCM 256 and CNSA. I captured a WPA3-Enterprise Beacon frame for each mode. The SSID names are bin4-wpa3-enterprise-ccm128, bin4-wpa3-enterprise-gcm256 and bin4-wpa3-enterprise-cnsa. I also captured a WPA2-Enterprise Beacon frame for comparison (SSID: bin4-wpa2-enterprise).

  • bin4-wpa3-enterprise-ccm128 Beacon frame

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and the cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=1.

  • bin4-wpa3-enterprise-gcm256 Beacon frame

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:05 (WPA:SHA256) and the cipher suite is GCM256/SHA256. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.

  • bin4-wpa3-enterprise-cnsa Beacon frame

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:0c (WPA:SHA384-SuiteB) and the cipher suite is GCM256/SHA384. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.

  • bin4-wpa2-enterprise Beacon frame

In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and the cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=0.
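
The RSN fields read off the captures above can also be extracted programmatically, which is useful when auditing many SSIDs for PMF enforcement. The following Python is an added example, not part of the original post: it parses an RSN element up to RSN Capabilities and lists the SSIDs that do not require PMF. The sample elements are constructed from the values reported on this page (one cipher, one AKM, only the PMF bits set), not bytes copied from the capture, and all function names are illustrative.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 8: "SAE", 12: "802.1X-SuiteB-SHA384"}

def _name(sel, names):  # 4-byte suite selector -> name; unknown ones stay as hex
    return names.get(sel[3], sel.hex(":")) if sel[:3] == OUI else sel.hex(":")

def _suites(buf, off, names):
    """Read a little-endian 2-byte count, then that many 4-byte selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse an RSN element (ID 48) up to and including RSN Capabilities."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]  # version(2) | group cipher(4) | pairwise list | AKM list | caps(2)
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, off = _suites(body, off, AKMS)
    if off + 2 > len(body):
        raise ValueError("truncated RSN Capabilities")
    (caps,) = struct.unpack_from("<H", body, off)  # bit 6 = PMFR, bit 7 = PMFC
    pmf = "required" if caps & 0x0040 else "optional" if caps & 0x0080 else "disabled"
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise,
            "akm": akm, "pmf": pmf}

def build_rsn(cipher, akm, caps):
    """Constructed sample element: one cipher for group and pairwise, one AKM."""
    one = struct.pack("<H", 1)  # version and both suite counts are 1
    body = one + OUI + bytes([cipher]) + one + OUI + bytes([cipher]) \
        + one + OUI + bytes([akm]) + struct.pack("<H", caps)
    return bytes([48, len(body)]) + body

SAMPLES = {  # constructed from the values this page reports, not capture bytes
    "bin4-wpa3-enterprise-ccm128": build_rsn(4, 1, 0x0080),
    "bin4-wpa3-enterprise-gcm256": build_rsn(9, 5, 0x00C0),
    "bin4-wpa3-enterprise-cnsa": build_rsn(9, 12, 0x00C0),
    "bin4-wpa2-enterprise": build_rsn(4, 1, 0x0000),
}

def pmf_not_required(samples):
    """SSIDs whose RSN element does not set PMFR (PMF is optional or off)."""
    return [ssid for ssid, ie in samples.items() if parse_rsn(ie)["pmf"] != "required"]
```

On these samples, `pmf_not_required(SAMPLES)` returns the CCM 128 and WPA2-Enterprise SSIDs, matching the PMFR=0 values seen in the captures.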