WPA3-Enterprise Beacon
Aruba's WPA3-Enterprise has three modes: CCM 128, GCM 256 and CNSA. I captured the Beacon frame for each mode. The SSIDs are bin4-wpa3-enterprise-ccm128, bin4-wpa3-enterprise-gcm256 and bin4-wpa3-enterprise-cnsa. For comparison, I also captured a WPA2-Enterprise Beacon frame (SSID: bin4-wpa2-enterprise).
- output of show ap bss-table
    AP505# show ap bss-table

    Aruba AP BSS Table
    ------------------
    bss                ess                          port  ip              phy   type  ch/EIRP/max-EIRP  cur-cl  ap name  in-t(s)  tot-t    flags
    ---                ---                          ----  --              ---   ----  ----------------  ------  -------  -------  -----    -----
    b8:3a:5a:8b:36:d0  bin4-wpa3-enterprise-ccm128  ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        28m:21s  W3T
    b8:3a:5a:8b:36:d1  bin4-wpa3-enterprise-gcm256  ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        24m:12s  W3T
    b8:3a:5a:8b:36:d2  bin4-wpa3-enterprise-cnsa    ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        23m:51s  W3T
    b8:3a:5a:8b:36:d3  bin4-wpa2-enterprise         ?/?   192.168.215.13  a-HE  ap    108/18.0/29.7     0       AP505    0        23m:33s  T

    Channel followed by "*" indicates channel selected due to unsupported configured channel.
    "Spectrum" followed by "^" indicates Local Spectrum Override in effect.

    Num APs:5
    Num Associations:0

    Flags: K = 802.11K Enabled; W = 802.11W Enabled; r = 802.11r Enabled; 3 = WPA3 BSS;
           O = Enhanced-open BSS with transition mode; o = Enhanced-open transition mode open BSS;
           M = WPA3-SAE mixed mode BSS; E = Enhanced-open BSS without transition mode;
           m = Agile Multiband (MBO) BSS; c = MBO Cellular Data Capable BSS; I = Imminent VAP Down;
           T = Individual TWT Enabled; t = Broadcast TWT Enabled; d = Deferred Delete Pending;
           a = Airslice policy; A = Airslice app monitoring; D = VLAN Discovered;
    AP505#
- bin4-wpa3-enterprise-ccm128 Beacon frame
In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and each cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=1.
- bin4-wpa3-enterprise-gcm256 Beacon frame
In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:05 (WPA:SHA256) and each cipher suite is GCM256/SHA256. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.
- bin4-wpa3-enterprise-cnsa Beacon frame
In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:0c (WPA:SHA384-SuiteB) and each cipher suite is GCM256/SHA384. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=1 and PMFC=1.
- bin4-wpa2-enterprise Beacon frame
In the RSN Information tag, the AKM (Auth Key Management) is 00:0f:ac:01 (WPA) and each cipher suite is CCM. In RSN Capabilities, the 802.11w/PMF (Protected Management Frames) bits are PMFR=0 and PMFC=0.
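The four captures above are distinguished by three RSN fields: the AKM suite, the cipher suite and the PMFR/PMFC bits. The following added example (not part of the original post) parses an RSN element and maps those fields to the mode. The function names, the suite type numbers 4 (CCMP-128) and 9 (GCMP-256), and the elements produced by `build_rsn` are assumptions of this example; the samples are constructed, not bytes from the captures.

```python
import struct

OUI = bytes.fromhex("000fac")  # suite selector OUI seen in the captures (00:0f:ac)
PMFR, PMFC = 0x0040, 0x0080    # RSN Capabilities bits 6 and 7
# (AKM type, pairwise cipher type, PMFR, PMFC) -> mode; 4 = CCMP-128, 9 = GCMP-256.
MODES = {
    (0x01, 4, 0, 1): "WPA3-Enterprise CCM 128",
    (0x05, 9, 1, 1): "WPA3-Enterprise GCM 256",
    (0x0C, 9, 1, 1): "WPA3-Enterprise CNSA",
    (0x01, 4, 0, 0): "WPA2-Enterprise",
}

def _suites(body, off, count):
    """Return `count` suite types starting at `off`, plus the next offset."""
    end = off + 4 * count
    sel = [body[i:i + 4] for i in range(off, end, 4)]
    if end > len(body) or any(s[:3] != OUI for s in sel):
        raise ValueError("truncated or vendor-specific suite selector")
    return [s[3] for s in sel], end

def parse_rsn(ie):
    """Parse an RSN element (ID 48) through the RSN Capabilities field."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    try:
        group, off = _suites(body, 2, 1)  # offset 2 skips the 2-byte version field
        (n,) = struct.unpack_from("<H", body, off)
        pairwise, off = _suites(body, off + 2, n)
        (n,) = struct.unpack_from("<H", body, off)
        akm, off = _suites(body, off + 2, n)
        (caps,) = struct.unpack_from("<H", body, off)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    return {"group": group[0], "pairwise": pairwise, "akm": akm,
            "pmfr": int(bool(caps & PMFR)), "pmfc": int(bool(caps & PMFC))}

def classify(ie):
    """Map an RSN element to one of the four modes captured on this page."""
    r = parse_rsn(ie)
    if len(r["akm"]) != 1 or len(r["pairwise"]) != 1:
        return "unknown"
    return MODES.get((r["akm"][0], r["pairwise"][0], r["pmfr"], r["pmfc"]), "unknown")

def build_rsn(cipher, akm, caps):
    """Constructed sample, not captured bytes: group cipher = pairwise cipher."""
    c, one = OUI + bytes([cipher]), struct.pack("<H", 1)
    body = one + c + one + c + one + OUI + bytes([akm]) + struct.pack("<H", caps)
    return bytes([48, len(body)]) + body
```

In the fields reported above, the ccm128 BSS differs from the WPA2-Enterprise BSS only in PMFC, so a check that looks at the AKM alone cannot tell the two apart.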