Thank you so much for your support and valuable information.
Original Message:
Sent: Jul 09, 2025 12:32 PM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
That's correct. The security parameters for WPA3-Enterprise (GCM-256) Non-CNSA are not widely supported by clients. It's a mode for specific customers and scenarios.
Original Message:
Sent: Jul 09, 2025 12:19 PM
From: Ahmed Suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
So this Snap means that my PC does not support wpa3-aes-gcm-256 encryption?
Original Message:
Sent: Jul 09, 2025 11:54 AM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
That happens when the client doesn't support the AKM or ciphers and then falls back to something the client knows. We saw this years ago with other opmodes at their inception, but it isn't so much a problem anymore.
Original Message:
Sent: Jul 09, 2025 11:51 AM
From: Ahmed Suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
OK, thank you so much for your support.
One last question :D When I choose wpa3-aes-ccm-256, it asks me for a preshared key on the client devices. Why does this happen?
Original Message:
Sent: Jul 09, 2025 11:43 AM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
That's correct. WPA3-Enterprise 192-bit (CNSA) requires EAP-TLS.
Original Message:
Sent: Jul 09, 2025 10:40 AM
From: Ahmed Suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
We are using 802.1x EAP PEAP authentication. Will WPA3-Enterprise 192-bit (CNSA) work for us, or must we use EAP-TLS?
Original Message:
Sent: Jul 09, 2025 10:33 AM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
If you don't want to allow WPA3 Enterprise AKMs (AKM:3/AKM:5) you could try switching to WPA3-Enterprise 192-bit (CNSA).
Original Message:
Sent: Jul 09, 2025 10:29 AM
From: Ahmed suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
Unfortunately, we can't do the OTA pcap now.
But I want to ask what if this is the case {the client advertising AKM:5 or AKM:3}. We want a way to prevent these clients from connecting.
Original Message:
Sent: Jul 09, 2025 09:43 AM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
Thanks for the screenshot. I still advise verifying with OTA pcap what AKM the client is actually associating with. AKM:3 and AKM:5 have been around for a long time. AKM:3 is actually shared between WPA2 and WPA3 for FT since AKM:3 already uses SHA-256. We need a packet capture.
Original Message:
Sent: Jul 09, 2025 09:41 AM
From: Ahmed suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
Hello schmelzle,
Thanks for your reply.
These are the protocols supported by the client.

Original Message:
Sent: Jul 09, 2025 09:33 AM
From: schmelzle
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
If the client is capable of AKM:5, it will be able to connect. WPA3-AES-CCM-128 on 8.11 and newer with TM disabled prevents AKM:1 (SHA-1 over .1X) from being used. The best way to confirm this is via OTA pcap during association to see what AKM is being used during association. If AKM:3 (if 802.11r/FT is enabled) or AKM:5 is used by the client, the client will be able to connect and use WPA3. It could be possible the client is actually capable of the WPA3 security parameters?
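The check recommended above (reading which AKM the client puts in its association request), as an added example that is not part of the original posts and is not vendor code. It parses the RSN element (ID 48) out of the tagged-elements portion of an association request body, that is, the bytes after the fixed fields; the `sample` helper and its bytes are constructed for illustration.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types under OUI 00-0F-AC (IEEE 802.11); only those named in this thread
# plus the Suite B 192-bit AKM are labelled.
AKM_NAMES = {1: "802.1X (SHA-1)", 3: "FT over 802.1X (SHA-256)",
             5: "802.1X (SHA-256)", 12: "802.1X Suite B 192-bit (SHA-384)"}

def find_rsn(ies: bytes):
    """Walk tagged elements (id, length, body); return the RSN body (id 48) or None."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, elen = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated element")
        if eid == 48:
            return body
        pos += 2 + elen
    return None

def akm_suites(rsn: bytes):
    """Return AKM suite types (OUI 00-0F-AC only) listed in an RSN element body."""
    def suite_list(off):
        if off + 2 > len(rsn):
            raise ValueError("truncated RSN element")
        (count,) = struct.unpack_from("<H", rsn, off)
        end = off + 2 + 4 * count
        if end > len(rsn):
            raise ValueError("truncated suite list")
        return [rsn[i:i + 4] for i in range(off + 2, end, 4)], end
    _pairwise, off = suite_list(2 + 4)   # skip version (2) and group cipher (4)
    akms, _ = suite_list(off)
    return [s[3] for s in akms if s[:3] == IEEE_OUI]

def describe(ies: bytes):
    rsn = find_rsn(ies)
    if rsn is None:
        return []
    return [f"AKM:{t} {AKM_NAMES.get(t, 'unlabelled')}" for t in akm_suites(rsn)]

# Constructed sample: SSID "corp", then RSN with CCMP-128 group/pairwise and one AKM.
def sample(akm_type: int) -> bytes:
    rsn = bytes.fromhex("0100000fac040100000fac040100000fac") + bytes([akm_type]) + b"\xc0\x00"
    return b"\x00\x04corp" + bytes([48, len(rsn)]) + rsn

if __name__ == "__main__":
    print(describe(sample(5)), describe(sample(1)))
```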
Original Message:
Sent: Jul 09, 2025 09:11 AM
From: Ahmed suliman
Subject: WPA2-only Capable Client able to connect to wpa3-aes-ccm-128 despite Opmode transition: Disabled
Hello Dears,
We have a strange behavior here.
We have an SSID that uses 802.1x authentication and WPA3-enterprise encryption.
We only want the WPA3 encryption type to be used; we use WPA3-aes-ccm-128 with Opmode transition Disabled. WPA2 Clients can connect to WPA3-AES-CCM-128 despite Opmode transition being Disabled.
We found this document that recommended upgrading to version 8.11.2.1 or later. We upgraded to 8.12.0.5, but still have the same issue.
Any ideas what the problem is?
Thanks for your support.