Aruba's early implementation of WPA3, mixed mode

Aruba has released for general availability ArubaOS 8.4, which includes WPA3-PSK:

Understandably, I was pretty excited to try it out and promptly upgraded my instant cluster, contained within the "safe zone" of my home lab. It was running before, and the upgrade required me to stand up an HTTP server to distribute binaries. The one-click upgrade worked with no issues and took ~10 minutes for both APs with no client-side downtime.

I'll try not to gush too much here, but this is a pretty wicked software release. The virtual controller UI is vastly improved and had a few new options:

ArubaOS 8

Configuring WPA3-SAE was also pretty easy:

WPA3 Setup

Once configured, I was able to connect to the WPA3 SSID I had created.

Wait, WHAT? Windows 10 doesn't have any WPA3 support yet! Digging a little deeper, I found that I was connected to an SSID that supported WPA2-Personal.

WPA3 Windows 10

It'd appear that we have the capability to run both WPA2 and 3 at the same time. Of course, we can trust but verify with a packet capture. This is not normally feasible without a software-defined radio, but Aruba provides a tool (PEEKREMOTE) that will let you remotely pull a packet capture. If you're interested in doing this yourself, the guide on how is at the end of this article. There are some important steps to follow when decoding the PCAP.

Here's what I found on the RSN IE portion of the 802.11 beacon frame:


From the looks of it, the RSN IEs allow for multiple cipher suites and AKMs. This isn't surprising, as this was how WPA1/2 works in mixed mode. From the PCAP, I would surmise that 00:0f:ac:08 is the 802.11i designation for SAE.

WPA2 & 3 Differences, courtesy of Ruckus Networks:
802.11i Robust Security Network Information Elements:
Airheads announcement:
Details on WPA3 and why it matters (not a light read):
InstantOS Packet Captures: