
Embedded Wireless Controller Catalyst Access Points
User Guide

Support for Hash-to-Element for Password Element in SAE Authentication

  • Hash-to-Element (H2E)
  • YANG (RPC model)
  • Configuring WPA3 SAE H2E
  • Verifying WPA3 SAE H2E Support in WLAN

Hash-to-Element (H2E)

Hash-to-Element (H2E) is a newer method of deriving the SAE Password Element (PWE), the secret group element that the SAE protocol generates from the password. It is an alternative to the original Hunting-and-Pecking (HnP) method.
When a STA that supports H2E initiates SAE with an AP, it first checks whether the AP advertises H2E support. If it does, the STA signals H2E by placing a newly defined Status Code value in its SAE Commit message, and both peers derive the PWE with H2E.
If the STA uses Hunting-and-Pecking instead, the entire SAE exchange remains unchanged.
With H2E, the PWE derivation is split into two components:

  • Derivation of a secret intermediate element, PT, from the password. This can be performed offline, when the password is first configured on the device, once for each supported group.
  • Derivation of the PWE from the stored PT. This depends on the negotiated group and on the MAC addresses of the two peers, so it is performed in real time during the SAE exchange.

Because all password-dependent work happens in the offline step, the per-association step is a single scalar multiplication whose scalar depends only on the peers' MAC addresses; its timing therefore no longer leaks information about the password in the way the variable-length Hunting-and-Pecking loop could.

Note

  • The H2E method also incorporates protection against group-downgrade man-in-the-middle attacks. During the SAE exchange, the peers exchange lists of rejected groups, and these lists are bound into the PMK derivation. Each peer compares the received list with the list of groups it supports; any discrepancy indicates a downgrade attack and the authentication is terminated.
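As an added worked example (not part of the Cisco guide and not Cisco code), the following Python models the two-phase derivation described above for group 19 (NIST P-256) as IEEE 802.11-2020 specifies it: HKDF with SHA-256 and the Simplified SWU map produce PT in calc_pt, the offline password-dependent phase, and calc_pwe performs the per-association phase that binds the two MAC addresses. The SSID, password and MAC addresses at the bottom are constructed sample inputs, and the plain if/else branches stand in for the constant-time CSEL selections the standard requires.

```python
"""Two-phase SAE H2E password element derivation for group 19 (NIST P-256).
Added illustration, not Cisco code; CSEL selections are plain branches here."""
import hashlib
import hmac

# NIST P-256 (IANA group 19) domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order
Z = P - 10  # SSWU curve constant z = -10 for P-256
OLEN = 32   # octet length of p

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not side-channel safe)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def sswu(u):
    """Simplified SWU map from field element u to a point on P-256."""
    m = (Z * Z * pow(u, 4, P) + Z * u * u) % P
    if m == 0:
        x1 = B * pow(Z * A, -1, P) % P
    else:
        x1 = (-B * pow(A, -1, P)) * (1 + pow(m, -1, P)) % P
    gx1 = (pow(x1, 3, P) + A * x1 + B) % P
    x2 = Z * u * u * x1 % P
    gx2 = (pow(x2, 3, P) + A * x2 + B) % P
    if pow(gx1, (P - 1) // 2, P) <= 1:  # gx1 is a quadratic residue
        x, v = x1, gx1
    else:
        x, v = x2, gx2
    y = pow(v, (P + 1) // 4, P)  # p = 3 mod 4, so this is a square root of v
    if (u & 1) != (y & 1):
        y = P - y
    return x, y

def calc_pt(ssid, password, identifier=b""):
    """Offline phase: the secret intermediate element PT for one (SSID, password).
    This is the only password-dependent work, so it can be precomputed once."""
    length = OLEN + OLEN // 2
    seed = hkdf_extract(ssid, password + identifier)
    u1 = int.from_bytes(hkdf_expand(seed, b"SAE Hash to Element u1 P1", length), "big") % P
    u2 = int.from_bytes(hkdf_expand(seed, b"SAE Hash to Element u2 P2", length), "big") % P
    return ec_add(sswu(u1), sswu(u2))

def calc_pwe(pt, mac_a, mac_b):
    """Online phase: PWE = val * PT, with val bound to both peers' MAC addresses
    (ordered max || min so either side computes the same value)."""
    hi, lo = max(mac_a, mac_b), min(mac_a, mac_b)
    val = hmac.new(b"\x00" * 32, hi + lo, hashlib.sha256).digest()
    val = int.from_bytes(val, "big") % (Q - 1) + 1
    return ec_mul(val, pt)

# Constructed sample input: SSID/password from the procedure on this page, made-up MACs
SSID, PASSWORD = b"WPA3", b"Cisco123"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    pt = calc_pt(SSID, PASSWORD)
    pwe = calc_pwe(pt, AP_MAC, STA_MAC)
    print("PT on curve:", on_curve(pt), "PWE on curve:", on_curve(pwe))
```

Run it with Python 3.8 or later (pow(x, -1, p) is used for modular inverses). Note that calc_pwe orders the MAC addresses as max || min, so AP and STA obtain the same PWE whichever of them initiated, while a different peer MAC yields a different PWE from the same cached PT.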

YANG (RPC model)

To create an RPC for the SAE Password Element (PWE) mode, use the following RPC model:

[Figure: YANG RPC model for the SAE PWE mode]

Note

Because of a current infrastructure limitation, the delete operation performs one action at a time; that is, the YANG module does not support a delete operation on multiple nodes.

Configuring WPA3 SAE H2E

Procedure

Step 1: configure terminal
Example:
Device# configure terminal
Enters global configuration mode.

Step 2: wlan profile-name wlan-id SSID-name
Example:
Device(config)# wlan WPA3 1 WPA3
Enters the WLAN configuration sub-mode.

Step 3: no security wpa akm dot1x
Example:
Device(config-wlan)# no security wpa akm dot1x
Disables the 802.1X AKM.

Step 4: no security ft over-the-ds
Example:
Device(config-wlan)# no security ft over-the-ds
Disables fast transition over the DS (distribution system) on the WLAN.

Step 5: no security ft
Example:
Device(config-wlan)# no security ft
Disables 802.11r fast transition on the WLAN.

Step 6: no security wpa wpa2
Example:
Device(config-wlan)# no security wpa wpa2
Disables WPA2 security. PMF is disabled at this point.

Step 7: security wpa wpa2 ciphers aes
Example:
Device(config-wlan)# security wpa wpa2 ciphers aes
Configures the WPA2 cipher.
Note: You can check whether the cipher is configured by using the no security wpa wpa2 ciphers aes command. If the cipher is not reset, configure the cipher.

Step 8: security wpa psk set-key ascii value preshared-key
Example:
Device(config-wlan)# security wpa psk set-key ascii 0 Cisco123
Specifies a preshared key. The value 0 indicates that the key that follows is entered in cleartext.

Step 9: security wpa wpa3
Example:
Device(config-wlan)# security wpa wpa3
Enables WPA3 support.

Step 10: security wpa akm sae
Example:
Device(config-wlan)# security wpa akm sae
Enables the SAE AKM.

Step 11: security wpa akm sae pwe {h2e | hnp | both-h2e-hnp}
Example:
Device(config-wlan)# security wpa akm sae pwe h2e
Selects the SAE PWE method. The following options are supported:
• h2e: Hash-to-Element only; disables HnP.
• hnp: Hunting-and-Pecking only; disables H2E.
• both-h2e-hnp: both Hash-to-Element and Hunting-and-Pecking are supported (the default).

Step 12: no shutdown
Example:
Device(config-wlan)# no shutdown
Enables the WLAN.

Step 13: end
Example:
Device(config-wlan)# end
Returns to privileged EXEC mode.
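As an added example that is not part of the Cisco guide, the following Python script audits WLAN stanzas against the settings this procedure establishes: WPA3 and the SAE AKM enabled, the PWE mode, and WPA2, 802.1X and 802.11r FT disabled. The embedded configuration text is constructed from the commands in the procedure (one WLAN that follows it and one that does not); the running-config echo of a real controller may differ in detail, so adjust the matched strings to what show running-config | section wlan prints on your device.

```python
"""Audit WLAN stanzas for the SAE password-element settings this procedure sets.
Added example, not Cisco code; the sample config text is constructed."""
import re

# Constructed sample: one WLAN configured per the procedure, one that is not
SAMPLE_CONFIG = """\
wlan WPA3 1 WPA3
 no security wpa akm dot1x
 no security ft over-the-ds
 no security ft
 no security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa psk set-key ascii 0 Cisco123
 security wpa wpa3
 security wpa akm sae
 security wpa akm sae pwe h2e
 no shutdown
!
wlan LEGACY-SAE 2 LegacySAE
 security wpa wpa2
 security wpa wpa2 ciphers aes
 security wpa psk set-key ascii 0 Cisco123
 security wpa wpa3
 security wpa akm sae
 security wpa akm sae pwe hnp
 security ft
 no shutdown
!
"""

WLAN_HEADER = re.compile(r"^wlan\s+(\S+)\s+(\d+)\s+(\S+)$")
PWE_LINE = re.compile(r"^security wpa akm sae pwe (h2e|hnp|both-h2e-hnp)$")


def parse_wlans(config_text):
    """Group the lines under each 'wlan <profile> <id> <ssid>' header, keyed by profile."""
    wlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = WLAN_HEADER.match(line)
        if header:
            current = header.group(1)
            wlans[current] = {"id": int(header.group(2)), "ssid": header.group(3), "lines": set()}
        elif line == "!":
            current = None
        elif current and line:
            wlans[current]["lines"].add(line)
    return wlans


def sae_pwe_mode(lines):
    """Configured PWE mode; the guide documents both-h2e-hnp as the default when unset."""
    for line in lines:
        match = PWE_LINE.match(line)
        if match:
            return match.group(1)
    return "both-h2e-hnp"


def audit_wlan(wlan):
    """Findings for one WLAN; an empty list means it matches the procedure."""
    lines, findings = wlan["lines"], []
    if "security wpa wpa3" not in lines:
        findings.append("WPA3 not enabled")
    if "security wpa akm sae" not in lines:
        findings.append("SAE AKM not enabled")
    mode = sae_pwe_mode(lines)
    if mode == "hnp":
        findings.append("PWE mode hnp: Hunting-and-Pecking only, H2E disabled")
    elif mode == "both-h2e-hnp":
        findings.append("PWE mode both-h2e-hnp (default): HnP still accepted from clients")
    if "security wpa wpa2" in lines:
        findings.append("WPA2 still enabled alongside WPA3 (transition mode)")
    if "security wpa akm dot1x" in lines:
        findings.append("802.1X AKM enabled on an SAE WLAN")
    if "security ft" in lines or "security ft over-the-ds" in lines:
        findings.append("802.11r fast transition enabled; the procedure disables it")
    if "shutdown" in lines:
        findings.append("WLAN is administratively down")
    return findings


def audit(config_text):
    """Map each WLAN profile name to its list of findings."""
    return {name: audit_wlan(wlan) for name, wlan in parse_wlans(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The default PWE mode is reported as a finding rather than silently accepted because with both-h2e-hnp a client that does not support H2E still completes SAE with Hunting-and-Pecking; set h2e explicitly once all clients support it.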

Verifying WPA3 SAE H2E Support in WLAN

To view the WLAN properties (including the PWE method) for a given WLAN ID, use the following command:

[Figure: show command and sample output]

To verify which PWE method (H2E or HnP) an associated client used, use the following command:

[Figure: show command and sample output]

To view the number of SAE authentications that used H2E and HnP, use the following command:

[Figure: show command and sample output]
