Security Enhancements in Wi-Fi 7
Wi-Fi 7 introduces enhanced authentication, encryption, and protection mechanisms to ensure secure and reliable communication between a client and the Access Point. The use of the Extremely High Throughput (EHT) physical layer and of multiple links in Multi-Link Operation (MLO) requires new security rules that must be complied with across all links in use. This white paper discusses the enhancements to wireless security offered by Wi-Fi 7, their significance, and the challenges the client ecosystem faces in supporting them. Wi-Fi 7 and 802.11be are used interchangeably in this white paper.
Authentication and Key Management
The IEEE 802.11be standard mandates AKM suites that use a group-dependent hash for client authentication: SAE authentication in Wi-Fi 7 uses AKM 24 (00-0F-AC:24), and Fast Transition (FT) authentication over SAE uses AKM 25 (00-0F-AC:25). With these suites the hash function is selected according to the strength of the negotiated SAE group rather than being fixed to SHA-256. AKM 24 and 25, which 802.11be requires for EHT operation, provide per-MLD (Multi-Link Device) authentication: in MLO, a single PMK (Pairwise Master Key) and the PTK derived from it belong to the MLD rather than to an individual link, so all links share one synchronized key hierarchy and one session. These AKM suites replace the SAE-based AKMs 8 (SAE) and 9 (FT-SAE) of Wi-Fi 6/6E, which fix the hash to SHA-256. A Wi-Fi 7 AP advertises support for multiple AKM suites in its RSN IE, allowing clients that support the new AKMs to benefit from enhanced security, while clients that do not (Wi-Fi 6E and older) continue to authenticate with AKM 8 or 9.
Pair-wise Cipher Suite
Wi-Fi 7 APs and clients use the Galois/Counter Mode Protocol with 256-bit keys (GCMP-256) as the pairwise cipher suite in place of AES CCMP-128. GCMP is an AES-GCM based authenticated-encryption cipher: it encrypts the Frame Body field of a plaintext MPDU and encapsulates the resulting ciphertext together with the GCM-computed MIC, providing data confidentiality, authentication, integrity, and replay protection. A Wi-Fi 7 AP advertises both the old and the new pairwise cipher suites, so newer clients select GCMP-256 while older clients continue to use CCMP-128 for backward compatibility. Note in Figure 1 that the group cipher suite, which every client on the BSS must be able to use for broadcast and multicast traffic, remains CCMP-128; the stronger cipher applies to the unicast traffic of clients that negotiate it.
Figure 1: AKM 24 and GCMP-256 advertisement in the RSN Information Element of Arista Wi-Fi 7 AP Beacon
Tag: RSN Information
  Tag Number: RSN Information (48)
  Tag length: 28
  RSN Version: 1
  Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
  Pairwise Cipher Suite Count: 2
  Pairwise Cipher Suite List: 00:0f:ac (Ieee 802.11) GCMP (256), 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) GCMP (256)
    Pairwise Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
  Auth Key Management (AKM) Suite Count: 2
  Auth Key Management (AKM) List: 00:0f:ac (Ieee 802.11) SAE (SHA256), 00:0f:ac (Ieee 802.11) SAE (GROUP-DEPEND)
    Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) SAE (SHA256)
      Auth Key Management (AKM) OUI: 00:0f:ac (Ieee 802.11)
      Auth Key Management (AKM) type: SAE (SHA256) (8)
    Auth Key Management (AKM) Suite: 00:0f:ac (Ieee 802.11) SAE (GROUP-DEPEND)
      Auth Key Management (AKM) OUI: 00:0f:ac (Ieee 802.11)
      Auth Key Management (AKM) type: SAE (GROUP-DEPEND) (24)
Management Frame Protection
Management Frame Protection (MFP, IEEE 802.11w) protects robust management frames (Deauthentication, Disassociation, and robust Action frames) against spoofing, denial of service, and man-in-the-middle attacks: unicast management frames are encrypted with the pairwise key, and broadcast management frames carry a BIP integrity check computed with the IGTK. MFP is mandatory for both single-link and multi-link operation in Wi-Fi 7. An AP that requires MFP sets both the Management Frame Protection Required (MFPR) and Management Frame Protection Capable (MFPC) bits in the RSN Capabilities field of its RSN IE to 1, as shown in Figure 2; a client that does not support MFP cannot associate with such an AP.
Figure 2: Management Frame Protection support indicated in RSN Information Element
Tag: RSN Information
  Tag Number: RSN Information (48)
  Tag length: 28
  RSN Version: 1
  Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
  Pairwise Cipher Suite Count: 2
  Pairwise Cipher Suite List: 00:0f:ac (Ieee 802.11) GCMP (256), 00:0f:ac (Ieee 802.11) AES (CCM)
  Auth Key Management (AKM) Suite Count: 2
  Auth Key Management (AKM) List: 00:0f:ac (Ieee 802.11) SAE (SHA256), 00:0f:ac (Ieee 802.11) SAE (GROUP-DEPEND)
  RSN Capabilities: 0x00cc
    .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
    .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneous
    .... .... .... 11.. = RSN PTKSA Replay Counter capabilities: 16 replay counters per PTKSA/GTKSA/STAKeySA
    .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA
    .... .... .1.. .... = Management Frame Protection Required: True
    .... .... 1... .... = Management Frame Protection Capable: True
    .... ...0 .... .... = Joint Multi-band RSNA: False
    .... ..0. .... .... = PeerKey Enabled: False
    ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
    .0.. .... .... .... = OCVC: False
Beacon Protection
Beacon frames have historically been transmitted without integrity protection, so the AP capabilities and signaling carried in their information elements (IEs) could be forged. An attacker who alters beacon IEs can make client devices switch to the wrong channel, drop to lower data rates, or disconnect. The 802.11be standard mandates that APs support Beacon Protection and advertise it in their beacons. With Beacon Protection, the AP distributes a Beacon Integrity Group Temporal Key (BIGTK) to the client during the WPA3 4-way handshake and appends a Management MIC Element (MME) to every Beacon frame. The MIC covers all fields of the Beacon frame except the Timestamp, so a client can verify beacon integrity and detect active tampering, and the packet number carried in the MME lets it reject replayed beacons. MFP is a prerequisite for enabling Beacon Protection. Legacy clients that do not support WPA3 and MFP ignore the Beacon Protection bit and the MIC and associate without these protections; Beacon Protection therefore shields only the clients that implement it, not the legacy clients on the same BSS.
Figure 3: Beacon Protection via sharing the Beacon Integrity Key during the WPA3 4-way handshake (Source: Wi-Fi Alliance Beacon Protection)
Figure 4: Beacon Protection support advertisement in Octet 11 of Extended Capabilities Tag in Arista Wi-Fi 7 AP's beacon
Tag: Extended Capabilities (13 octets)
  Tag Number: Extended Capabilities (127)
  Tag length: 13
  Extended Capabilities: 0x04 (octet 1)
  Extended Capabilities: 0x00 (octet 2)
  Extended Capabilities: 0x00 (octet 3)
  Extended Capabilities: 0x02 (octet 4)
  Extended Capabilities: 0x00 (octet 5)
  Extended Capabilities: 0x00 (octet 6)
  Extended Capabilities: 0x00 (octet 7)
  Extended Capabilities: 0x4040 (octets 8 & 9)
  Extended Capabilities: 0x00 (octet 10)
  Extended Capabilities: 0x10 (octet 11)
    .... ...0 = Complete List of NonTxBSSID Profiles: False
    .... ..0. = SAE Password Identifiers In Use: False
    .... .0.. = SAE Passwords Used Exclusively: False
    .... 0... = Enhanced Multi-BSSID Advertisement Support: False
    ...1 .... = Beacon Protection Enabled: True
    ..0. .... = Mirrored SCS: False
    .0.. .... = OCT: False
    0... .... = Local MAC Address Policy: False
  Extended Capabilities: 0x0c (octet 12)
  Extended Capabilities: 0x00 (octet 13)
Security in MLO
MLO requires coordinated security mechanisms on all participating links to ensure secure and seamless link switching and aggregation. WPA3 is mandatory on all links in MLO. WPA3 transition mode and OWE transition mode are not allowed in MLO; only WPA3 is mandated for EHT (Wi-Fi 7) operation. All links in MLO must use the same AKM suite and pairwise cipher suite.
Security modes
A major advancement in Wi-Fi 7 security is the mandate of WPA3 on all links. The table below compares security modes mandated and allowed in Wi-Fi 7 versus Wi-Fi 6E/6.
Table 1: Comparison of security features mandated in Wi-Fi 7 and Wi-Fi 6E/6
Security mode/feature | Wi-Fi 7 | Wi-Fi 6E/6
WPA3 | Mandatory | Mandatory in 6 GHz band; optional in 2.4 & 5 GHz bands
WPA3 Transition Mode | Not allowed | Not allowed in 6 GHz band; allowed in 2.4 & 5 GHz bands
OWE | Allowed | Allowed
OWE Transition Mode | Not allowed | Not allowed in 6 GHz band; allowed in 2.4 & 5 GHz bands
AKM Suites | 24, 25 | 24, 25 mandatory in 6 GHz band; 8, 9 allowed in 2.4 & 5 GHz bands
Pairwise cipher suite | GCMP-256 | CCMP-128
Management Frame Protection | Mandatory | Mandatory in 6 GHz band; optional in 2.4 & 5 GHz bands
Beacon Protection | Mandatory | Mandatory in 6 GHz band; optional in 2.4 & 5 GHz bands
Interoperability and RSN Overriding
When a Wi-Fi 7 AP advertises multiple AKM suites and pairwise cipher suites, clients that do not understand the new suites may fail to connect. To avoid such interoperability issues, the Wi-Fi Alliance introduced the RSN overriding mechanism in WPA3 Specification v3.4. With RSN overriding, the AP advertises only the WPA2 AKMs and pairwise cipher suites in the RSN element (RSNE) itself. The new AKMs and cipher suites are advertised in the RSNE Override element, and the AKMs and cipher suites common to all MLO links are advertised in the RSNE Override 2 element. The extended RSN capabilities are likewise advertised in two separate elements, RSNXE and RSNXE Override, so that non-Wi-Fi 7 clients only ever parse the suites they understand while override-aware clients select the stronger ones.
The additional information elements introduced in the RSN Overriding mechanism are depicted in Figure 5 for a 5 GHz radio configured in WPA3 Personal mode.
Figure 5: RSN Overriding IEs in 5 GHz band for WPA3 Personal security mode
Diagram description: RSN Overriding branches into RSNE Overriding and RSNXE Overriding, and RSNE Overriding is a prerequisite for RSNXE Overriding. The RSNE lists AKM 2, 4 and CCMP-128; the RSNE Override element lists AKM 8, 11; the RSNE Override 2 element lists AKM 24, 25 and GCMP-256. The RSNXE section shows the Element ID and OUI of the RSNXE, and the Element ID, OUI, and OUI Type that identify the RSNXE Override element.
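The following decoder is an added example and not code from the white paper or from Arista. It parses the three beacon elements discussed above (the RSN element with its cipher, AKM and RSN Capabilities fields, the Extended Capabilities element with the Beacon Protection bit, and the Wi-Fi Alliance vendor-specific RSNE Override, RSNE Override 2 and RSNXE Override elements) and shows which element a legacy, an override-aware, and an MLO client would actually act on. The first sample is rebuilt from the octets in Figures 1, 2 and 4; the second is a constructed RSN-overriding set in the shape of Figure 5. Two things are assumptions rather than facts from the paper: the OUI type numbers 0x29/0x2A/0x2B for the override elements (the values used by hostapd) and that the body of an override element after the OUI type is laid out exactly like an RSNE body.

```python
"""Decode the security elements of a Wi-Fi 7 beacon: RSNE (48), Extended Capabilities (127), WFA RSNE Override elements (221)."""
import struct

IEEE_OUI = b"\x00\x0f\xac"   # 00-0F-AC: IEEE 802.11 cipher/AKM suite selectors
WFA_OUI = b"\x50\x6f\x9a"    # 50-6F-9A: Wi-Fi Alliance vendor-specific elements
# OUI types of the RSN overriding elements. ASSUMED: the values hostapd uses; the paper names the elements, not the numbers.
RSNE_OVERRIDE, RSNE_OVERRIDE_2, RSNXE_OVERRIDE = 0x29, 0x2A, 0x2B
WIFI7_AKMS, GCMP_256 = {24, 25}, 9      # AKM 24/25 and cipher selector 9 = GCMP-256

def iter_ies(data):
    """Yield (element_id, body); a length running past the buffer is rejected, not over-read."""
    off = 0
    while off + 2 <= len(data):
        eid, ln = data[off], data[off + 1]
        if off + 2 + ln > len(data):
            raise ValueError("truncated element id=%d" % eid)
        yield eid, data[off + 2:off + 2 + ln]
        off += 2 + ln

def _suite(sel):
    return sel[3] if sel[:3] == IEEE_OUI else None   # type number for 00-0F-AC selectors, None for vendor ones

def parse_rsne(body):
    """Parse an RSNE body: version, group cipher, pairwise list, AKM list, capabilities. Later fields are optional."""
    if len(body) < 2 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("missing or unsupported RSN version")
    r = {"group": _suite(body[2:6]) if len(body) >= 6 else None,
         "pairwise": [], "akm": [], "mfpr": False, "mfpc": False}
    off = 6
    for key in ("pairwise", "akm"):
        if len(body) < off + 2:
            return r                               # element ends here: remaining fields absent
        n = struct.unpack_from("<H", body, off)[0]
        off += 2
        if len(body) < off + 4 * n:                # the suite count must fit inside the element
            raise ValueError("%s suite count exceeds element length" % key)
        r[key] = [_suite(body[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
        off += 4 * n
    if len(body) >= off + 2:                       # RSN Capabilities: bit 6 = MFPR, bit 7 = MFPC
        caps = struct.unpack_from("<H", body, off)[0]
        r["mfpr"], r["mfpc"] = bool(caps & 0x40), bool(caps & 0x80)
    return r

def beacon_protection_enabled(extcap):
    return len(extcap) >= 11 and bool(extcap[10] & 0x10)   # bit 84 = octet 11, bit 4

def assess_beacon(ies):
    """Collect the base RSNE, the three override elements and the Beacon Protection bit."""
    rep = {"rsne": None, "rsne_override": None, "rsne_override_2": None,
           "rsnxe_override": False, "beacon_protection": False}
    for eid, body in iter_ies(ies):
        if eid == 48:
            rep["rsne"] = parse_rsne(body)
        elif eid == 127:
            rep["beacon_protection"] = beacon_protection_enabled(body)
        elif eid == 221 and len(body) >= 4 and body[:3] == WFA_OUI:
            if body[3] == RSNE_OVERRIDE:
                rep["rsne_override"] = parse_rsne(body[4:])
            elif body[3] == RSNE_OVERRIDE_2:
                rep["rsne_override_2"] = parse_rsne(body[4:])
            elif body[3] == RSNXE_OVERRIDE:
                rep["rsnxe_override"] = True
    return rep

def effective_rsne(rep, understands_override, mlo):
    """Element a client honours: MLO clients take RSNE Override 2, override-aware non-MLO
    clients take RSNE Override, legacy clients only ever see the base RSNE."""
    if mlo and rep["rsne_override_2"]:
        return rep["rsne_override_2"]
    if understands_override and rep["rsne_override"]:
        return rep["rsne_override"]
    return rep["rsne"]

def wifi7_compliant(rsne, beacon_protection):
    """The mandates listed in this paper: AKM 24/25, GCMP-256, MFPC+MFPR, Beacon Protection."""
    return (bool(WIFI7_AKMS & set(rsne["akm"])) and GCMP_256 in rsne["pairwise"]
            and rsne["mfpr"] and rsne["mfpc"] and beacon_protection)

def build_rsne(group, pairwise, akms, caps):
    """Serialise an RSNE body with 00-0F-AC selectors (used only to build the samples)."""
    sel = lambda t: IEEE_OUI + bytes([t])
    return (struct.pack("<H", 1) + sel(group)
            + struct.pack("<H", len(pairwise)) + b"".join(map(sel, pairwise))
            + struct.pack("<H", len(akms)) + b"".join(map(sel, akms)) + struct.pack("<H", caps))

def ie(eid, body):
    return bytes([eid, len(body)]) + body

EXTCAP = bytes.fromhex("04000002000000404000100c00")   # the 13 octets of Figure 4
# Sample 1: the RSNE of Figures 1 and 2 (length 28) plus the Extended Capabilities of Figure 4.
FIG_BEACON = ie(48, build_rsne(4, [9, 4], [8, 24], 0x00CC)) + ie(127, EXTCAP)
# Sample 2 (constructed, shaped like Figure 5): WPA2 AKMs in the RSNE, SAE in RSNE Override,
# the MLO-common AKM 24/25 with GCMP-256 in RSNE Override 2, plus an RSNXE Override.
OVERRIDE_BEACON = (ie(48, build_rsne(4, [4], [2, 4], 0x0080))
    + ie(221, WFA_OUI + bytes([RSNE_OVERRIDE]) + build_rsne(4, [4], [8, 9], 0x00C0))
    + ie(221, WFA_OUI + bytes([RSNE_OVERRIDE_2]) + build_rsne(4, [9], [24, 25], 0x00C0))
    + ie(221, WFA_OUI + bytes([RSNXE_OVERRIDE]) + b"\x00") + ie(127, EXTCAP))
```

To use it on a real capture, pass the element run of a beacon (everything after the 12-octet Timestamp, Beacon Interval and Capability fields) to assess_beacon(), then call effective_rsne() with the client type of interest and wifi7_compliant() on the result. On the constructed override sample, the legacy view yields AKM 2 and 4 with CCMP-128 and fails the Wi-Fi 7 check, while the MLO view yields AKM 24 and 25 with GCMP-256 and passes it; the parser also refuses elements whose suite count or length runs past the buffer, which is the bound a beacon parser must enforce before trusting any of these fields.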
Concluding insights
The mandatory adoption of WPA3 on all Wi-Fi 7 radio links provides resistance to offline dictionary attacks on the shared password and forward secrecy for each session. The new AKMs tie key management to the MLD rather than to individual links: one PMK and PTK cover all links of an MLO association, while group keys remain per link, which is what makes secure link switching and aggregation possible. Protection of beacon and management frames yields networks that resist spoofing, man-in-the-middle, and denial-of-service attacks. Encryption on password-less networks through OWE reduces the eavesdropping risk that has long deterred the safe use of public Wi-Fi. Overall, Wi-Fi 7 security enhances both user safety and network robustness.
The security features mandated in the Wi-Fi 7 standard apply when the AP and the client use the EHT PHY and/or MLO. Clients that do not support the new security features can still associate with a Wi-Fi 7 AP but will not benefit from the advanced data rates offered by EHT PHY and MLO. They will need to fall back to using older Wi-Fi protocols, such as 802.11ax.
Arista Networks Contact Information
Santa Clara—Corporate Headquarters
5453 Great America Parkway, Santa Clara, CA 95054
Phone: +1-408-547-5500
Fax: +1-408-538-8920
Email: info@arista.com
Ireland—International Headquarters
3130 Atlantic Avenue
Westpark Business Campus
Shannon, Co. Clare
Ireland
Vancouver-R&D Office
9200 Glenlyon Pkwy, Unit 300
Burnaby, British Columbia
Canada V5J 5J8
San Francisco-R&D and Sales Office
1390 Market Street, Suite 800
San Francisco, CA 94102
India—R&D Office
Global Tech Park, Tower A & B, 11th Floor
Marathahalli Outer Ring Road
Devarabeesanahalli Village, Varthur Hobli
Bangalore, India 560103
Singapore-APAC Administrative Office
9 Temasek Boulevard
#29-01, Suntec Tower Two
Singapore 038989
Nashua-R&D Office
10 Tara Boulevard
Nashua, NH 03062
Copyright (c) 2025 Arista Networks, Inc. All rights reserved. CloudVision, and EOS are registered trademarks and Arista Networks is a trademark of Arista Networks, Inc. All other company names are trademarks of their respective holders. Information in this document is subject to change without notice. Certain features may not yet be available. Arista Networks, Inc. assumes no responsibility for any errors that may appear in this document. August 1, 2025