
Configure WIFI Network with WPA3 Security with Aruba Instant AP

Steps to configure WIFI Network with WPA3 Security with Aruba Instant AP

WPA3 (Wi-Fi Protected Access 3) security improvements include:

  • Simultaneous Authentication of Equals (SAE)—Replaces WPA2-PSK with password-based authentication that is resistant to dictionary attacks

  • WPA3-Enterprise 192-Bit Mode—Brings the Suite-B 192-bit security suite, which is aligned with the Commercial National Security Algorithm (CNSA) suite, to enterprise networks

Windows 10 version 1903 and above with Intel® Wireless Adapters supports WPA3-Personal (aka WPA3-SAE) and WPA3-Enterprise.

Define DHCP Pool for Virtual Controller

The internal DHCP pool is used by the Virtual Controller to assign IP addresses to WIFI clients when VLAN GUEST is selected.

IAP315 (config) # ip dhcp pool
    subnet 172.16.10.0
    subnet-mask 255.255.255.0
    dns-server 192.168.1.230
    domain-name aventislab.com
    lease-time 60

WIFI Network with WPA3 Security (WIFI Profile)

  • opmode wpa3-sae-aes – WPA3 Personal
  • vlan guest – Client IP assignment managed by the Virtual Controller

IAP315 (config) # wlan ssid-profile WPA3
 enable
 type employee
 essid WPA3
 wpa-passphrase 0ad9ca4e493fa6c43d3268d0247c2d909fef6eba09abdfb5
 opmode wpa3-sae-aes
 vlan guest

Clients connected to VLAN GUEST will access the Internet via the NATed IP (192.168.1.125 VLAN3333) of the br0 interface.

IAP315# show ip interface brief
Interface                         IP Address / IP Netmask       Admin  Protocol
br0                            192.168.1.125 / 255.255.255.0    up     up
br0.3333                         172.16.10.1 / 255.255.255.0    up     up

IAP315# show datapath route
Route Table Entries
-------------------

Flags: L - Local, P - Permanent,  T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop, U - Use Default Gateway, G - PPPoE/3G/4G Gateway

       IP             Mask           Gateway       Cost  VLAN  Flags
---------------  ---------------  ---------------  ----  ----  -----
0.0.0.0          0.0.0.0          192.168.1.1         0     0
172.16.10.0      255.255.255.0    172.16.10.1         0  3333  D
192.168.1.0      255.255.255.0    192.168.1.125       0     1  L
192.168.1.240    255.255.255.255  192.168.1.240       0     1  LP

IAP315# show datapath nat-pool

Datapath NAT Pool Entries
-------------------------
ID  Begin Source IP  End Source IP  Destination IP  Flags
--  ---------------  -------------  --------------  -----
0   192.168.1.125    192.168.1.125  192.168.1.125   -
63  172.16.10.2      172.16.10.2    172.16.10.1     -
64  192.168.1.125    192.168.1.125  0.0.0.0         -
81  192.168.1.240    192.168.1.240  192.168.1.240   -

IAP315# show datapath session

Source IP         Destination IP  Prot SPort Dport Cntr Prio ToS Age Destination TAge Packets Bytes Flags  Offload flags
----------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- ------- ----- ------ -------------
172.16.10.194     40.100.18.18    6    55056 443   0    0    0   27  dev25       84c  0       0     SC
172.16.10.194     54.196.137.11   6    55203 443   0    0    0   1   dev25       18   1       29    SC

Using existing DHCP Server

The existing DHCP server in our FortiGate 60E can be used to assign IP addresses to WIFI clients by using VLAN 10.

Refer to the diagram below for more information

WIFI network with wpa3 security

IAP315 (config) # wlan ssid-profile WPA3
 enable
 type employee
 essid WPA3
 wpa-passphrase 0ad9ca4e493fa6c43d3268d0247c2d909fef6eba09abdfb5
 opmode wpa3-sae-aes
 vlan 10

User Role for the new WIFI Profile

Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts.

The default access rule for a new WIFI profile is to DENY all outgoing traffic:

wlan access-rule WPA3
   rule any any match any any any deny

Change to Unrestricted Full Access by adding a new rule with full access and deleting the default DENY All rule:

IAP315 (config) # wlan access-rule WPA3
    rule any any match any any any permit
    no rule any any match any any any deny
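
An added example, not part of the original article or Aruba's tooling: a small Python audit over a saved configuration in the layout shown above, flagging SSID profiles whose opmode is not WPA3 and access rules left at permit-all. The sample text is constructed, the LEGACY profile is hypothetical, and the passphrase is a placeholder.

```python
import re

# Constructed sample in the page's layout; LEGACY is a hypothetical profile.
SAMPLE_CONFIG = """\
wlan ssid-profile WPA3
 enable
 type employee
 essid WPA3
 wpa-passphrase <redacted>
 opmode wpa3-sae-aes
 vlan guest
wlan ssid-profile LEGACY
 opmode wpa2-psk-aes
wlan access-rule WPA3
 rule any any match any any any permit
wlan access-rule LEGACY
 rule any any match any any any deny
"""

STANZA = re.compile(r"^wlan (ssid-profile|access-rule) (\S+)\s*$")
PERMIT_ALL = "rule any any match any any any permit"

def parse_stanzas(text):
    """Return {(kind, name): [body lines]} for wlan ssid-profile/access-rule."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        # Drop a leading CLI prompt such as 'IAP315 (config) # '.
        line = re.sub(r"^\S+ \(config\) # ", "", raw)
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault((m.group(1), m.group(2)), [])
        elif line[:1].isspace() and current is not None:
            current.append(" ".join(line.split()))  # normalise indentation
        elif line.strip():
            current = None  # unrelated top-level command ends the stanza
    return stanzas

def audit(text):
    """Return sorted findings: non-WPA3 opmodes and permit-all access rules."""
    findings = []
    for (kind, name), body in parse_stanzas(text).items():
        if kind == "ssid-profile":
            opmode = next((l.split()[1] for l in body if l.startswith("opmode ")), "none")
            if not opmode.startswith("wpa3-"):
                findings.append(f"{name}: opmode {opmode} is not WPA3")
        elif PERMIT_ALL in body:
            findings.append(f"{name}: access rule permits all traffic")
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` reports the LEGACY profile's opmode and the permit-all rule on WPA3; the default deny rule produces no finding.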

Bandwidth Contract per SSID or Users

Bandwidth Contract per SSID

IAP315 (config) # wlan access-rule WPA3
    bandwidth-limit downstream 1024
    bandwidth-limit upstream 1024

Bandwidth Contract per User

IAP315 (config) # wlan access-rule WPA3
    bandwidth-limit peruser downstream 1024
    bandwidth-limit peruser upstream 1024

A Windows 10 version 1909 client is now connected to the WIFI network with WPA3 and is accessing the Internet.

Reference link

  1. Aruba Instant 8.6.0.x User Guide