ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Sun Jan 29, 2023 1:38 pm

Dear friends,

On the hAP AX3, I would like to restrict to WPA3 and not WPA2/WPA3 transitional mode.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40/80mhz configuration.country=France .mode=ap \
.ssid=XXXXXXXXXXXXXXXX disabled=no security.authentication-types=wpa3-psk .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 \
.management-protection=required .wps=disable

The hap AX3 is seen as a wpa2/wpa3 transitional mode AP:
sudo iwlist wlp59s0 is used on my Debian with Intel ax200 and correct driver.

Cell 16 - Address: XXXXXXXXXXXXXXXX
Channel:149
Frequency:5.745 GHz
Quality=32/70 Signal level=-78 dBm
Encryption key:on
ESSID:"XXXXXXXXXXXXXXXXXXX"
Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=0000003663acf32d
Extra: Last beacon: 128ms ago
IE: Unknown: 000B4F69736561752D3567687A
IE: Unknown: 01088C129824B048606C
IE: Unknown: 030195
IE: Unknown: 07544652202401172801172C01173001173401173801173C011740011764011E68011E6C011E70011E74011E78011E7C011E80011E84011E88011E8C011E90011E95010E99010E9D010EA1010EA5010EA9010EAD010E
IE: Unknown: 200100
IE: Unknown: 23020800
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (4) : CCMP unknown (8) unknown (10) unknown (9)
Authentication Suites (1) : unknown (8)
IE: Unknown: 0B050100030000
IE: Unknown: 460573D000000C
IE: Unknown: 2D1AEF0903FFFF000000000000000000000100000000000000000000
IE: Unknown: 3D1695050400000000000000000000000000000000000000
IE: Unknown: 7F0A04000F00000000400040
IE: Unknown: BF0CB2798933FAFF0000FAFF0000
IE: Unknown: C005019B00FCFF
IE: Unknown: C304021C1C1C
IE: Unknown: FF1C230D01081A4010047048881F418104110800FAFFFAFF391CC7711C07
IE: Unknown: FF0724F43F0008FCFF
IE: Unknown: FF022703
IE: Unknown: FF0E260403A4FF27A4FF4243FF6232FF
IE: Unknown: F40120
IE: Unknown: DD178CFDF00101020100020101030301010004010109020000
IE: Unknown: DD180050F2020101840003A4000027A4000042435E0062322F00
IE: Unknown: DD168CFDF0040000494C51030209720100000000FDFF0000
IE: Unknown: DD078CFDF004010100
What are the correct settings to disable WPA2/WPA3 transitional mode?

I also want to keep only AC and AX and disable all the rest.

Is this possible?

Kind regards,
FF
Last edited by ffries on Mon Jan 30, 2023 11:44 am, edited 1 time in total.
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode

Mon Jan 30, 2023 11:39 am

Dear Friends,

I restricted my settings to CCMP and WPA3-PSK and the AP is still seen as a WPA2 AP:

Settings:
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40/80mhz configuration.country=France .mode=ap .ssid=XXXXXX disabled=no \
security.authentication-types=wpa3-psk .disable-pmkid=yes .encryption=ccmp .management-protection=required .wps=disable
Still seen as a WPA2 AP:
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : unknown (8)
I think this is important for the community to understand how to restrict to WPA3 and WPA2/WPA3 transitional mode is broken "by design".
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Mon Jan 30, 2023 11:44 am

It could be my Debian station returning false information about the AP.
The WPA3 only I guess, not WPA2/WPA3 transitional.
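
Added example (editor's code, not part of any post in this thread and not MikroTik's): iwlist prints "IEEE 802.11i/WPA2" for every RSN element, so what separates WPA3-only from transitional mode is the AKM suite list and the management-frame-protection bits, which this parser decodes from a raw RSN element. The two byte strings are constructed samples; the first mirrors the second scan above (CCMP, one AKM suite of type 8), and its MFP bits are an assumption because iwlist does not print them.

```python
import struct

# Suite types under OUI 00-0F-AC; iwlist prints the ones it lacks names for as "unknown (N)".
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 4: "FT-PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
IEEE_OUI = bytes.fromhex("000fac")
PSK_AKMS = {"PSK", "FT-PSK", "PSK-SHA256"}
SAE_AKMS = {"SAE", "FT-SAE"}

# Constructed sample RSN elements (not captured from the AP in this thread).
# Mirrors the second scan: group CCMP, pairwise CCMP, one AKM of type 8; MFPC+MFPR set (assumed).
SAE_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")
# What transitional mode advertises: AKM types 2 and 8 together, MFP capable but optional.
TRANSITIONAL = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")


def suite_name(selector, table):
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a readable name."""
    oui, kind = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return f"vendor({oui.hex()}:{kind})"
    return table.get(kind, f"unknown({kind})")


def read_suites(body, off, table):
    """Read a little-endian 2-byte count, then that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated suite list")
    names = [suite_name(body[off + 4 * i: off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count


def parse_rsn(element):
    """Parse an RSN element (ID 0x30), given with its 2-byte ID/length header."""
    if len(element) < 8 or element[0] != 0x30 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    pairwise, off = read_suites(body, 6, CIPHERS)
    akms, off = read_suites(body, off, AKMS)
    # RSN capabilities are optional; bit 6 = MFP required, bit 7 = MFP capable.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {
        "version": struct.unpack_from("<H", body, 0)[0],
        "group": suite_name(body[2:6], CIPHERS),
        "pairwise": pairwise,
        "akms": akms,
        "mfp_capable": bool(caps & 0x0080),
        "mfp_required": bool(caps & 0x0040),
    }


def classify(rsn):
    """Decide the personal-mode security level from the AKM list and the MFP-required bit."""
    akms = set(rsn["akms"])
    has_sae, has_psk = bool(akms & SAE_AKMS), bool(akms & PSK_AKMS)
    if has_sae and has_psk:
        return "WPA2/WPA3 transitional"
    if has_sae:
        return "WPA3-Personal only" if rsn["mfp_required"] else "SAE only, MFP not required"
    if has_psk:
        return "WPA2-Personal only"
    return "not a personal-mode network"


if __name__ == "__main__":
    for label, ie in (("SAE_ONLY", SAE_ONLY), ("TRANSITIONAL", TRANSITIONAL)):
        rsn = parse_rsn(ie)
        print(label, classify(rsn), rsn["akms"], "MFP required:", rsn["mfp_required"])
```

The same tables decode the first scan's "unknown (8) unknown (10) unknown (9)" pairwise entries as GCMP-128, CCMP-256 and GCMP-256.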
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Tue Dec 26, 2023 4:20 pm

Hello everyone. I have just purchased 2 Mikrotik NetMetal triple radio module devices (one mod. RB921UAGS-5SHPACT-NM and one RB922UAGS-5SHPACT-NM (I don't know the differences between the two, I think minimal)) with the aim of replacing one of my old radiolinks Mikrotik with WPA2 encryption that is continuously disconnected every 30 seconds or so perhaps due to a deauther attack.
I have never configured a wifi5 link with WPA3 so far (only WPA2) and I would like to know how to set anti-attack parameters that protect me as much as possible, unlike what happens with WPA2.

What do you recommend?

Do I also need to enable some new parameter or function that didn't exist with WPA2?

Thanks in advance and sorry for my inexperience....
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Tue Dec 26, 2023 11:00 pm

I think that the difference between them is that 922 has miniPCIe slot and SIM card slot while 921 doesn't.

As to WPA3: I believe support for WPA3 in ROS is in wave2/wifi ... and that one is not supported on MIPSBE architecture which your NetMetals are ... so unfortunately no dice.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Tue Dec 26, 2023 11:19 pm

> As to WPA3: I believe support for WPA3 in ROS is in wave2/wifi
Correct.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 1:16 am

What?

So even if I create the link with these devices that have 802.11ac, would the connection suffer deauthering?

I searched the site for "deauther" and read that a link to resist this type of attack should support:

1) 802.11ac or ...
2) 802.11w or ...
3) WPA3 or ...
4) WifiWave2 or ...
5) Wifi5 or Wifi6 or ...
6) Management Frame Protection or ...
7) Tkip or CCMP or ...
8) Must not have MIPSBE or...
9) other or ...

I DON'T UNDERSTAND ANYTHING ANYMORE!!

What should a Mikrotik apparatus have to resist deauther attacks?

Thanks to the expert Mikrotik resellers who recommended the NetMetal triples RB921UAGS-5SHPACT-NM and RB922UAGS-5SHPACT-NM because 802.11ac (they told me) made me burn over $350.

Is it possible that these devices have no way of resisting these attacks?? I can understand the 921 being out of production but the 922 is quite recent.

What equipment should I use instead of mine?
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 10:20 am

> What equipment should I use instead of mine?
To give you actionable advice, you have not provided any information about the radiolink.
You have purchased devices with 3 channels. Does that mean you have special antennas for them with 3 polarizations?
If you don't look into the situation and answer the way the equipment salesman answers. Get a NetMetal ac² or hAP ax³ with an additional sealed box.
Understand that first the radio engineer in your person should determine the necessary requirements for the equipment, and then already contact the seller.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 12:24 pm

All I need is a very simple point-to-point link with a radio module and with the other 2 radios to create another 2 point-to-multipoint links.

The exact same thing on the other side where the 922 is.

What is there to specify?

The distances are from 6 to 15 km.
I use the various radio modules separately or not.
It's NOT throughput or triple polarization that I'm interested in. I don't need dual band 2.4 & 5.6 GHz. I don't need 866 MB of traffic. I can also go to 5 MHz channel width and exchange a few kB per second.

The only thing I need is that the links must not be the victim of deauther attacks.
That's all.

Basically, the NetMetal 802.11ac I have are vulnerable and the NetMetal ac2 are not?
Where is this written on the datasheet?

With the purchase of 802.11ac devices I thought I had solved it because they are WIFI5 generation, but instead....

https://blog.spacehuhn.com/5ghz-deauthe ... cehuhn.com


I still haven't understood what makes them resistant to these attacks.... WPA3, ac2, 802.11w, MFP, Wifi5 class?
 
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 1:53 pm

> I still haven't understood what makes them resistant to these attacks.... WPA3, ac2, 802.11w, MFP, Wifi5 class?
Screenshot_27.jpg

Based on your description, I can draw 3 conclusions
1. You have low qualification as a radio engineer. You have a very poor understanding of the settings of the radio link that you are operating and trying to modernize
2. You do not pay any attention to very important parameters of the radiolink. I can judge from the description you give. Because links at 6-15 km is quite a difficult task, without good knowledge it is difficult to create them qualitatively.
3. I am 85% sure that the problem is not in deauthentication attacks.
Therefore, I suggest opening a new topic where we can understand your problems.
Earlier you wrote that you use RB493 with three radio modules, I want to say that 5SHPACT devices can not replace them as they have one radio module with three chains. It is not the same thing.
Mikrotik recognized his mistake to use several radio modules in one device and almost all of them were removed from production. This is due to the fact that it is impossible to provide quality isolation of radio modules one from another.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 1:53 pm

This is the first thing I enabled on my old Metal 5Shp 802.11a/n but absolutely nothing has changed.
That's why I switched to NetMetal 802.11ac
but the latter you tell me doesn't have WPA3.

What do I do? Should I buy NetMetal 802.11ac2?
Didn't I read in the brochure that NetMetal 802.11ac2 has WPA3?

Who should insure it for me?

Will I make another wrong purchase?
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 2:08 pm

> > I still haven't understood what makes them resistant to these attacks.... WPA3, ac2, 802.11w, MFP, Wifi5 class?
> Screenshot_27.jpg
>
> Based on your description, I can draw 3 conclusions
> 1. You have low qualification as a radio engineer. You have a very poor understanding of the settings of the radio link that you are operating and trying to modernize
> 2. You do not pay any attention to very important parameters of the radiolink. I can judge from the description you give. Because links at 6-15 km is quite a difficult task, without good knowledge it is difficult to create them qualitatively.
> 3. I am 85% sure that the problem is not in deauthentication attacks.
> Therefore, I suggest opening a new topic where we can understand your problems.
> Earlier you wrote that you use RB493 with three radio modules, I want to say that 5SHPACT devices can not replace them as they have one radio module with three chains. It is not the same thing.
> Mikrotik recognized his mistake to use several radio modules in one device and almost all of them were removed from production. This is due to the fact that it is impossible to provide quality isolation of radio modules one from another.
Now that there are some conclusions, I'll tell you all about it so that the various users will be able to draw better conclusions.

Let's look at the only link that doesn't work for me. This link of 10 (ten) km. it worked perfectly for months until a few weeks ago with minimum settings and WPA2 PSK and WPA2 EAP with aes ccm on both Unicast and Group and Management Protection disabled.
The signal was around -80 dBm on both sides and the throughput at 10 MHz bandwidth allowed a 10 MB file to be transferred in just over a minute between client and AP and vice versa.

All of a sudden from one Saturday afternoon onwards the link disconnected and reconnected every 30 seconds or so and there was no way to make it work anymore. This thing has been happening for several weeks.

I tried ANY CHANNEL, even those from Bolivia: NOTHING TO DO.

NO ONE changed any other settings

What could it be?
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 2:23 pm

> What could it be?
There are approximately 256 reasons.
Open a new topic.
The -80 signal is very weak.
We'll figure out what's going on.
Show me
1. The settings of each point
2. Scanning the air from each point.

PS The first thing I suggest on this unit is to downgrade the ROS version to 6.49.10 Long-term, ROS7 is not suitable for them.
PPS Similar error was on AX in ROS 7.9-7.11 in 7.13 changed driver, at this stage the probable cause is ROS version
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 2:54 pm

> > What could it be?
> There are approximately 256 reasons.
> Open a new topic.
> The -80 signal is very weak.
> We'll figure out what's going on.
> Show me
> 1. The settings of each point
> 2. Scanning the air from each point.
>
> PS The first thing I suggest on this unit is to downgrade the ROS version to 6.49.10 Long-term, ROS7 is not suitable for them.
> PPS Similar error was on AX in ROS 7.9-7.11 in 7.13 changed driver, at this stage the probable cause is ROS version
I sure hope you're right. During the day I will immediately downgrade and post the result.
Except that on the official website there are 6.49.9 and 6.49.11. There is no 6.49.10.
What do I do ? Do I download it from an unofficial site or do you have a secure link?
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 3:01 pm

:wink:
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 3:06 pm

Okay, okay. A thousand thanks.

I'll install it now. Obviously both Main and extra, right?
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 3:11 pm

> Obviously both Main and extra, right?
I haven't seen your configuration so I can't say. You should only install the extra package if you use it, and then only the necessary packages.
PS Usually one main package is enough
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 4:00 pm

I have 7.13 and it won't uninstall. There are also extra packages.
I tried uninstalling those first but nothing.

I still have 7.13 left even if I just want to move to 7.12.1
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Wed Dec 27, 2023 4:33 pm

I'm not a psychic.
Tell me in detail how you do the downgrade.
In general, search here on the forum many times written in detail how to downgrade the firmware version.
Since 7.13 changes the configuration of the radio. I would recommend to use the Backup that you made before upgrading to 7.13 or better to set up again manually.
The best option is Netinstall and manual settings from the default config.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 2:58 am

I wasted the whole afternoon trying to get down from 7.13 but there was no way, not even to 7.12.1 and so I had to use Netinstall (which I had never managed to use until the procedure was completed) ....

I posted post n.424 in the specific section on Thursday 28 December 2023 at 2.08am with the downgrade procedure in detail if it can be useful to anyone, given that both I and someone else spent a few hours trying to carry out the downgrade from 7.13:

viewtopic.php?p=1044763#p1044763
Last edited by frengo on Thu Dec 28, 2023 3:15 am, edited 1 time in total.
 
whatever
Member
Posts: 351
Joined: Thu Jun 21, 2018 9:29 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 11:17 am

> I wasted the whole afternoon trying to get down from 7.13 but there was no way, not even to 7.12.1
Issue on layer 8
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 11:30 am

@frengo
It's certainly good that you posted your paraphrase of the netinstall instructions, but that's not what we're interested in.
Did downgrading the ROS version to 6 fix the authentication problem or not?

PS
> I wasted the whole afternoon trying to get down from 7.13 but there was no way, not even to 7.12.1
We have a habit of reading instructions on the second day :lol:
https://help.mikrotik.com/docs/display/ ... g+RouterOS
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 12:57 pm

> @frengo
> It's certainly good that you posted your paraphrase of the netinstall instructions, but that's not what we're interested in.
> Did downgrading the ROS version to 6 fix the authentication problem or not?
During these holidays here in Italy, unfortunately before 12/30/2023 I cannot have physical access to the device to be reset with Netinstall, given that I need to press the button on the Routerboard.

Don't worry, as soon as I have completed the downgrade to 6.49.10 as you tell me I will post the response immediately.

If it really does work again (I hope so) it would be interesting to test by reinstalling version 7 (or 7.13) to understand if it is actually a version problem....

I'll post everything here
> @frengo
> PS
> > I wasted the whole afternoon trying to get down from 7.13 but there was no way, not even to 7.12.1
> We have a habit of reading instructions on the second day :lol:
> https://help.mikrotik.com/docs/display/ ... g+RouterOS
I made dozens of attempts following this guide but when I restarted it ALWAYS remained 7.13. Seeing is believing. I also followed the red errors in the Log. Once it told me that the System was missing, then I also put the System on and it told me that the Wireless was missing. The next time it told me that another package was missing, I put it in and nothing happened. Everything always remained at 7.13 - No problem anyway. With Netinstall I solved it and went back to 6.49.10. Now I'm waiting for them to give me the site keys to do the same operation on the other device....

Stay tuned
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 2:45 pm

Is there no change in the logs now? Show me.
To downgrade to 7.12, you must first remove the Wireless package and only then downgrade.
If you have wifi access, you can't do that. If you access the device via cable, you don't have to press the button to netinstall.
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 4:15 pm

> If you access the device via cable, you don't have to press the button to netinstall.
Possible ? And how do you use Netinstall without pressing reset? I followed the instructions in the official Mikrotik video here:

https://www.youtube.com/watch?v=gzlLbIf3Dbk&t=30s

and only shows the procedure by pressing the button.

How do you do it without reaching the button? Do you have a link or video on the topic?

Thank you
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 4:20 pm

https://help.mikrotik.com/docs/pages/vi ... Id=1409054

Use system Routerboard / Settings / Boot device = try ethernet once then NAND.
Then reboot using winbox / ssh / cli / ... whatever.
It should first go looking for a netinstall server then.
No press on any button needed.

But ... you need to have a netinstall server ready in the same network segment then.
Unless I missed something on that process.
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Thu Dec 28, 2023 8:31 pm

Screenshot_29.jpg
Then the system reboots
 
frengo
just joined
Posts: 20
Joined: Fri Jan 20, 2023 12:17 pm

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Mon Jan 01, 2024 11:44 pm

Finally today I managed to access the remote site and also downgrade the other device from 7.13 to 6.49.10 as you recommended but unfortunately nothing has changed.

I just noticed something strange and curious. Having seen so far the duration of the connection which every time before it breaks is about 30 seconds, as soon as I downgraded and put the connection back on which had been down for several days I noticed that the first attempt lasted almost 90 seconds and I had already deluded myself that everything was back in operation. Instead, unfortunately, the subsequent associations lasted less and less until at the fourth or fifth time the association attempt with the remote AP went back to lasting a maximum of 30 seconds (as can be seen from the log)... and some pings.

BBOOOOHHH!!
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: How to configure WPA3 only not WPA2/WPA3 transitional mode (fixed)

Tue Jan 02, 2024 4:27 pm

Well, you didn't want to open a separate topic, so we'll continue here.
> Let's look at the only link that doesn't work for me. This link of 10 (ten) km.
> The signal was around -80 dBm on both sides and the throughput at 10 MHz bandwidth
You said that only one radio link is not working. But in your last post you show data from another radio link on the same frequency, but with a different SSID.
If you want help
Show me
1. The settings of each point
2. Scanning the air from each point.
3. The status tab of the wifi interface on each side.
4. Signal tab from the registration tab on the access point
