One of the more common friction points I’m seeing lately with a few of my customers is the concept or mindset of leaving WPA3 “Transition Mode” enabled indefinitely, while, on the side, they created a dedicated WPA3 Enterprise SSID with SAE, PMF, GCMP-256, etc. The problem overall lies with a lack of the basic understanding of the 802.11 technology itself. However, I still have to talk more about why device compatibility and roaming issues linked to “Transition Mode” are a real thing, verses just moving off the feature set and trying to look at “AKM segmentation,” if you will (I made that up).
What “Transition Mode” means on WPA3-Enterprise
On an 802.1X (Enterprise) SSID, Transition Mode typically means the BSSID advertises multiple 802.11 RSN AKMs, such as the 802.1X / WPA2-Enterprise (legacy AKM) suite and the 802.1X with WPA3-Enterprise suite (RSN IE parameters aligned with WPA3 with stricter crypto/PMF expectations).
In plain terms, we have built one SSID with two security lanes. Some clients will take the modern lane. Others will cling to the legacy lane, even when they could do better, because chipsets and drivers aren’t all built the same.
My problem and main issue is the downgrading of AKM suites. If a WPA2-Enterprise SSID remains available on the same SSID with WPA3, you’ve preserved the legacy attack surface where older crypto still exists for a STA to negotiate. The “WPA3” SSID isn’t purely WPA3. It’s “WPA2-or-WPA3 depending on whatever the client feels like today.”
Roaming and device compatibility roaming, inconsistent PMF support with the “optional” flag set, and the “optional” and supplicant edge cases show up as sticky failures and unpredictable re-associations.
Leave a Reply