How to know if your iphone is using wpa3 or wpa2


+BudMan

So unifi finally released support for WPA3 via controller 6.1.51 and firmware 5.43+ on many of their APs

 

So I was playing with that yesterday.  And sure set a ssid to only be wpa3, and phone (iphone XR running 14.4) connected.. So yeah it works - but was wondering how do you know you're using wpa3 on a ssid that is set for wpa2/wpa3 because some devices on that network don't yet support wpa3.. Iot devices for sure many do not support such new features, or for that matter even 5ghz for wifi, be it n or ac..

 

The controller doesn't have a way to show if a device is using wpa2 or wpa3.. At least not yet.  So you really have to do it on the client device.  Well apple in their infinite wisdom clearly don't see the point of their users actually seeing any decent info about the connection ;)

 

Unless you install the developers wifi profile for debugging.. Why the F this is just not part of the standard features I have no idea.

 

You can find it here

https://developer.apple.com/bug-reporting/profiles-and-logs/

 

You have to agree to the developers agreement after you sign in with your apple id.

 

You can then install the profile, and now under your wifi you're connected to there will be a diagnostic menu..

 

This provides lots of good info.. Actual channel you're connected to, the VHT.  Actual signal strength.. If you're wpa2 or wpa3.. Actual BSSID which can be useful when you have more than 1 AP..   I wish they also would show you actual PHY (connection rate) for both tx and rx.. But hey it got the info I was looking for specifically..  But you can get the connection rate from the controller if you're running unifi stuff.

 

Hope this helps someone..


  • 1 month later...
Zyphrax

Thank you for this! Today I enabled WPA2/WPA3 mode and I had no clue how I could tell if my iPhone was actually using WPA3. This helped out a lot!


+BudMan

Glad it helped someone else.. On side note wpa3 enterprise is now working as well ;)

 

Now the question is when will iot devices support wpa3 - prob around the time wpa4 is getting old ;)

 


adrynalyne

Excellent. Didn’t know about that profile. 


  • 2 months later...
Brons2

I was excited to see the option for WPA3 with my controller upgrade, but then sadly I discovered the AC-AP-PRO does not have firmware on the 5.x branch.  Some of the other AC class APs have 5.4.x, but mine doesn't, which is strange to me because it's the "Pro" model.

 

Nevertheless, I did install the developer profile you suggested and that did confirm that it is indeed connecting with WPA2 when I put it in WPA2/WPA3 mode.  If you put it in WPA3 Only Mode it doesn't connect, probably because of the AP firmware. 

 

The tool itself is pretty cool and I thank you for that.


+BudMan
18 hours ago, Brons2 said:

but then sadly I discovered the AC-AP-PRO does not have firmware on the 5.x branch

I have an AC pro and works fine on the 5.x branch of firmware.

 

ssh to your Pro and do an info..

 

You sure you have a PRO?  And not an AC gen1 - the square model?

 

What version of the controller software are you running?  I am currently on 6.2.26 (Build: atag_6.2.26_15319)

 

edit:  Just noticed I was on 5.63.0 vs .3 - so just updated all of them to latest

and just validated that my iphone is connected to the uap-ac-pro and ssid that is wpa2/wpa3 mode and connects via wpa3

 


Brons2
On 12/06/2021 at 05:51, BudMan said:

You sure you have a PRO?  And not an AC gen1 - the square model?

Yes 100% have AC-Pro.   I realized that I needed to allow it to load Beta firmware in order to get the 5.63 branch.  If you only allow it to access the "release" firmware it only gave me options for 4.23 firmware.  At least on my setup anyway.

 

Since I am on controller 6.2.2.5, it allows you to change the firmware setting for Beta in the GUI now.  [edit] Link didn't work, guess because I am new.  Here is a screenshot of how to set the release channel through the GUI:

 

[screenshot]

 

Have gone through the upgrades on my 2 AP-Pro and my US-60W switch and now have WPA3 running on the desired SSID.  Thanks for getting me going in the right direction.

 

 

Edited by Brons2
link either didn't work or wasn't allowed, added screenshot instead.

Brandon H

slightly off topic but I'm curious. I haven't had a chance to look into WPA3 much yet as my devices don't support it yet but I'm wondering how much of an improvement and/or how much more secure is it compared to WPA2?


+BudMan

Yeah the problem with wpa3 is going to be support from older devices, and when/if iot devices will start to support it.  I find it highly unlikely that old iot devices like lightbulbs and such will be able to just get a firmware upgrade and support it.  And who is going to want to switch out all their old iot just to support wpa3... They can add up in cost.  I have like 16 light bulbs.. I got them for good prices.. But even at $10 each you're talking 160$ and then all the setup time to replace them all.. Yeah prob not going to happen ;)  They will get replaced when they fail most likely..  So hopefully years down the road.

 

As to how much more secure..  From a wpa2 enterprise setup to wpa3 or wpa3 enterprise, not really all that much to be honest.  Problem is iot type devices normally do not support enterprise..

 

The big thing with wpa3 is it enforces use of Protected Management Frames (PMF).

 

Also it uses Simultaneous Authentication of Equals (SAE), vs the wpa2 PSK..  With wpa3 offline dictionary attacks are pretty much gone - any attack would have to be done in real time.

 

The biggest drawback with changes in wifi, is until such time you can move all your devices to the new whatever - you're still going to be open to the old security issues.  You could completely isolate your networks so that anything on the wpa2 doesn't have access to anything on your wired or wpa3 wireless networks.  This is pretty much the case with my iot stuff.. The 2 vlans I have for say roku's and alexa stuff has no access into the rest of my network.. Other than plex on port 32400..

 

My trusted wifi network which is now using wpa3 enterprise, and eap-tls.. Is fine all my devices that I allow to access that network support it.  But I was hoping to move my guest wifi to wpa3, but sadly guest devices are not up to speed yet.  Nephew brought over his laptop, and couldn't get on my guest network, had to switch it to wpa2/wpa3 mode for him to get on.

 

edit: Another little problem which I hope they address at some point, is in the unifi controller there is no way to see if a client used wpa2 or wpa3.. So hard to even know if your iot devices would work.. Only way to know would be to switch to wpa3 only and see what doesn't connect ;)  At some point hope they show you what the client used in the controller.

 

Another thing is if you were using QR codes for your guests to scan, as of yet I don't think there is a way to do this with just wpa3 network.

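One way to answer this thread's question from a packet capture, since the controller does not show it (an added example, not part of any post; the byte strings are constructed samples and the function names are hypothetical). The AP's beacon RSN element lists every AKM it accepts (PSK for WPA2, SAE for WPA3) plus the PMF bits, while the client's association request carries the one AKM it chose.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
             8: "SAE", 9: "FT-SAE"}
SAE_AKMS, PSK_AKMS = {"SAE", "FT-SAE"}, {"PSK", "PSK-SHA256"}

# Constructed samples (not captured from the thread's network): RSN elements
# with CCMP group/pairwise ciphers, differing only in AKM list and capabilities.
_HEAD = "0100" "000fac04" "0100" "000fac04"
BEACON_TRANSITION = bytes.fromhex("3018" + _HEAD + "0200" "000fac02" "000fac08" "8000")
ASSOC_SAE = bytes.fromhex("3014" + _HEAD + "0100" "000fac08" "c000")
ASSOC_PSK = bytes.fromhex("3014" + _HEAD + "0100" "000fac02" "0000")

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 48) through its RSN Capabilities field."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]
    def suites() -> list:
        (count,) = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    take(4)   # group data cipher suite
    suites()  # pairwise cipher suites
    akms = [AKM_NAMES.get(s[3], f"akm-{s[3]}") for s in suites() if s[:3] == IEEE_OUI]
    (caps,) = struct.unpack("<H", take(2))  # bit 6 = PMF required, bit 7 = PMF capable
    return {"version": version, "akms": akms,
            "pmf_capable": bool(caps & 0x80), "pmf_required": bool(caps & 0x40)}

def ap_mode(rsn: dict) -> str:
    """Classify what an AP advertises in its beacon or probe response."""
    akms = set(rsn["akms"])
    if akms & SAE_AKMS and akms & PSK_AKMS:
        return "WPA2/WPA3 transition"
    if akms & SAE_AKMS:
        return "WPA3-only"
    return "WPA2-only" if akms & PSK_AKMS else "other"

def client_uses_wpa3(rsn: dict) -> bool:
    """True when the single AKM in a client's association request is SAE."""
    return len(rsn["akms"]) == 1 and rsn["akms"][0] in SAE_AKMS
```
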

Brons2

Budman,

 

Are you having any roaming issues with this 5.6.x firmware?  Spent most of the weekend at the back of the house (living, kitchen, master) but my office is at the front of the house and when I came up here this morning realized both my work and personal phones were constantly dropping and reconnecting when on the WPA3 enabled network which is 5G only.  I grabbed my PC from my night stand and brought it up here to the front of the house and it stayed connected but I realized it did not roam from the back of the house AP to the front of the house AP per the Ubiquiti management portal.  Even though I'm practically right under the front of the house AP, it's still connected to the back of the house AP.  It's just that the laptops have more ability to stay connected to a 5Ghz AP that is farther away.

 

After further experimentation I realized that nothing is roaming from whatever AP it originally connects to.  The phones stay connected if I move them over to my mixed 2.4G/5G SSID, but that is because of the longer reach of 2.4.  They don't roam off the AP they originally joined even on 2.4.

 

Non-roaming noticed on:

iPhones

iPads

Windows PCs

Linux PCs

Android phones/tablets.

IoT things - smart speakers, light switches, the ones that are kind of in the middle are just offline altogether.


Brons2

I rolled back to the "Release Candidate", AP roaming is now working.  Installed version on APs 5.43.36.12724.


+BudMan

The only devices I have on my wpa3 network are mine and wife's iphones, and ipad..  They roam just fine.. This is a wpa3-enterprise network...

 

Here just walked from one end of the house to other - see on guestroom AP, then moved to Kitchen AP.. You can see in the event log on the controller as I moved it transitioned to the hallway for a bit as walked between the 2 areas

 

Have not noticed any sort of issues with the 5.60, and now the 5.60.3 firmware running..  If I recall there might have been one beta firmware between that had some issues but that was like one of the first that rolled out after 5.43, where I rolled back to 5.43.. But ran on 5.60 for a very long time, and just recently moved to the 5.60.3

 

 

 

As to issues with your IOT things - quite possible they do not support wpa3.. And possibly could even have issues with transition mode wpa2/3

 

But I have all of my other vlans in wpa2/3 mode and everything is connected fine, and haven't noticed any flakiness in connections, etc.

 

 

I do have PMF set to optional on these ssids.

 

edit:

Let me do the same test after connecting to one of my other ssids, and moving about.  BRB

 

Yeah, moved to the wpa2/wpa3 ssid and it seems to be working fine.. It transitioned across all 3 of my APs as I walked across the house.
