With the introduction of Wi-Fi 6E/6GHz, the available RF space has significantly increased. For my non-technical readers, Wi-Fi 6 and Wi-Fi 6E are not the same, Wi-Fi 6E brings the new 6GHz frequency which you can read more about in my previous article discussing Wi-Fi 6E Advancements.
This expansion enhances performance and reduces sources of interference and noise, paving the way for more reliable and high-quality wireless connections. However, this advancement also necessitates new and improved security measures for WLAN/SSID configurations.
The new 6GHz standard enforces security protocols to enhance wireless communications. Devices operating in the 6GHz band must comply with the following security standards:
WPA3: Mandates the use of Protected Management Frames (PMF/802.11w) to enhance protection against attacks on management frames.
Opportunistic Wireless Encryption (OWE): Replaces “Open SSID” by providing encryption without requiring authentication, ensuring data privacy even on open networks commonly found in cafes.
Simultaneous Authentication of Equals (SAE): Substitutes Pre-Shared Key (PSK) methods, offering robust resistance to offline password attacks through improved cryptographic algorithms.
Additionally, more advanced encryption methods, such as WPA3 Enterprise-192, are supported. Certain legacy protocols and configurations, such as PMF disabled/optional, TKIP, and WEP, are explicitly prohibited.
In an ideal scenario of a greenfield 6GHz deployment, the new security standards would be implemented seamlessly, offering enhanced security by default. However, most deployments will involve integrating the new 6GHz networks with existing 2.4GHz and 5GHz networks. This coexistence poses several challenges:
Security Incompatibility: Existing WLAN/SSID configurations, particularly those using WPA2 Enterprise (802.1x), Webauth, or WPA2-PSK, will not meet the new security requirements for 6GHz. Consequently, these networks cannot be broadcasted directly in the new band and will require updates to comply with the new standards.
Planning and Testing: Migrating to the new security standards will necessitate careful planning and thorough testing to ensure a smooth transition without disrupting existing services.
Backward Compatibility: Older devices that do not support the new security protocols may face compatibility issues, making the migration process more complex than simply updating configurations.
Despite the challenges, various strategies can facilitate the coexistence of new 6GHz access points and clients with older devices and standards:
Mixed-Mode Deployment: Implement a mixed-mode deployment where new access points and clients support WPA3 and 6GHz, while older devices continue to operate under WPA2 or earlier standards.
Gradual Migration: Gradually migrate existing networks by upgrading devices and configurations in phases, ensuring compatibility and minimizing disruption.
Comprehensive Planning: Develop a detailed migration plan that includes timelines, testing protocols, and contingency measures to address potential issues during the transition.
By understanding and addressing these challenges, organizations can successfully migrate their WLAN/SSID configurations to take full advantage of the benefits offered by 6GHz networks while maintaining robust security and compatibility.
Some may suggest using WPA2/WPA3 transition mode to simplify the migration to 6GHz networks. Unfortunately, this approach was designed for introducing WPA3 into legacy bands; it should not be used here, as it will cause you more headaches than it’s worth and doesn’t resolve the underlying security issue of leaving WPA2 enabled.
Understanding WPA3 Transition Mode
WPA3 transition mode allows a hybrid scenario where WPA2 and WPA3 coexist, with Protected Management Frames (PMF) set to optional and the group key using legacy encryption. However, 6GHz networks require strict adherence to WPA3 standards, prohibiting the use of transition mode. This means you can't simply switch an existing WLAN from WPA2 to transition mode for 6GHz—it’s not supported in the new band.
Transition mode is effective for easing into WPA3 in legacy bands, enabling older devices to coexist with new ones supporting WPA3 and PMF. However, this approach can lead to erratic behavior or connectivity issues for multiple clients, and it does not meet the stringent security requirements of 6GHz.
Transition Disable
Transition Disable is an indication a WPA3 access point can send to a client so that, once it has connected with WPA3, the client stops accepting WPA2 for that SSID. While beneficial for security, this feature can cause connectivity issues in networks with mixed security settings across different locations, as clients may fail to connect to WPA2-only areas after migration.
While there are more than just three migration strategies, the ones I’ll cover further in detail are what has worked best for me in real work, and none of the options include using WPA3-Transition mode.
This approach moves all SSIDs to WPA3, SAE, or OWE, using a single SSID across all bands and eliminating legacy security support. It is the quickest way, but its lift-and-shift nature can create the largest number of support cases. There is a long list of compatibility issues around some of the requirements, and implementing this option will lead to compatibility problems as soon as any older device tries to connect. Migrating the SSID profile on clients may be problematic, depending on the operating system: several devices will use the higher security offerings right away, while others will need to be adjusted.
Drawbacks:
Compatibility issues with older devices.
Potentially problematic SSID profile migration on clients.
Requires absolute control over all client devices.
Users, especially on Apple products, will be prompted with a security message; leveraging an MDM platform can help mitigate this pesky prompt.
Positives:
No need for additional SSIDs.
Eliminates low-security SSIDs.
Create new SSIDs specifically for 6GHz, optionally broadcasted in other bands, maximizing backward compatibility by leaving existing networks untouched.
Example:
Legacy SSID: AOMIT, broadcasted on 5 GHz only, supporting WPA2 Enterprise
Guest SSID: AOMIT-GUEST, supporting webauth in 2.4/5 GHz
IoT: AOMIT-IOT, with WPA2-PSK, for restricted sensor/camera devices in 2.4 GHz
What we would add: Wi-Fi 6 specific SSID: AOMITNG, broadcasted on 5 and 6GHz, using WPA3 with 802.1x authentication and PMF
Drawbacks:
Need for new SSID creation and broadcast.
Additional profile configuration is required for devices.
Sensitive SSID naming considerations.
Positives:
No impact on existing networks.
Gradual migration of devices to new security standards.
Supports fast roaming between bands for the same WLAN.
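The 6GHz requirements listed earlier (WPA3 only, PMF required, no transition mode, no TKIP/WEP) and the example SSIDs above can be turned into a simple pre-migration audit. This is an added example, not code from the article; the profile fields, the rule table, and the cipher details on the constructed profiles are my own assumptions.

```python
# Added example: checks WLAN profiles against the article's 6GHz rules.
# Profile fields ("akm", "pmf", "ciphers", "bands") are assumed names.

# Key management that the 6GHz band accepts (WPA3 family only).
ALLOWED_6GHZ_AKM = {"SAE", "OWE", "WPA3-EAP", "WPA3-EAP-192"}
# Legacy methods and what the article says replaces them.
REPLACEMENT = {
    "OPEN": "use OWE",
    "WEBAUTH": "use OWE",
    "WPA2-PSK": "use SAE",
    "WPA2-EAP": "use WPA3 Enterprise (802.1X with PMF)",
}
BANNED_CIPHERS = {"TKIP", "WEP"}


def check_6ghz(profile):
    """Return the reasons a profile cannot be broadcast on 6GHz.

    An empty list means the profile already meets the 6GHz requirements.
    """
    problems = []
    akms = set(profile.get("akm", []))
    legacy = akms - ALLOWED_6GHZ_AKM
    # Mixing WPA2 and WPA3 AKMs on one SSID is transition mode, which 6GHz forbids.
    if legacy and akms & ALLOWED_6GHZ_AKM:
        problems.append("WPA2/WPA3 transition mode is not permitted on 6GHz")
    for akm in sorted(legacy):
        problems.append(f"{akm} is not allowed on 6GHz: {REPLACEMENT.get(akm, 'use WPA3')}")
    # PMF optional or disabled is explicitly prohibited; it must be required.
    if profile.get("pmf") != "required":
        problems.append("PMF (802.11w) must be required, not optional/disabled")
    for cipher in sorted(set(profile.get("ciphers", [])) & BANNED_CIPHERS):
        problems.append(f"cipher {cipher} is prohibited")
    return problems


def audit(profiles):
    """Map each SSID/profile name to its list of 6GHz blockers (empty = eligible)."""
    return {p["name"]: check_6ghz(p) for p in profiles}


# Constructed profiles modelled on the article's "new SSID" example above;
# the PMF and cipher settings are assumed, not stated in the article.
PROFILES = [
    {"name": "AOMIT", "bands": ["5GHz"], "akm": ["WPA2-EAP"], "pmf": "optional", "ciphers": ["CCMP"]},
    {"name": "AOMIT-GUEST", "bands": ["2.4GHz", "5GHz"], "akm": ["WEBAUTH"], "pmf": "disabled", "ciphers": []},
    {"name": "AOMIT-IOT", "bands": ["2.4GHz"], "akm": ["WPA2-PSK"], "pmf": "disabled", "ciphers": ["CCMP", "TKIP"]},
    {"name": "AOMITNG", "bands": ["5GHz", "6GHz"], "akm": ["WPA3-EAP"], "pmf": "required", "ciphers": ["CCMP"]},
]

if __name__ == "__main__":
    for name, blockers in audit(PROFILES).items():
        print(name, "->", "6GHz OK" if not blockers else "; ".join(blockers))
```

Only AOMITNG comes back clean; the three legacy profiles each get the concrete change the article calls for.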
Leave the existing profile untouched and add a 6GHz-specific WLAN profile. Really create a duplicate SSID? While this seems extremely odd and I was hesitant initially, this has actually proven to be my favorite migration method, but it doesn’t address the primary security concerns for the 2.4/5GHz frequency bands, as they will be left on WPA2 or open authentication for guest.
Example:
Legacy SSID: AOMIT, broadcasted on 5 GHz only. Modified now to support WPA2 Enterprise
Guest SSID: AOMIT-GUEST, supporting webauth in 2.4/5 GHz
IoT: AOMIT-IOT, with WPA2-PSK, for restricted sensor/camera devices in 2.4 GHz
Add a Wi-Fi 6 specific WLAN profile: the same SSID, AOMIT, with a different profile name, AOMITNG, broadcasted on 6GHz, using WPA3 with 802.1x authentication and PMF
Drawbacks:
Potential client issues with the same SSID having different security settings.
No roaming support across different WLANs.
Legacy bands remain on lower security protocols.
Positives:
No new SSIDs for clients to manage.
Clients can fallback to 2.4GHz/5GHz if needed.
Avoids interoperability issues with transition mode.
Client Device Requirement Features:
The device has a WiFi-6E Radio
Each migration option comes with its own set of benefits and drawbacks, and the best choice depends on your organization’s and end users' willingness to adapt to change. Implementing this migration is not a quick process and can lead to significant issues if not properly planned and communicated to staff. For more compatibility information, refer to this Juniper Mist article that digs into client compatibility.