Opportunistic Wireless Encryption (OWE) will hopefully start entering the market to help secure open wireless networks. We’re getting a glimpse of it through Aruba Networks and Cisco.
With the C9800-CL and C9115 AP, I was able to get basic configuration done to enable OWE Transition Mode.
OWE Transition Mode is meant to provide a sort of backwards compatibility. A transition to OWE networks.
The way OWE Transition Mode works is by utilizing two SSIDs. One is an open SSID. No security parameters at all. The second SSID is hidden, has Protected Management Frames (PMF) required and has OWE enabled under WPA parameters.
Why do you need two SSIDs for OWE Transition Mode? Because there will be devices that do not support OWE yet. In this case, the non-OWE compatible device associates with the open SSID. If an OWE-compatible device associates to the open SSID, it will be told to associate to the OWE hidden SSID.
How do we spot this within the frames?
With a frame capture, we’re looking for Beacon frames to indicate if the WLAN supports OWE.
You can use a filter to find all Beacon frames:
wlan.fc.type_subtype == 8
A WLAN support OWE Transition Mode will simply be an open SSID containing no RSN Information Element. What you should be able to find is a Wi-Fi Alliance: OWE Transition Mode Information Element.
There are a few details to go over here. For one, you see that it is a vendor specific tag that says OWE Transition Mode.
More importantly, there is a BSSID and SSID listed. If you look near the top of the image above, we’re looking at a Beacon frame for SSID McFurly-OWETM.
Within the OWE Transition Mode information element, the actual OWE SSID is identified. In this case it is McFurly-OWE. That is the hidden ssid. That piece is how we transition an OWE-compatible device to the OWE only SSID.
The Beacon of OWE
Next, we look within the Beacon frame of the hidden SSID. To secure this open SSID it will be configured with WPA parameters using AES and Opportunistic Wireless Encryption (OWE). It will also contain the OWE information element as well.
The image above is the Beacon of the hidden SSID supporting OWE. Notice the SSID parameter is.. hidden. We’ll get into how we know this is the Beacon frame we’re looking for.
We see there is an RSN information element with an AES cipher and an AKM of Opportunistic Wireless Encryption (OWE). Well, there you go. That’s clearly the SSID we’re looking for.
Looking further below, there is an OWE Transition Mode information element. The difference with this entry is the BSSID and SSID. It is referencing the open SSID.
And again, an OWE compatible device will be told to associate to this hidden SSID, named McFurly-OWE. A non-OWE compatible device will simply associate to the open SSID, McFurly-OWETM.
Great Explanation Rowell. What are the configurations that we need to do in hostapd.conf to enable transition mode OWE
When I configure OWE it demands a SSID-name for the OWE wlan. Which mean I have both SSIDs (owe and open) visible on the client.
Both types of clients can select both SSIDs. But the not-capable client fails if it select the OWE wlan
How do you configure to let the OWE wlan be a hidden SSID on 9800?