Datto Networking Manager: Wireless encryption methods

Topic

This article discusses the wireless encryption methods used by Datto Networking Appliances.

Environment

  • Datto Networking Appliances

Description

When deploying a new wireless network or troubleshooting device connectivity problems, it is important to understand the encryption modes available to you in Network Manager. The encryption option affects not only the security of the network but also the compatibility of client devices. Outlined below are the WPA Enterprise encryption modes available in Network Manager.

WPA Enterprise Encryption Modes

WPA2/WPA Mixed Encryption

The weakest level of encryption strength available in Network Manager. This configuration includes first-generation WPA encryption support. This level of encryption is considered weak and is not recommended. Only use this mode if you have clients that do not support stronger encryption (WPA2 or WPA3).

WPA2 Only Encryption

The baseline encryption strength available in Network Manager. This configuration works with almost all modern WiFi-enabled devices. This level of encryption provides more robust protection than WPA-Personal authentication while preserving compatibility with many devices.

WPA3/WPA2 Mixed Encryption

The second strongest level of encryption available in Network Manager. This encryption type allows for stronger encryption methods and supports Management Frame Protection (MFP). With MFP, all management frames exchanged between a client device and the Access Point (AP) are protected, which prevents malicious actors from de-authenticating devices from your network. Whether a client device connects with MFP is at the discretion of the client device. WPA3/WPA2 Mixed encryption is a good option if your networks have a mix of devices with varying levels of WPA3 support. This encryption mode provides some of the features of WPA3 Only without providing WPA3 Suite-B 192-bit encryption.

WPA3 Only Encryption

The strongest level of encryption available in Network Manager. This encryption type uses the most powerful encryption defined in the WiFi specification, WPA3 Suite-B 192-bit encryption. This level of protection is required for military wireless networks, government wireless networks, and banks. WPA3 Only Encryption also requires that devices use MFP.

MFP Availability with Different Encryption Settings

Encryption Mode     MFP Available   MFP Required
WPA2/WPA Mixed      No              No
WPA2 Only           No              No
WPA2/3 Mixed        Yes             No
WPA3 Only           Yes             Yes

Interoperability Issues with Different Encryption Modes

WPA3 Only is not compatible with WPA3/WPA2 Mixed SSIDs.

WPA3 Only uses the strongest level of encryption available in Network Manager, WPA3 Enterprise Suite-B 192-bit encryption. This security mode is not compatible with WPA3/WPA2 mixed SSIDs by design. The Wi-Fi Alliance WPA3 specification requires that this encryption method not be backward compatible with WPA3/WPA2 mixed networks, in order to prevent security-level downgrade attacks.

Known issue with WPA3 Enterprise on Microsoft Windows

Windows 10 and 11 require device administrators to configure WPA3 Only Enterprise networks explicitly. To do so, an administrator must select “WPA3-Enterprise 192-bit mode” as the security type. If the network name matches an SSID that is set up with WPA3/WPA2 mixed encryption, the client device will be unable to connect to that SSID. If the administrator does not explicitly configure the device, the client device should be able to connect to the SSID.
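The MFP table and the interoperability rules above can be checked before a rollout by modelling them. The following is an added example written for this article, not Datto Network Manager code; the client fields (supported types, MFP capability, an administrator-pinned "explicit" type such as the Windows 192-bit profile, modelled here as "WPA3-192") and the sample fleet are assumptions.

```python
# Added example modelling the Network Manager mode rules above (not Datto code).
# SSID mode -> (client security types accepted, MFP available, MFP required)
SSID_MODES = {
    "WPA2/WPA Mixed":  ({"WPA", "WPA2"}, False, False),
    "WPA2 Only":       ({"WPA2"}, False, False),
    "WPA3/WPA2 Mixed": ({"WPA2", "WPA3"}, True, False),
    # WPA3 Only is Suite-B 192-bit and, by design, accepts nothing weaker.
    "WPA3 Only":       ({"WPA3-192"}, True, True),
}
# Strongest first; used when a client auto-negotiates rather than pinning a type.
STRENGTH = ["WPA3-192", "WPA3", "WPA2", "WPA"]

def check_client(ssid_mode, supports, mfp_capable, explicit=None):
    """Return (status, security_type, mfp_used, reason) for one client/SSID pair.
    'explicit' is a type pinned by an administrator, e.g. the Windows
    "WPA3-Enterprise 192-bit mode" profile (assumed name "WPA3-192"); None = auto."""
    accepted, mfp_available, mfp_required = SSID_MODES[ssid_mode]
    if explicit is not None:
        if explicit not in accepted:
            return ("FAIL", None, False,
                    f"profile pinned to {explicit}; {ssid_mode} SSID does not accept it")
        chosen = explicit
    else:
        usable = [t for t in STRENGTH if t in accepted and t in supports]
        if not usable:
            return ("FAIL", None, False, f"client supports none of {sorted(accepted)}")
        chosen = usable[0]
    if mfp_required and not mfp_capable:
        return ("FAIL", chosen, False, f"{ssid_mode} requires MFP; client cannot use it")
    # MFP is used only where the SSID offers it and the client opts in.
    return ("OK", chosen, mfp_available and mfp_capable, "associates")

def audit(ssids, clients):
    """List every failing (client, ssid, reason) so mismatches surface before rollout."""
    issues = []
    for ssid in ssids:
        for c in clients:
            status, _, _, reason = check_client(ssid, c["supports"], c["mfp"], c.get("explicit"))
            if status == "FAIL":
                issues.append((c["name"], ssid, reason))
    return issues

# Constructed sample fleet: a Windows laptop pinned to 192-bit mode, the same laptop on auto, a legacy scanner without MFP.
CLIENTS = [
    {"name": "win11-pinned", "supports": {"WPA2", "WPA3", "WPA3-192"}, "mfp": True, "explicit": "WPA3-192"},
    {"name": "win11-auto", "supports": {"WPA2", "WPA3", "WPA3-192"}, "mfp": True},
    {"name": "legacy-scanner", "supports": {"WPA", "WPA2"}, "mfp": False},
]
```

Running audit(["WPA3/WPA2 Mixed", "WPA3 Only"], CLIENTS) reports the pinned Windows profile failing against the mixed SSID and the legacy scanner failing against WPA3 Only, the two cases described in this article.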