If you have a wireless network or an SSID that is mainly used for visitors and guest accounts, one of the things you can do to increase the security of this particular type of open network is enable OWE.
OWE - what is that?
OWE stands for Opportunistic Wireless Encryption. This is a new WPA security standard for open, non-password-protected networks, and this particular technology is part of WPA3.
This network provides encryption but does not provide authentication. The option is set in the security settings of the SSID, as below:
OWE can cause issues with legacy/older laptops
If you have enabled OWE on a network that is specifically set up to be open and to allow guest or visitor devices, you may notice that not all of these devices are running the latest hardware, so they may be unable to connect to the new open SSID with OWE enabled.
Open network becomes unusable!
Consider for a moment that you have a contractor or a guest in your business, and they are running an older Apple MacBook Air M1 from 2020. For this example, let’s run with Apple laptops and phones.
The Apple devices that support OWE include:
- iPhone 12 models or later
- iPhone SE (3rd generation) or later
- iPad Pro 13-inch (M4)
- iPad Pro 12-inch (5th generation) or later
- iPad Pro 11-inch (3rd generation) or later
- iPad Air (4th generation) or later
- iPad mini (6th generation) or later
- All Mac models with the M3 series chip
- All Mac models with the M2 series chip
- Mac models with the M1 series chip:
  - Mac Studio (2022)
  - MacBook Pro (14-inch, 2021)
  - MacBook Pro (16-inch, 2021)
However, these devices do not support OWE, although they do support 802.11ax and iOS 16, iPadOS 16.1, or macOS 13:
- iPhone 11
- iPhone SE 2nd generation
- iPad Pro 12.9 inch 4th generation
- iPad Pro 11 inch 2nd generation
- M1 MacBook Air
This means our poor MacBook Air M1 is completely out of luck: it will simply get an error saying that it is unable to connect to this network, regardless of the version of macOS or iOS.
What are the options for legacy/older devices?
Well, if the hardware does not support OWE, then the only option you have is to use another SSID instead of the dedicated guest access.
You have successfully secured your open network for guests/visitors, but now any devices that do not support OWE are unable to connect, which sounds a little counterproductive to me. Usually the response “You need a newer device” is not very practical in the moment.
Hold the party poppers before breaking out the security champagne……
Access still required!
You still have a contractor or guest that has an older laptop that still needs to access the Wi-Fi?
This leaves you only one other option with OWE enabled: to put that designated guest/visitor on another SSID that gives them more access than a visitor.
Usually you have more than one SSID, especially when it comes to organizations, and there is also quite a high chance that you have the good old PSK (pre-shared key) network that you can just pop that visitor's laptop on.
OWE: Maybe disable it, and think about it!
As with many things linked to security, OWE seems to offer you a great leap forward for your open SSID. However, you failed to factor in that many people will not have cutting-edge devices, so you have essentially stopped them connecting to that designated open network.
With OWE still enabled and access being prevented, you will make another questionable decision about allowing that guest/visitor onto your more secure, internal Wi-Fi.
This means enabling OWE without thinking of the consequences has then caused another bad security decision: allowing that guest/visitor on a private SSID that more sensitive devices are using.
Checking for OWE support
Rather than going down the rabbit hole trying to figure out why they can’t connect to your Wi-Fi, you can simply issue the commands below on the various platforms to see if the device supports OWE.
Regardless of what is updated in the software, the hardware needs to support this feature for a successful connection.
If the hardware does not support OWE and it’s enabled on your open visitor/guest network, you need to find another network for that older legacy laptop to connect to, simples.
Check OWE support for Windows: netsh wlan show wirelesscapabilities
Check OWE support for Linux: iw phy | grep -i owe
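An added example, not from the original post: a Python helper that runs whichever of the two commands above fits the local OS and interprets the output. A bare case-insensitive search for "owe" also matches "power" and a "Not Supported" line, so the helper matches OWE as a token of its own and skips negated lines. The sample outputs are constructed, and the wording of their OWE lines is an assumption.

```python
import platform
import re
import subprocess

# The two commands given above, keyed by platform.system().
COMMANDS = {
    "Windows": ["netsh", "wlan", "show", "wirelesscapabilities"],
    "Linux": ["iw", "phy"],
}

# OWE as a token of its own: "power" and "lower" contain "owe", so a plain
# case-insensitive substring search reports support that is not there.
OWE_TOKEN = re.compile(r"(?<![A-Za-z])OWE(?![A-Za-z])", re.IGNORECASE)
NEGATED = re.compile(r"\b(?:not|un)\s*supported\b", re.IGNORECASE)


def owe_supported(capability_text):
    """True if any line names OWE without marking it as not supported."""
    for line in capability_text.splitlines():
        if OWE_TOKEN.search(line) and not NEGATED.search(line):
            return True
    return False


def check_this_device():
    """Run the command for the local OS and interpret its output."""
    cmd = COMMANDS.get(platform.system())
    if cmd is None:
        raise RuntimeError("no OWE check command listed for this platform")
    done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return owe_supported(done.stdout)


# Constructed samples, not captured output. The shape of the lines naming
# OWE is an assumption; real drivers and OS builds may word them differently.
WINDOWS_WITHOUT_OWE = (
    "Interface name: Wi-Fi\n"
    "    WPA3 SAE Authentication        : Supported\n"
    "    OWE Authentication             : Not Supported\n"
)
LINUX_WITHOUT_OWE = (
    "Wiphy phy0\n"
    "\tDevice supports per-vif TX power setting\n"
    "\tSupported Ciphers:\n"
    "\t\t* CCMP-128 (00-0f-ac:4)\n"
)
LINUX_WITH_OWE = LINUX_WITHOUT_OWE + "\tOWE: supported\n"

if __name__ == "__main__":
    for name in ("WINDOWS_WITHOUT_OWE", "LINUX_WITHOUT_OWE", "LINUX_WITH_OWE"):
        print(name, owe_supported(globals()[name]))
```

A device that returns False here needs a different SSID no matter which OS version it runs, so run the check before spending time on driver or profile troubleshooting.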