Practical Considerations for Deploying Wi-Fi 6E

This guide provides suggestions on how to adopt and deploy Wi-Fi 6E (6 GHz Wi-Fi).

Cliff Notes

Read this section if you want just the tips; read the rest of the document if you want the full context:

  • WPA3 or OWE required for 6 GHz
    • For many customers, simply enabling WPA3 on your existing Enterprise/802.1X WLAN to enable 6 GHz is low risk. Using transition mode is the safest option.
    • For personal/PSK WLANs with modern devices, WPA3-Personal is safe. If you have older devices, you may have interoperability issues, and a separate legacy/IoT SSID may suit you best.
    • For Open/Guest networks, device support for OWE is recent, so you will most likely need to use OWE Transition or not offer your open SSID on 6 GHz.
    • You can also use 6 GHz as an opportunity to reimagine your SSIDs, their functions, and which bands they are assigned to.
  • From a design perspective, 6 GHz requires slightly higher AP density than 5 GHz

SSIDs/Security

First and foremost, WPA3 or OWE is mandatory in 6 GHz, so for many customers adopting 6 GHz also means adopting WPA3.  This isn’t as daunting as it may seem, but there is some nuance to consider.  You should understand the devices on your network, and their driver versions, as well as you can.  In some environments, especially those with a large bring-your-own-device population, this may not be entirely feasible.  You should also think about your existing SSIDs and consider using Wi-Fi 6E as an opportunity to reimagine them.  There’s no right or wrong way to do your SSIDs; ultimately it will come down to what fits your organization.

Please note within Mist, the 6 GHz band needs to be explicitly enabled on each WLAN.  It is not enabled on existing WLANs, and not yet enabled by default on new WLANs.

When adopting WPA3, there is some nuance between WPA3-Enterprise, WPA3-Personal, and OWE.

  • WPA3-Enterprise is very similar to WPA2-Enterprise under-the-hood, so it turns out to be low risk in many instances to adopt WPA3-Enterprise.
  • WPA3-Personal has excellent device support, but you could run into older devices that don’t like seeing the WPA3-Personal AKM on transition or non-transition SSIDs. There are also downgrade protections built in, which prevent roaming back down to WPA2 and can come into play in mixed environments.  In 6 GHz, H2E is also mandatory to mitigate some of the early vulnerabilities found with WPA3-Personal.
  • OWE has the most recent device support. Apple (MacOS and iOS) was the last of the major device manufacturers to add OWE support, starting in iOS 16, iPadOS 16.1, and macOS 13.  It is most common to deploy OWE Transition for maximum compatibility.

SSID Strategies

With the WPA3 and OWE requirements of 6 GHz, adopting 6 GHz could serve as a good opportunity to re-evaluate your SSID strategies.  There are many options, and ultimately it will come down to what is best for your organization based on constraints such as your client mix.

Options include:

    1. Do nothing, and do not enable 6 GHz on your new 6 GHz APs (yet)
      • Pro: Postpones making changes
      • Con: You aren’t leveraging the full potential of the APs you just bought.
    2. Spin up 6 GHz only SSIDs
      • Pro: Mitigates potential risk of changing existing SSIDs.
      • Con: Users need to “learn” a new SSID.  Need to have 6 GHz clients
    3. Band specific SSIDs
      • Say 2.4 and 5+6 or 2.4+5 and 5+6
      • This could be corporate on 5+6 GHz and IoT/Guest on 2.4+5 GHz
      • Pro: “Right sizing” of your SSIDs
      • Con: Requires thought and changing from the norm.
    4. Bite the bullet and move to WPA3
      • Pro: “Rip off the bandaid approach”
      • Con: Potentially most disruption
    5. Turn on transition mode for your existing SSIDs
      • Pro: Generally low risk approach to enabling WPA3
      • Con: You are enabling transition modes, which at some point you will want to migrate off of, just like we have moved away from WPA.
    6. Mist does not recommend different security by band with the same SSID name (for example, WPA2 on 5 GHz and WPA3 on 6 GHz) due to potential roaming incompatibilities outlined below.
    7. For higher education customers, or customers who use eduroam, eduroam has provided guidance on 6E here
    8. Please note: Mist does not support MPSK on WPA3 at this time.  This remains an area of exploration.

Regarding Transition Modes

Transition modes can help ease adoption of WPA3 and OWE.  In effect, they delay the migration to WPA3 by still offering the existing security types.

      • WPA3-Enterprise is mostly WPA2-Enterprise + Protected Management Frames (PMF). When you enable WPA3-Enterprise Transition, the same AKM (5) is used, but PMF is changed from mandatory, as it is with WPA3-Enterprise, to capable.  Legacy AKM 1 is also dropped with WPA3.  Device support of PMF is good.  Feedback thus far from our customers has been good around enabling both WPA3-Enterprise and WPA3-Enterprise Transition.  This will obviously vary based on the devices and device drivers in your network.
      • Comparison between WPA3-Enterprise and WPA3-Enterprise Transition
      • For WPA3-Personal Transition, both the PSK and SAE AKMs are advertised. We have seen some older devices, such as devices running Android 9 and older and older Microsoft Surface devices with Marvell chipsets, refuse to connect to WPA3-Personal Transition networks.  So it’s important to understand your device mix, and you may want to consider a legacy or IoT SSID with WPA2 on 2.4 and/or 5 GHz to support your older devices.
      • For OWE Transition: because device support is recent, for guest use cases you will realistically need to deploy OWE Transition if you would like to enable your “open” network on 6 GHz. The other option is to simply keep the open network on 2.4 and/or 5 GHz.  OWE Transition actually creates a second, hidden SSID.  The open network continues to broadcast, and a new information element is added to its beacon to indicate the presence of an OWE SSID, which is broadcast as hidden.  Here is what the IE looks like.  In Mist, when you configure OWE Transition, we automatically create the hidden OWE SSID, and append -OWE to the end of the SSID name.
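
An added example, not Mist code: decoding the OWE Transition Mode element described in the last bullet from a captured beacon's tagged parameters, so you can confirm that an open SSID points at the hidden BSS you expect. The beacon bytes, the BSSID and the SSID name Guest are constructed; the element layout (vendor-specific element 221, Wi-Fi Alliance OUI 50:6F:9A, type 0x1C) comes from the Wi-Fi Alliance OWE specification rather than from this page.

```python
WFA_OUI = bytes.fromhex("506f9a")    # Wi-Fi Alliance OUI
OWE_TRANSITION_TYPE = 0x1C           # OUI type of the OWE Transition Mode element

def iter_elements(tagged: bytes):
    """Yield (element_id, body) for each tagged parameter of a beacon."""
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged):
            raise ValueError("truncated element header")
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"element {eid} truncated")
        yield eid, body
        pos += 2 + length

def owe_transition_info(tagged: bytes):
    """Return BSSID and SSID of the companion BSS, or None if none is advertised."""
    header = WFA_OUI + bytes([OWE_TRANSITION_TYPE])
    for eid, body in iter_elements(tagged):
        if eid != 221 or body[:4] != header:
            continue
        if len(body) < 11:               # OUI+type (4) + BSSID (6) + SSID length (1)
            raise ValueError("OWE Transition element too short")
        ssid = body[11 : 11 + body[10]]
        if len(ssid) != body[10] or len(ssid) > 32:
            raise ValueError("bad SSID length in OWE Transition element")
        return {"bssid": body[4:10].hex(":"), "ssid": ssid.decode("utf-8", "replace")}
    return None

def follows_mist_naming(open_ssid: str, info) -> bool:
    """True when the hidden SSID is the open SSID with -OWE appended, as described above."""
    return info is not None and info["ssid"] == open_ssid + "-OWE"

def element(eid: int, body: bytes) -> bytes:
    """Build one tagged parameter (used only for the constructed sample)."""
    return bytes([eid, len(body)]) + body

# Constructed sample: tagged parameters of an open "Guest" beacon in OWE Transition.
SAMPLE_BEACON = element(0, b"Guest") + element(
    221, WFA_OUI + bytes([OWE_TRANSITION_TYPE])
    + bytes.fromhex("020000000001") + bytes([9]) + b"Guest-OWE")

if __name__ == "__main__":
    info = owe_transition_info(SAMPLE_BEACON)
    print(info, follows_mist_naming("Guest", info))
```
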

A Note on Mist’s Implementation of Transition Mode with 6 GHz

Mist allows you to configure WPA3/OWE Transition modes on multiband SSIDs that include 6 GHz, in order to allow for easier adoption of Transition mode SSIDs.  Behind the scenes we follow the rules: we configure the transition mode on 2.4/5 GHz and the non-transition mode on 6 GHz.  This eliminates the need to create two separate SSIDs, which would break fast roaming if enabled and would display as two SSIDs with potentially the same name in the UI.
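
An added example (not Mist code) of the AKM and PMF distinctions described above: it parses the RSN element from a beacon, names the security mode using the AKM suite types this guide cites, and checks whether that mode may be advertised on 6 GHz. The sample elements are constructed; AKM types 2, 6, 8 and 18 (PSK, PSK-SHA256, SAE, OWE) and the PMF bit positions come from IEEE 802.11 rather than from this page.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
MFPR, MFPC = 0x0040, 0x0080          # RSN capability bits: PMF required / PMF capable
SIX_GHZ_OK = {"WPA3-Enterprise", "WPA3-Personal", "OWE"}   # non-transition modes only

def parse_rsne(body: bytes):
    """Return (set of AKM suite types, mfpc, mfpr) from an RSN element body (ID 48)."""
    try:
        (version,) = struct.unpack_from("<H", body, 0)
        pos = 2 + 4                                   # version + group cipher suite
        (n_pairwise,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * n_pairwise                     # skip the pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, pos)
        pos += 2
        suites = [body[pos + 4 * i : pos + 4 * i + 4] for i in range(n_akm)]
        pos += 4 * n_akm
        (caps,) = struct.unpack_from("<H", body, pos)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    if version != 1:
        raise ValueError("unsupported RSN version")
    akms = {s[3] for s in suites if s[:3] == IEEE_OUI}
    return akms, bool(caps & MFPC), bool(caps & MFPR)

def classify(akms, mfpr):
    """Map advertised AKMs and the PMF-required bit to the modes named in this guide."""
    if akms == {18}:
        return "OWE"
    if 8 in akms:                                     # SAE, alone or alongside PSK
        return "WPA3-Personal Transition" if akms & {2, 6} else "WPA3-Personal"
    if 5 in akms:                                     # 802.1X with SHA-256
        return "WPA3-Enterprise" if mfpr and 1 not in akms else "WPA3-Enterprise Transition"
    if 1 in akms:
        return "WPA2-Enterprise"
    return "WPA2-Personal" if akms & {2, 6} else "unknown"

def allowed_on_6ghz(body: bytes) -> bool:
    """6 GHz accepts only non-transition WPA3/OWE with PMF required."""
    akms, _mfpc, mfpr = parse_rsne(body)
    return mfpr and classify(akms, mfpr) in SIX_GHZ_OK

def build_rsne(akm_types, caps):
    """Constructed sample data: an RSN element body using CCMP ciphers."""
    ccmp = IEEE_OUI + b"\x04"
    akm_list = b"".join(IEEE_OUI + bytes([t]) for t in akm_types)
    return (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
            + struct.pack("<H", len(akm_types)) + akm_list + struct.pack("<H", caps))
```
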

Roaming between security types

In mixed environments, it’s good to understand device behavior when roaming between different security types.  Here is what we have observed in our testing:

| BSS1 | BSS2 | Result |
|---|---|---|
| Open | OWE | Fail |
| OWE Transition | OWE | Fail |
| WPA2 Personal | WPA3 Personal | Fail |
| WPA3 Personal Transition | WPA3 Personal | Works if the client is connected via WPA3 on BSS1 |
| WPA2 Enterprise | WPA3 Enterprise | Works both ways |
| WPA3 Enterprise Transition | WPA3 Enterprise | Works both ways |

Client Device Support of OWE and WPA3

Android

  • WPA3: Version 10 and above
  • OWE: Version 10 and above

Apple

  • WPA3 (iPhone 6, 2013+ MacBook (802.11ac), iPad 5)
    • iOS 13 and above
    • MacOS Catalina and above
  • OWE (iPhone SE, iPhone 12, iPad mini 6th gen, iPad Air 4th gen, iPad Pro 11 3rd gen, iPad Pro 12 5th gen, Apple Silicon Macs)

Windows

  • WPA3
    • WPA3 Enterprise – Windows 10 (2004)
      • For Intel NICs: 9260 or newer and driver 21.90.3.X or later
    • WPA3 Personal – Windows 10 (1903)
      • For Intel NICs: 9260 or newer and driver 21.10.X or later
      • H2E supported on Windows 10 21H2 or Windows 11
        • W10 Intel Driver = 22.70.x or later, W11 Intel Driver = 22.100.x or later
  • OWE
    • Windows 10 (2004)
      • For Intel NICs: 9260 or newer and driver 21.90.3.X or later

ChromeOS

  • WPA3: Support added in 2020
  • OWE: Not Supported

Client Provisioning Considerations

In larger environments, it’s often necessary to rely upon provisioning tools such as MDM, group policy, or other tools which can push configuration profiles to devices.  In these tools you are able to pre-configure SSIDs, install certificates, etc.  One consideration is that you need to define the security type in the SSID profiles.

      • For Enterprise security networks, you can define WPA2-Enterprise as the security type. This will generally allow the device to connect to WPA3-Enterprise networks as well, if the device supports it. Whereas if you configure a higher security type and the device does not support it, the profile may fail to install.
      • Screenshot of security options from Apple Configurator 

RF Design

Let’s shift to design considerations.

From a free space path loss (FSPL) perspective, 5 GHz and 6 GHz have a 1-2 dB difference depending on which frequencies you are comparing.  Where you will see a difference is that 5 GHz and 6 GHz may attenuate differently through different material types.  There may also be differences in maximum AP Tx power, especially with Low Power Indoor (LPI) mode.  However, from our testing, the biggest difference between 5 GHz and 6 GHz from a design perspective is driven by reduced 6 GHz client Tx power.

Our general guidance is 6 GHz will require slightly higher AP density than 5 GHz.  We recommend a proper RF design for 6 GHz.  However in some environments this may not be feasible.  So this is where knowing your environment is useful.  If you already have capacity based 5 GHz designs, you may not need to change much from a density perspective.  Based on your wall materials, you may find it necessary to add an AP specifically into a conference room where you previously did not have one for 5 GHz.

Indeed, if you look in the popular planning tools out there, you will find similar coverage between 5 GHz and 6 GHz.

Impact of uplink

But this only illustrates downstream coverage. In the upstream direction, clients are Tx power limited depending on the regulatory domain.  In the US clients are limited to -1 dBm / MHz.  In real-world tests, we see between 3-10 dB of difference between 5 GHz and 6 GHz.

RRM/Power/Channel Bandwidths

Preferred Scan Channels (PSCs)

Out of the box, Mist defaults to 80 MHz in 6 GHz.  80 MHz is recommended because it allows for a higher maximum EIRP and it lines up with Preferred Scan Channels (PSCs), which clients have an easier time discovering.  After testing the major client operating systems, we have found that the use of non-PSCs as the primary channel is generally OK.  Previously we recommended using PSCs only because we didn’t have a full picture of the client ecosystem.  In environments where you may want to utilize 20 or 40 MHz channel bandwidth, such as Europe with only 500 MHz of spectrum, or high-density environments, it would be useful to utilize non-PSCs.  Our testing has shown that Windows, Android, iOS, and MacOS clients connect to APs utilizing non-PSCs by leveraging out-of-band discovery mechanisms such as reduced neighbor reports or 802.11k neighbor reports.  In environments where you may need narrow channels, it may be useful to view the 6 GHz spectrum as an extension of the 5 GHz spectrum.  Thus your SSID should be configured to utilize both the 5 and 6 GHz bands.  This provides the added benefit that if there is ever a 6 GHz discovery issue, clients can fall back to the 5 GHz band.

Mist RRM will use PSCs unless configured not to.  When Automatic is selected for channels, PSCs will be used as the primary channel.  When Set allowable channels is selected, whichever channels are selected will be used as primary channels.

From a transmit power perspective (minimum power and maximum power), for most environments you can keep the 6 GHz minimum power the same as 5 GHz.  For maximum power, you generally do not need to restrict the maximum 6 GHz power.

PoE Requirements

For PoE, Mist Wi-Fi 6E APs need at least 802.3at power.  802.3bt is generally recommended.  The AP45 requires 802.3bt power for full functionality.  The AP34 has full Wi-Fi functionality on 802.3at power.

      • The AP45 on 802.3at has dynamic functionality based on what is configured
        • The AP will do 4×4 on any two data radios, or 2×2 on 2.4 GHz, 4×4 on 5 GHz, and 2×2 on 6 GHz with three data radios enabled. For example:
          • If your WLAN configuration only has two bands configured, the AP will operate as 4×4 on both of the data radios.
          • If WLAN configuration has three bands configured, which means all three data radios are active, then the AP will operate as 2×2 on 2.4 GHz, 4×4 on 5 GHz, and 2×2 on 6 GHz
          • Note: If Dual 5 GHz is enabled, that also means all three data radios are active and the AP will operate the same as the previous scenario (2×2+4×4+2×2).
        • The dedicated scan radio and BLE are always active regardless of power.
      • The AP34 has full Wi-Fi functionality on 802.3at power

mGig

For Wi-Fi 6E APs, does 1 GbE versus multigigabit matter?  The answer is it depends.  With Wi-Fi 6E, there are real-world situations where you could see more than a gig per second on a single AP.

Generally you need at least 100 MHz of spectrum to exceed 1 Gbps of throughput.  With triband APs that have three data radios, you realistically could have 120-140 MHz of spectrum used by an AP: for example, 20 MHz on 2.4 GHz, 20/40 MHz on 5 GHz, and 80 MHz on 6 GHz.  In such cases it would be feasible to achieve greater than 1 Gbps.  Granted, this could be burst traffic and is not necessarily sustained.