Apple Devices showing Hidden OWE SSID Name after 17.4.1 update
TL;DR: Apple devices are now displaying the name of the hidden OWE SSID, when it is supposed to be hidden and not visible to users. This is not per WiFi Alliance spec and is causing confusion for users and network admins. This started shortly after 17.4.1 was released.
I have several customers who run Cisco wireless APs and controllers. No changes to either of these wireless systems in the past 6 months.
For guest SSIDs in these environments, a standard open SSID is created "Guest", and it is marked as an OWE Transition SSID that points to the WPA3-OWE secured SSID that is hidden, and has the name "Guest_OWE".
A WPA3-OWE SSID is created and is hidden, and is marked OWE Transition SSID for the open "Guest" SSID. This is a guide on how to do such for Cisco wireless environments, and has worked well for the past 10-12 months across our customers. This section of the guide clearly articulates how this is supposed to work, and it has worked on all devices, Apple included, well up until a few months ago.
This requires configuration of two SSIDs - one hidden SSID to support OWE and a second SSID that is Open and is broadcasted.
The Opportunistic Wireless Encryption (OWE) transition mode enables OWE and non-OWE STAs to connect to the same SSID simultaneously. When all the OWE STAs see an SSID in OWE transition mode, they connect with the OWE.
Windows and Android clients will associate to "Guest" SSID, but will be actually connected to the Guest_OWE SSID and using WPA3-OWE encryption over the air. This process is hidden to the user, and the user's device only tells them that they are connected to "Guest" and may indicate that it is secured. Windows 10 calls this "Open - Enhanced" and Android called it "Open - Secured".
This process is defined under WiFi Alliance's OWE Spec v1.1, section 2.2.1, part 6:
- An OWE STA shall only display to the user in the list of available networks the SSID of the Open BSS of an OWE AP operating in OWE Transition Mode, and shall suppress the display of the OWE BSS SSID of that OWE AP. An OWE STA shall only associate with the OWE BSS of an OWE AP in OWE Transition Mode and shall associate using the procedure defined in [2].
However, shortly after the iOS/iPadOS 17.4.1 release 2 months ago, we are seeing devices that when we specify them to connect to "Guest", they do indeed connect to Guest for a moment, then immediately show they are connected to "Guest_OWE". This was not happening before, and this is not per the OWE spec. The client STA should not see the name of the SSID, and this is causing confusion for users and concerns for those who think an SSID is now being spoofed in the environment.
Is anyone else having issues like this? It is only limited to Apple devices at this moment, and it has only become an issue in the past 6-8 weeks for a few of my customers.
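For admins who need to tell a user whether the "Guest_OWE" name on their device is the configured transition target or an unrelated BSS, this added example (not part of the original post and not Cisco or Apple code) parses the OWE Transition Mode element from two captured beacons and checks that they point at each other. The element layout used (vendor-specific element 221, OUI 50:6F:9A, OUI type 0x1C, then BSSID, SSID length, SSID) is the Wi-Fi Alliance one; the BSSIDs and beacon bytes are constructed, and the function names are hypothetical.

```python
OWE_TM = bytes.fromhex("506f9a1c")  # Wi-Fi Alliance OUI 50:6F:9A + OUI type 0x1C

def parse_ies(buf):
    """Yield (element_id, body) for each tagged element in a beacon body."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + length]
        if len(body) < length:  # truncated element: stop parsing
            return
        yield eid, body
        i += 2 + length

def describe_bss(bssid, ies):
    """Summarise one beacon: its SSID and the BSS its OWE Transition Mode element names."""
    info = {"bssid": bssid.lower(), "ssid": "", "peer": None}
    for eid, body in parse_ies(ies):
        if eid == 0:  # SSID element; a hidden SSID is empty or NUL-filled
            info["ssid"] = body.replace(b"\x00", b"").decode("utf-8", "replace")
        elif eid == 221 and body[:4] == OWE_TM and len(body) >= 11:
            n = body[10]  # SSID length follows the 6-byte BSSID
            if len(body) >= 11 + n:
                peer_bssid = ":".join(f"{b:02x}" for b in body[4:10])
                info["peer"] = (peer_bssid, body[11:11 + n].decode("utf-8", "replace"))
    return info

def is_transition_pair(open_bss, owe_bss):
    """True when the two beacons point at each other as one OWE transition pair."""
    return (open_bss["peer"] is not None and owe_bss["peer"] is not None
            and open_bss["peer"][0] == owe_bss["bssid"]
            and owe_bss["peer"] == (open_bss["bssid"], open_bss["ssid"]))

# --- constructed sample beacons (BSSIDs are made up; SSID names are the post's) ---
def ie(eid, body):
    return bytes([eid, len(body)]) + body

def owe_tm(bssid, ssid):
    raw = bytes.fromhex(bssid.replace(":", ""))
    return ie(221, OWE_TM + raw + bytes([len(ssid)]) + ssid.encode())

OPEN = describe_bss("02:00:00:00:00:01",
                    ie(0, b"Guest") + ie(1, b"\x82\x84") + owe_tm("02:00:00:00:00:02", "Guest_OWE"))
OWE = describe_bss("02:00:00:00:00:02", ie(0, b"") + owe_tm("02:00:00:00:00:01", "Guest"))
UNRELATED = describe_bss("02:00:00:00:00:99", ie(0, b"Guest_OWE"))  # same name, no element

if __name__ == "__main__":
    print("configured pair:", is_transition_pair(OPEN, OWE), "->", OPEN["peer"])
    print("unrelated BSS:  ", is_transition_pair(OPEN, UNRELATED))
```

These elements travel in unprotected beacons, so a match shows the displayed name is the transition target the open BSS advertises; it does not authenticate the sender of the frames.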