15.2 AES-256 Encryption FAQ

So, I hear Cambium are changing the encryption options on Canopy in the 15.2 release, what's going on?

In release 15.2 AES-256 support is being introduced (behind a Feature Key) and DES support is being removed. This means that Canopy equipment that is restricted to Plain Text or DES on loads earlier than 15.2 will be restricted to PT-only on 15.2 and later. PMP430 SMs will not support encryption in 15.2 and later.

How do I upgrade my network?

There are 2 approaches:

1 - Carefully does it:

  1. Make the decision of what encryption configuration you want your network to have (PT or AES) before any upgrade is attempted; and put this configuration in place. This may require both ends of a link to be rebooted, if so reboot them. This step can be done well ahead of the upgrade. NOTE: If the decision is that DES is desired (e.g. because PMP430 SMs are present), do not upgrade.
  2. If the decision is “AES-256”, acquire and apply a Feature Key to enable it for each AP in question. SMs will not require a new Feature Key to use AES-256 with an enabled AP.
  3. Ensure that the network is running and stable on this new configuration, i.e. give it some time to confirm that the network is as expected.
  4. Upgrade the network from the outside in (SMs first, then APs). The SMs will reconnect OK after their own upgrade and before the APs are upgraded.
  5. Depending on the encryption and authentication settings, each SM will reconnect using one of PT, AES-128 or AES-256.

See below for further changes that can be made to authentication settings.

2 - I don't care about the rules / I know what I am doing:

  1. Make the decision of what encryption configuration you want your network to have (PT or AES) before any upgrade is attempted and, at the time of the upgrade, put this configuration in place but do not reboot.
  2. Upgrade the whole network from the outside in.
  3. If you got the configuration correct on all units, the network should re-form as before. If the network was previously running DES and had not been re-configured, it will now be running PT.

What if I don’t have an AES-256 Feature Key?

Upgraded APs will continue to provide AES-128 connectivity to compatible SMs. Upon application of a Feature Key to enable it, AES-256 will become available also and will automatically be used when linked to an SM that supports it.

How do I configure my network to use AES-256 (as opposed to AES-128)?

Depending on your authentication settings, you may not have to do anything. If the network was running AES-128 prior to the upgrade, the links should start running AES-256 as both ends of a link become capable of AES-256. The exception to this is when PSK authentication is being used; AES-128 will continue to be used until a new 256-bit PSK is configured at both ends of the link.

Note: the answers to the questions below assume that APs have been Feature Keyed to enable AES-256.

My SM is saying "The encryption setting configured prior to upgrade is no longer supported, radio links are not encrypted" after the upgrade, what do I do?

Your SM is not configured to use AES when it's available: go to the configuration->security web GUI page and save it (notice that the AES setting is the only option). Saving this page has two effects: (1) it configures the SM to use AES upon a downgrade of the software, which is desirable since the AP will also have been configured to use AES and both configurations will survive a downgrade; and (2) as an operator you are aware that the configuration has been changed on the SM, i.e. that a downgrade directly back to DES is no longer possible.

I am using Radius to authenticate my SMs, what do I have to do for the upgrade?

Nothing. The SMs and AP will be given a 256-bit encryption key automatically and form an AES-256-bit link once both are on 15.2 or later (assuming encryption is enabled). Note though that if the authentication method is not forced on the SMs, there is nothing to stop them attempting to register to a rogue AP.

I am using PSK to authenticate my SMs, what do I have to do for the upgrade?

  1. Taking into account the recommendations for upgrade above, upgrade the network.
  2. When any one unit is running 15.2, the options to configure a 256-bit PSK will be available on the configuration->security web page.
  3. Once both ends of any one link are configured with (the same) 256-bit PSK, that key will be used (in preference to a 128-bit PSK) to form an AES-256 link.
  4. On networks that were previously running AES-128 with a 128-bit PSK, the 128-bit key should not be deleted, since it can still be used when connecting to a unit that can only do AES-128 (or is not yet configured with a 256-bit key).
  5. Once the entire network has been configured to AES-256 and an audit has been done to confirm no devices were missed, the "Disable AES-128" option can be enabled to prevent the shorter algorithm being used.

Note: unless it becomes compromised, it is recommended to maintain the 128-bit PSK configuration, since downgrading a unit will cause it to revert to using that key for authentication, and so the unit that it would connect to would also try to use its (matching) 128-bit PSK.

Note also: if the "Disable AES-128" option is invoked on a particular unit, that unit will be prevented from downgrading to earlier than 15.2. Disregarding the warnings associated with this option could lead to stranded SMs.
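As an added example (not Cambium code), the following Python model encodes the link negotiation rules stated in this FAQ, so an inventory can be audited before "Disable AES-128" is enabled: which links will come up AES-256, which fall back to AES-128 or PT, and which SMs would be stranded. The Unit fields, the rule that mismatched DES/AES settings never register, and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass, field

V152 = (15, 2)  # first load with AES-256 support and without DES


@dataclass
class Unit:
    name: str
    load: tuple                 # firmware version, e.g. (15, 2) or (15, 1, 3)
    setting: str                # "PT", "DES" or "AES" as saved on the security page
    feature_key: bool = False   # AES-256 Feature Key applied (only matters on APs)
    pmp430: bool = False        # PMP430 SMs never support AES
    psk_bits: set = field(default_factory=set)  # PSK lengths configured: 128, 256
    disable_aes128: bool = False


def effective_setting(u):
    """DES is removed in 15.2: a unit upgraded with DES configured now runs PT."""
    return "PT" if u.setting == "DES" and u.load >= V152 else u.setting


def ciphers(u, is_ap):
    """Ciphers the unit can run, per the FAQ (constructed model, not firmware logic)."""
    if u.pmp430:
        return {"PT", "DES"} if u.load < V152 else {"PT"}
    if u.load < V152:
        return {"PT", "DES", "AES-128"}
    ok = {"PT", "AES-128"}
    if u.feature_key or not is_ap:     # SMs need no Feature Key; APs do
        ok.add("AES-256")
    if u.disable_aes128:
        ok.discard("AES-128")
    return ok


def negotiate(ap, sm, auth="RADIUS"):
    """Predict the link cipher: AES-256, AES-128, DES, PT, or NO LINK."""
    a, s = effective_setting(ap), effective_setting(sm)
    if a != s:                          # assumption: DES vs AES (or PT) never registers
        return "NO LINK"
    if a == "PT":
        return "PT"
    common = ciphers(ap, True) & ciphers(sm, False)
    if a == "DES":
        return "DES" if "DES" in common else "NO LINK"
    for cipher, bits in (("AES-256", 256), ("AES-128", 128)):
        keyed = auth == "RADIUS" or bits in ap.psk_bits & sm.psk_bits
        if cipher in common and keyed:  # 256-bit PSK preferred over 128-bit
            return cipher
    return "NO LINK"


def audit(ap, sms, auth="RADIUS"):
    """Map each SM name to its predicted cipher so PT and NO LINK entries stand out."""
    return {sm.name: negotiate(ap, sm, auth) for sm in sms}
```

Run `audit()` over the real inventory before step 5 above; any SM still predicted as AES-128 would be stranded once the AP has "Disable AES-128" set.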

I have upgraded to 15.2 and my PMP430 SMs are not registering, what's going on?

PMP430s do not, and will never, support AES encryption; if AES is enabled on the AP, they will not register. Disable AES to get them back. If the network is already at PT, the issue is not with the encryption configuration.

My network is running DES and I have SMs configured already (with a load earlier than 15.2) offline in a box waiting to be installed. What do I do?

An SM with a load earlier than 15.2 will connect to an AP in Plain Text mode (i.e. encryption disabled). Your options are:

  1. Run the network in PT until all such SMs have been connected; or
  2. Recall all such SMs and put them through configuration again (upgrading as you go); or
  3. Configure each one to AES upon installation (an extra step for the installer), configuring any required authentication setting also. This will allow an AES-128 connection from a (say) 15.1.3 SM to a 15.2 AP. Then upgrade the SM and reconfigure up to AES-256 as given above.