By Lee Wright CWNE, Redway Networks, WiFi Specialist - September 2025
WiFi 7 comes with many great new promises, such as MLO and even faster data rates, and to take advantage of these you need three things: a WiFi 7 access point, a WiFi 7 client device, and adherence to the rules of WiFi 7 security as defined by the WiFi Alliance. If you fail to do so, your WiFi 7-capable network may downgrade to WiFi 6. Before we delve into the rules of WiFi 7 security, let us first cover two key terms that we’ll be using throughout this post.
Authentication and Key Management (AKMs) and Cipher Suites
AKMs, as the name suggests, are responsible for authentication and the key exchange. Cipher suites are responsible for encryption and integrity. A good analogy for the relationship between the two is a safe: the AKM is like the combination lock, it’s how you get in, and it ensures that only users with valid credentials are able to gain access. The metal enclosure is like the cipher suite; this is what provides the actual protection. It is the combination of the two that completes the overall security solution. When we talk about WPA2 and WPA3, what we’re really talking about is a combination of an AKM and a cipher suite.
Enterprise WiFi Security
Let’s start by looking at enterprise modes of WiFi security. The WiFi Alliance set some constraints for WiFi 7 devices. Firstly, AKM 1, one of the original AKMs and the one usually associated with WPA2-Enterprise, is forbidden. Secondly, GCMP-256 is mandatory. GCMP-256 isn’t new for WiFi 7, but it’s the first time it’s been mandatory for all enterprise connections. GCMP is often touted as providing better security and performance. For WiFi, one of the biggest security benefits is that we’re moving to 256-bit encryption, whereas CCMP is typically deployed with 128-bit encryption. The performance benefit is sometimes misunderstood: GCMP doesn’t make the WiFi data rate faster, but it does reduce computational overhead, which can lead to reduced processing delays, especially in low-powered devices, and in that way GCMP can outperform CCMP.
So, what does this all mean for us engineers as we configure SSIDs? Well, if you have a WiFi 7 client device, a WiFi 7 access point and your SSID is configured to use WPA2-Enterprise, you can expect to negotiate a WiFi 6 connection and be limited to the 2.4 and 5 GHz frequencies. However, if you use WPA3-Enterprise or WPA3-Enterprise transition mode, you can unlock WiFi 7 data rates and 6 GHz, with 6 GHz operating only as WPA3-Enterprise.
Personal WiFi Security
With personal modes of operation, things get a bit more interesting, as we now have two brand new AKMs, AKM 24 and AKM 25. AKM 24 is SAE with a group-dependent hash, and AKM 25 is the same thing with the addition of fast transition, part of 802.11r fast roaming. When comparing these new AKMs with the previous AKMs we’ve used for SAE, the key difference is that the hash algorithm is no longer fixed at 256 bits but is now variable depending on the Diffie-Hellman (DH) group that is used. For example, if you use Diffie-Hellman group 21, your hash algorithm is increased to 512 bits. In addition, Hash-to-Element is enforced on all frequency bands; previously, it was only enforced on the 6 GHz band.
Just like enterprise modes of operation, the WiFi Alliance set some constraints for WiFi 7 devices using personal modes of operation. Any form of PSK AKM, which is basically WPA2-Personal, is no longer permitted. AKM 24, our new AKM, is now mandatory, and again, the cipher suite GCMP-256 is also mandatory.
So, if you have a WiFi 7 capable access point or client device and your SSID is configured to use WPA2-Personal, you can expect to negotiate a WiFi 6 connection and be limited to the 2.4 and 5 GHz frequencies. However, if you use WPA3-Personal or WPA3-Personal transition mode, you’re able to unlock WiFi 7 and 6 GHz, with 6 GHz operating only as WPA3-Personal.
Open and OWE
With Open and OWE we have some interesting constraints. Firstly, and probably unsurprisingly, legacy Open is forbidden. OWE transition mode is also forbidden, and again, the cipher suite GCMP-256 is mandatory. That means if your WiFi 7 capable network is using Open or OWE transition mode, you can expect to negotiate a WiFi 6 connection; it’s only when you use pure OWE that you’re able to unlock WiFi 7.
AP Beacon Protection
One item we’ve yet to cover is AP beacon protection, which works by adding a MIC to the beacon frame. This allows client devices to verify the integrity of the beacon frame, thus protecting against forged and modified beacon frames. Beacon protection is mandatory for all WiFi 7 connections, regardless of the security type.
Backward Compatibility
So far I’ve only spoken about WiFi 7 clients connecting to WiFi 7 APs, but as we all know, WiFi 7 APs will have to service previous generations of WiFi clients. That creates a problem, as these new AKMs are not backwards compatible, and not all clients support GCMP-256. Thankfully, we have a solution: configure your SSID with multiple AKMs and multiple cipher suites.
Real-world data
As part of this blog post, I wanted to recommend which AKMs and which cipher suites we should be using.
To do that, I needed to gather some real-world data, so I could understand which AKMs are currently in use and also how WiFi 7 networks are being deployed today. So I took a trip to London, jumped on one of those open-top buses and started capturing beacon frames.
I captured over 39,000 unique BSSIDs, of which just over 1,000 were WiFi 7. To my surprise and disappointment, none of them met the requirements for WiFi 7. They were failing for different reasons: just over half of the SSIDs were configured to use WPA2 or Open, which is an immediate fail, only one BSSID was using GCMP-256, and no WiFi 7 SSID used AP beacon protection. My initial reaction when I saw this was: does that mean none of these WiFi 7 SSIDs will ever negotiate a WiFi 7 connection? But it turns out a WiFi 7 connection can sometimes still be formed even if you don’t exactly follow the rules of WiFi 7 security. Let me explain.
The WiFi Alliance forbids some security types, Open and WPA2 for example, and for the most part I don’t expect a WiFi 7 connection to form if you’re using one of these forbidden security types. On the other hand, you have the mandatory security requirements, such as AKM 24, GCMP-256 and beacon protection, but as we already saw, many SSIDs are not using these mandatory security types. Then you have a middle ground of AKMs and cipher suites that are neither forbidden nor mandatory; they’re optional. It turns out a lot of the WiFi 7 BSSIDs I found were using these optional AKMs and cipher suites, and some client devices will negotiate a WiFi 7 connection if you’re using one of these optional security types. I do think that we will start to see greater adoption of the mandatory security features, but in these early days of WiFi 7 there has been some hesitancy from vendors and administrators in enabling them. As with WPA3, I think we’ll slowly start to see greater adoption.
Looking at all the data collected, not just the WiFi 7 data, here are the different AKMs I found:
I won’t labour the point too much, but there were no great surprises here. AKMs associated with WPA2 are still very popular, but AKMs associated with WPA3 are starting to gain some traction. For cipher suites, CCMP-128 is very popular. There were some SSIDs using CCMP-256, but I only ever saw this on hidden SSIDs from Cisco Meraki, which I later found out were used for meshing; I didn’t find any client-facing SSIDs using this cipher suite.
AKM/Cipher Suite Cheat Sheets
So, taking all of this real-world data and all of the guidance from the WiFi Alliance, I’ve created an AKM/cipher suite cheat sheet. How it works is that you choose the type of SSID you’re configuring, for example WPA2/3 Personal transition mode, and below it are the different AKMs and cipher suites that different generations of client devices will negotiate.
*AKM 6 is also valid but much less common
If you’re using 802.11r fast roaming, you’ll need to use a different set of AKMs, which is listed here.
MLO and roaming
MLO has an interesting relationship with AKMs. For MLO to work, all frequency bands must use the same AKM.
Roaming also has an interesting relationship with AKMs and cipher suites, specifically when you have a deployment of WiFi 7 and non-WiFi 7 APs. In that scenario you may find that your WiFi 7 APs broadcast one set of AKMs and cipher suites that is different from the non-WiFi 7 APs. Your WiFi 7 client devices will connect using the best AKM and cipher suite, but when they want to move to a non-WiFi 7 AP, they’re not able to continue using that AKM and cipher suite, forcing the client to disconnect and reconnect.
We have two ways to solve this problem. One is to reduce the capabilities of your WiFi 7 APs so the AKMs and cipher suites match. While this solves the problem, it’s not my favourite option, as it reduces the security and performance of your WiFi 7 devices. A better option, if your vendor supports it, is to add these new AKMs and cipher suites to your non-WiFi 7 APs. I’m pleased to say I’ve seen a few different vendors do this, and if your vendor supports these options, this is my preferred choice.
Validating AKMs and Cipher Suites
I think an important skill for us engineers to have is being able to validate the AKMs and cipher suites. Unfortunately, it’s not always easy from a GUI to know which AKMs and cipher suites are actually in use, but thankfully the packets don’t lie. Within the beacon frame of each SSID, if you look under the RSN Information tag, you can see the cipher suites and AKMs in use. In this example we have an SSID with two cipher suites, the first being GCMP-256 and the second being CCMP-128, or AES (CCM) as it’s listed here in Wireshark. This SSID also had two AKMs: AKM 8 (note the 8 in brackets, that is the AKM number) and AKM 24, our new WiFi 7 AKM.
Being able to validate the AKMs and cipher suites in use on your network not only ensures that you retain client compatibility but also ensures that you’re getting the most out of your WiFi 7 devices as well.
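The RSN Information decoding described above, together with the MLO rule from the previous section that every band must offer the same AKM, as an added example in Python that is not part of the original post. It assumes the standard 00:0F:AC suite selector numbering for ciphers and AKMs; the sample elements are constructed to match the Wireshark example (GCMP-256 and CCMP-128, AKM 8 and AKM 24) rather than captured frames; and the WiFi 7 checks in wifi7_options are this example's reading of the rules stated in the post, not a WiFi Alliance tool. Beacon protection and OWE transition mode are signalled outside the RSN IE, so the example does not check them.

```python
"""Decode the RSN information element (tag 48) carried in a beacon and check the
advertised AKMs and cipher suites against the WiFi 7 rules described in this post.
Added example, not code from the original post; the rule checks are this example's
reading of the post, not a Wi-Fi Alliance certification tool."""
import struct

RSN_TAG = 48
RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selectors use OUI 00:0F:AC

# Suite selector type values under OUI 00:0F:AC (IEEE 802.11 RSNE tables)
CIPHERS = {
    0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
    6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256",
    11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256",
}
AKMS = {
    1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
    6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "SuiteB-SHA256",
    12: "SuiteB-SHA384", 13: "FT-802.1X-SHA384", 18: "OWE",
    24: "SAE-EXT-KEY", 25: "FT-SAE-EXT-KEY",
}
GCMP_256 = 9
ENTERPRISE_AKMS = {1, 3, 5, 11, 12, 13}
PSK_AKMS = {2, 4, 6}

def _suite_type(sel):
    """A suite selector is 3-byte OUI + 1-byte type; only 00:0F:AC suites are decoded."""
    if sel[:3] != RSN_OUI:
        raise ValueError("vendor-specific suite %s" % sel.hex())
    return sel[3]

def _suite_list(body, off):
    """Read a 2-byte LE count followed by count 4-byte selectors; return (types, new offset)."""
    count, = struct.unpack_from("<H", body, off)
    off += 2
    types = [_suite_type(body[off + 4 * i:off + 4 * i + 4]) for i in range(count)]
    return types, off + 4 * count

def parse_rsn(element):
    """Parse a complete RSN IE (tag, length, body) into group/pairwise ciphers, AKMs and MFP bits."""
    tag, length = element[0], element[1]
    if tag != RSN_TAG:
        raise ValueError("not an RSN IE (tag %d)" % tag)
    body = element[2:2 + length]
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite_type(body[2:6])
    pairwise, off = _suite_list(body, 6)
    akms, off = _suite_list(body, off)
    # RSN capabilities are optional; MFPR is bit 6 and MFPC is bit 7
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {
        "group": CIPHERS.get(group, "type-%d" % group),
        "pairwise": [CIPHERS.get(c, "type-%d" % c) for c in pairwise],
        "akms": akms,
        "mfp_required": bool(caps & 0x40),
        "mfp_capable": bool(caps & 0x80),
        "has_gcmp256": GCMP_256 in pairwise,
    }

def wifi7_options(rsn):
    """(AKM name, cipher) pairs a WiFi 7 client could pick under the post's rules:
    GCMP-256 is mandatory for every mode; AKM 1 and every PSK AKM are forbidden;
    personal mode must use AKM 24 (25 is the 802.11r variant); open/OWE must be
    pure OWE (AKM 18). Beacon protection and OWE transition mode are signalled
    outside the RSN IE, so they are not checked here."""
    if not rsn["has_gcmp256"]:
        return []
    allowed = (ENTERPRISE_AKMS - {1}) | {18, 24, 25}
    return [(AKMS[a], "GCMP-256") for a in rsn["akms"] if a in allowed]

def mlo_common_akms(links):
    """AKMs usable on every link at once; links is {band: parsed RSN}. MLO needs the
    same AKM on all bands, so an empty result means no AKM can carry an MLO setup."""
    akm_sets = [set(r["akms"]) for r in links.values()]
    return set.intersection(*akm_sets) if akm_sets else set()

# Constructed sample elements (not captured frames), modelled on the post's Wireshark example
TRANSITION_IE = bytes.fromhex(
    "301c" "0100" "000fac04"             # tag 48, len 28, version 1, group CCMP-128
    "0200" "000fac09" "000fac04"         # pairwise: GCMP-256, CCMP-128
    "0200" "000fac08" "000fac18"         # AKMs: 8 (SAE), 24 (SAE-EXT-KEY)
    "8000"                               # RSN caps: MFPC set, MFPR clear
)
WPA2_PERSONAL_IE = bytes.fromhex(        # CCMP-128 only, AKM 2 (PSK), no MFP
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000"
)
WPA3_6GHZ_IE = bytes.fromhex(            # GCMP-256 only, AKM 24, MFP required
    "3014" "0100" "000fac09" "0100" "000fac09" "0100" "000fac18" "c000"
)

if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION_IE), ("wpa2", WPA2_PERSONAL_IE)):
        r = parse_rsn(ie)
        print(name, r["pairwise"], [AKMS.get(a, a) for a in r["akms"]],
              "WiFi 7 options:", wifi7_options(r))
    print("MLO common AKMs:", mlo_common_akms(
        {"5GHz": parse_rsn(TRANSITION_IE), "6GHz": parse_rsn(WPA3_6GHZ_IE)}))
```

For the transition element a WiFi 7 client has exactly one compliant choice, AKM 24 with GCMP-256, while a legacy client can still fall back to AKM 8 with CCMP-128; the WPA2-Personal element yields no WiFi 7 option at all. The MLO check intersects the AKM lists of the 5 GHz and 6 GHz links and finds AKM 24 as the only AKM that both can carry, which is why a 6 GHz link that is WPA3-only must still share an AKM with the lower bands.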
At Redway Networks, we work with enterprises, schools, and warehouses to design future-proof WiFi solutions that combine cutting-edge performance with enterprise-grade security. Whether you’re planning your first WiFi 7 deployment or strengthening your current wireless infrastructure, we can help you stay connected — and protected.
Final Thought
WiFi 7 is here. The question isn’t whether you’re ready for the speed — it’s whether your security is ready to keep up.
Taking the time to plan your wireless network carefully is an investment in the future productivity of your business, and cutting corners now will cost you significantly later on. We offer a range of wireless site surveys to assist with the planning and design of your wireless network.
Contact our expert team today on 01908 046400.