When will we be able to disable EAPOL retries per SSID to protect unpatched devices against KRACK?

  • 1
  • Question
  • Updated 3 years ago
  • Answered
  • (Edited)
When will we be able to disable EAPOL retries to protect unpatched devices from KRACK?

People can do this on Cisco APs:


Even cheap APs running LEDE support this:


It is ridiculous that devices connected to a $50 Linksys would be more secure than devices connected to a $1000 Ruckus.
I know that the WIPS helps, but that only checks every N seconds. That gives plenty of time for exploit scripts to run and penetrate deeper. I can imagine my wireless smart outlets being manipulated to run up electric bills, among other nefarious things.

Do I really need to deploy a $50 Linksys running third party firmware to protect my vulnerable devices? If Ruckus either cannot or will give us this mitigation, could it at least enable a competent third party like LEDE to provide firmware for their APs? Management would be a pain, but at least the connected client devices would be secure.
Photo of Richard


  • 13 Posts
  • 3 Reply Likes

Posted 3 years ago

  • 1
Photo of Michael Brado

Michael Brado, Official Rep

  • 3298 Posts
  • 523 Reply Likes
Hello Richard,

   Please see most recent update details on our WPA2 KRACK Support resource center page:

and in the Release Notes for KRACK Vulnerabilty Fix:

pointing CUs to the SZ 3.1.2 - 3.6 Software Release AP CLI Scripts (WPA2 KRACK patch):

Which allow you to disable EAPOL retries, and protect non-updated clients.
Photo of Richard


  • 13 Posts
  • 3 Reply Likes
I am running Ruckus unleashed, which is why I marked this post as applying to Ruckus unleashed. How do the scripts for smart zone apply to that?