authorFelix Fietkau2023-08-31 09:19:04 +0000
committerFelix Fietkau2023-08-31 10:57:44 +0000
commitdb3934d2f740bdfe8537933741f71b439a109422 (patch)
tree106dab4147c4b74f9bee7196955b63c80343610c
parent4711f74479e213ef86f8792b408b117d40148eb2 (diff)
scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support
Support the following values for the different WPA3 Enterprise modes: - wpa3-mixed: WPA3 Enterprise transitional mode This supports EAP with both SHA1 and SHA-256, with optional MFP - wpa3: WPA3 Enterprise only mode This supports only SHA256 with mandatory MFP - wpa3-192: WPA3 Enterprise with mandatory 192 bit support This uses only GCMP-256 ciphers Disable 192 bit support and GCMP-256 ciphers for the regular "wpa3" mode. It seems that even leaving in optional 192 bit support breaks auth on some clients, including iOS devices. Signed-off-by: Felix Fietkau <nbd@nbd.name>
-rw-r--r--scripts/netifd-wireless.sh15
1 files changed, 6 insertions, 9 deletions
diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
index 5779751..2e600c1 100644
--- a/scripts/netifd-wireless.sh
+++ b/scripts/netifd-wireless.sh
@@ -216,13 +216,6 @@ wireless_vif_parse_encryption() {
wpa_cipher="CCMP"
fi
- # WPA3 enterprise requires the GCMP-256 cipher (technically also CCMP and GCMP are possible
- # but many clients/devices do not support that)
- case "$encryption" in
- wpa3-mixed*) wpa_cipher="${wpa_cipher} GCMP-256";;
- wpa3*) wpa_cipher="GCMP-256";;
- esac
-
case "$encryption" in
*tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
*ccmp256) wpa_cipher="CCMP-256";;
@@ -230,6 +223,7 @@ wireless_vif_parse_encryption() {
*tkip) wpa_cipher="TKIP";;
*gcmp256) wpa_cipher="GCMP-256";;
*gcmp) wpa_cipher="GCMP";;
+ wpa3-192*) wpa_cipher="GCMP-256";;
esac
# 802.11n requires CCMP for WPA
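Review bot: The new `wpa3-192*)` arm sits last in a first-match `case`, so an encryption value that carries a cipher suffix is caught by an earlier arm (`*tkip)`, `*gcmp)`, and so on) and never reaches it. A value such as `wpa3-192+tkip` (constructed example) would keep `wpa_cipher="TKIP"` while the later hunk still selects `auth_type=eap192`, which contradicts the commit message's "only GCMP-256" for this mode. Moving the arm to the top of this `case`, i.e. `wpa3-192*) wpa_cipher="GCMP-256";;` ahead of `*tkip+aes|...`, lets the 192-bit mode win over any suffix. The code after the `# 802.11n requires CCMP for WPA` comment is outside the hunk and may adjust the cipher again, so that path should be checked as well.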
@@ -261,11 +255,14 @@ wireless_vif_parse_encryption() {
owe*)
auth_type=owe
;;
+ wpa3-192*)
+ auth_type=eap192
+ ;;
wpa3-mixed*)
- auth_type=eap-eap192
+ auth_type=eap-eap2
;;
wpa3*)
- auth_type=eap192
+ auth_type=eap2
;;
psk3-mixed*|sae-mixed*)
auth_type=psk-sae
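Review bot: The three WPA3 Enterprise arms depend on first-match order and nothing in the code says so: `wpa3-192*)` and `wpa3-mixed*)` must stay above the `wpa3*)` catch-all or they silently resolve to `eap2`. A comment above them such as `# order matters: wpa3-192* and wpa3-mixed* must precede wpa3*` would protect this from a later reorder. Separately, a plain `wpa3` value now maps to `eap2` where it mapped to `eap192` before, so an existing configuration presumably changes key management on upgrade without any edit; that deserves a line in the option documentation or release notes. The enclosing `case` starts and ends outside the hunk.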