Support the following values for the different WPA3 Enterprise modes:

- wpa3-mixed: WPA3 Enterprise transitional mode
  This supports EAP with both SHA1 and SHA-256, with optional MFP
- wpa3: WPA3 Enterprise only mode
  This supports only SHA256 with mandatory MFP
- wpa3-192: WPA3 Enterprise with mandatory 192 bit support
  This uses only GCMP-256 ciphers

Disable 192 bit support and GCMP-256 ciphers for the regular "wpa3" mode.
It seems that even leaving in optional 192 bit support breaks auth on some
clients, including iOS devices.

Signed-off-by: Felix Fietkau <nbd@nbd.name>

wpa_cipher="CCMP"
fi
- # WPA3 enterprise requires the GCMP-256 cipher (technically also CCMP and GCMP are possible
- # but many clients/devices do not support that)
- case "$encryption" in
- wpa3-mixed*) wpa_cipher="${wpa_cipher} GCMP-256";;
- wpa3*) wpa_cipher="GCMP-256";;
- esac
-
case "$encryption" in
*tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
*ccmp256) wpa_cipher="CCMP-256";;
*tkip) wpa_cipher="TKIP";;
*gcmp256) wpa_cipher="GCMP-256";;
*gcmp) wpa_cipher="GCMP";;
+ wpa3-192*) wpa_cipher="GCMP-256";;
esac
# 802.11n requires CCMP for WPA
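Review bot: the new wpa3-192*) arm is the last one in a case whose earlier arms match on suffix (*tkip, *gcmp, *ccmp256 and so on), so an encryption value that starts with wpa3-192 and ends in one of those suffixes takes the earlier arm and never reaches wpa_cipher="GCMP-256". The commit message says wpa3-192 uses only GCMP-256, so move this arm to the top of the case, or set the cipher for wpa3-192 in a separate case after this one so a suffix cannot override it. The removed comment was also the only explanation of the WPA3 cipher choice; a short replacement saying that plain wpa3 and wpa3-mixed now keep the default cipher without GCMP-256, because of the client breakage described in the commit message, would help the next reader.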
owe*)
auth_type=owe
;;
+ wpa3-192*)
+ auth_type=eap192
+ ;;
wpa3-mixed*)
- auth_type=eap-eap192
+ auth_type=eap-eap2
;;
wpa3*)
- auth_type=eap192
+ auth_type=eap2
;;
psk3-mixed*|sae-mixed*)
auth_type=psk-sae
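Review bot: in the wpa3*) arm auth_type changes from eap192 to eap2, so an existing configuration with encryption set to wpa3 stops offering 192-bit mode after an upgrade without any notice, and has to be switched to wpa3-192 to keep it; that behaviour change deserves an explicit line in the commit message or the documentation. The new wpa3-192*) arm only works because it sits above wpa3-mixed*) and wpa3*), so a comment stating that the order matters would guard against a later reorder. The commit message also promises mandatory MFP for wpa3 and optional MFP for wpa3-mixed, but nothing in these lines sets it; please confirm that the code consuming eap2 and eap-eap2 enforces that.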