[Resending due to previous response being rejected by the list due to being an HTML e-mail]
Hi Nick, take a look at the Cisco link you have sent; there is an interoperability table at the end. GCMP with Suite B 1x is basically supported by none of the STA. If you use wpa3 as the encryption setting in OpenWRT, in the code we'll set auth_type=eap192, which in turn will set wpa_key_mgmt=WPA-EAP-SUITE-B-192 in hostapd.conf. So it enables Suite B with 192-bit, which in turn requires wpa-cipher=GCMP-256. Aruba says something similar here: https://www.arubanetworks.com/techdocs/Instant_86_WebHelp/Content/instant-ug/authentication/wpa3.htm

Best Regards,
Joerg

On Sun, Jun 26, 2022 at 8:39 PM Nick Lowe <[email protected]> wrote:
>
> Hi Joerg,
>
> Where is this stated?
>
> If I check the following Cisco link, this is not constrained in this way on
> their products:
>
> https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html
>
> If I check the Wi-Fi alliance spec at
> https://www.wi-fi.org/file/wpa3-specification , this states the following,
> and a requirement for GCMP does not appear to be mentioned:
>
> 3
> WPA3-Enterprise
> WPA3-Enterprise applies to enterprise network settings.
>
> 3.1
> Modes of operation
> WPA3-Enterprise modes are defined as follows:
> • WPA3-Enterprise only mode
> • WPA3-Enterprise transition mode
> • WPA3-Enterprise 192-bit mode
>
> 3.2
> WPA3-Enterprise only mode
> When operating in WPA3-Enterprise only mode:
> • An AP shall enable at least AKM suite selector 00-0F-AC:5 (IEEE 802.1X with
>   SHA-256) in the BSS
> • A STA shall allow at least AKM suite selector 00-0F-AC:5 to be selected for
>   an association
> • An AP shall not enable AKM suite selector: 00-0F-AC:1 (IEEE 802.1X with
>   SHA-1)
> • A STA shall not allow AKM suite selector 00-0F-AC:1 to be selected for an
>   association
> • An AP shall set MFPC to 1, MFPR to 1
> • A STA shall set MFPC to 1, MFPR to 1
> • A STA shall not enable WEP and TKIP
>
> 3.3
> WPA3-Enterprise transition mode
> When operating in WPA3-Enterprise transition mode:
> • An AP shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE 802.1X
>   with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS
> • A STA shall allow at least AKM suite selectors 00-0F-AC:1 and 00-0F-AC:5 to
>   be selected for an association
> • An AP shall set MFPC to 1, MFPR to 0
> • A STA shall set MFPC to 1, MFPR to 0
>
> 3.4
> Additional Requirements on WPA3-Enterprise modes
> The following additional requirements apply to all WPA3-Enterprise modes:
> 1. An AP shall not enable WPA version 1 on the same BSS with WPA3-Enterprise
> 2. An AP shall not enable WEP and TKIP on the same BSS as WPA3-Enterprise
>
> 3.5
> WPA3-Enterprise 192-bit mode
> WPA3-Enterprise 192-bit mode is well suited for deployments in sensitive
> enterprise environments to further protect Wi-Fi® networks with higher
> security requirements such as government, defense, and industrial.
> When operating in WPA3-Enterprise 192-bit mode:
> 1. When WPA3-Enterprise 192-bit mode is used by an AP, PMF shall be set to
>    required (MFPR bit in the RSN Capabilities field shall be set to 1 in the
>    RSNE transmitted by the AP).
> 2. When WPA3-Enterprise 192-bit mode is used by a STA, PMF shall be set to
>    required (MFPR bit in the RSN Capabilities field shall be set to 1 in the
>    RSNE transmitted by the STA).
> 3. Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:
>    ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>      - ECDHE and ECDSA using the 384-bit prime modulus curve P-384
>    ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>      - ECDHE using the 384-bit prime modulus curve P-384
>      - RSA ≥ 3072-bit modulus
>    ▪ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>      - RSA ≥ 3072-bit modulus
>      - DHE ≥ 3072-bit modulus

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
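An added example, not part of the thread and not hostapd's or OpenWrt's own code: a small Python checker that reads a hostapd.conf fragment, reports which WPA3-Enterprise mode from the quoted spec it matches, and lists the quoted requirements it violates (AKM selectors, MFPC/MFPR via ieee80211w, no WPA version 1 or TKIP on the BSS), plus the GCMP-256 requirement for 192-bit mode that Joerg describes. The option names and values are real hostapd keys; the AKM-to-selector mapping in the comments is from IEEE 802.11, and any configuration you feed it is your own input.

```python
# Added example (not from the thread or from hostapd/OpenWrt): classify a hostapd.conf
# fragment against the WPA3-Enterprise requirements quoted in the thread.
AKM_SHA1, AKM_SHA256, AKM_SUITEB192 = "WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"

def parse_hostapd(text):
    """Parse key=value lines (comments and blanks ignored) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_wpa3_enterprise(text):
    """Return (mode, violations); mode is '192-bit', 'only', 'transition' or None."""
    c = parse_hostapd(text)
    akms = set(c.get("wpa_key_mgmt", "").split())
    # rsn_pairwise defaults to the wpa_pairwise value in hostapd when it is unset
    ciphers = set(c.get("rsn_pairwise", c.get("wpa_pairwise", "")).split())
    pmf = int(c.get("ieee80211w", "0"))  # 0: MFPC=0, 1: MFPC=1/MFPR=0, 2: MFPC=1/MFPR=1
    violations = []
    if c.get("wpa", "0") in ("1", "3"):            # 3.4 (1): no WPA version 1 on the BSS
        violations.append("3.4(1): WPA version 1 enabled (wpa=%s)" % c["wpa"])
    if "TKIP" in ciphers:                           # 3.4 (2): no WEP/TKIP on the BSS
        violations.append("3.4(2): TKIP enabled on the BSS")
    if AKM_SUITEB192 in akms:                       # AKM 00-0F-AC:12, Suite B 192-bit
        mode = "192-bit"
        if pmf != 2:
            violations.append("3.5(1): 192-bit mode requires MFPR=1 (ieee80211w=2)")
        if ciphers != {"GCMP-256"}:                 # hostapd pairs this AKM with GCMP-256
            violations.append("192-bit mode requires rsn_pairwise=GCMP-256")
    elif AKM_SHA1 in akms and AKM_SHA256 in akms:   # AKM 00-0F-AC:1 and 00-0F-AC:5
        mode = "transition"
        if pmf != 1:
            violations.append("3.3: transition mode requires MFPC=1, MFPR=0 (ieee80211w=1)")
    elif AKM_SHA256 in akms:                        # AKM 00-0F-AC:5 without 00-0F-AC:1
        mode = "only"
        if pmf != 2:
            violations.append("3.2: only mode requires MFPC=1, MFPR=1 (ieee80211w=2)")
    else:
        mode = None
        violations.append("no WPA3-Enterprise AKM (00-0F-AC:5 or Suite B 192-bit) enabled")
    return mode, violations
```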
