From: Felix Fietkau Date: Thu, 31 Aug 2023 09:19:04 +0000 (+0200) Subject: scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=db3934d2f740bdfe8537933741f71b439a109422;p=project%2Fnetifd.git scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support Support the following values for the different WPA3 Enterprise modes: - wpa3-mixed: WPA3 Enterprise transitional mode This supports EAP with both SHA1 and SHA-256, with optional MFP - wpa3: WPA3 Enterprise only mode This supports only SHA256 with mandatory MFP - wpa3-192: WPA3 Enterprise with mandatory 192 bit support This uses only GCMP-256 ciphers Disable 192 bit support and GCMP-256 ciphers for the regular "wpa3" mode. It seems that even leaving in optional 192 bit support breaks auth on some clients, including iOS devices. Signed-off-by: Felix Fietkau
---
diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
index 5779751..2e600c1 100644
--- a/scripts/netifd-wireless.sh
+++ b/scripts/netifd-wireless.sh
@@ -216,13 +216,6 @@ wireless_vif_parse_encryption() {
 wpa_cipher="CCMP"
 fi

- # WPA3 enterprise requires the GCMP-256 cipher (technically also CCMP and GCMP are possible
- # but many clients/devices do not support that)
- case "$encryption" in
- wpa3-mixed*) wpa_cipher="${wpa_cipher} GCMP-256";;
- wpa3*) wpa_cipher="GCMP-256";;
- esac
-
 case "$encryption" in
 *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
 *ccmp256) wpa_cipher="CCMP-256";;
@@ -230,6 +223,7 @@ wireless_vif_parse_encryption() {
 *tkip) wpa_cipher="TKIP";;
 *gcmp256) wpa_cipher="GCMP-256";;
 *gcmp) wpa_cipher="GCMP";;
+ wpa3-192*) wpa_cipher="GCMP-256";;
 esac

 # 802.11n requires CCMP for WPA
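Review bot: In the second hunk the new `wpa3-192*)` arm is the last pattern of the cipher `case`, so any earlier suffix pattern matches first: a value such as `wpa3-192+tkip` (constructed example) would hit `*tkip)` and leave `wpa_cipher="TKIP"` while the auth-type hunk further down still selects `eap192`. If the 192-bit mode is meant to always use GCMP-256, as the commit message states, the arm should be the first pattern of this `case`, or the mismatched combination should be rejected. If an explicit suffix is meant to override it, a comment such as `# explicit cipher suffixes above take precedence over the wpa3-192 default` would record that decision. The `case` opens in the previous hunk and the 802.11n CCMP handling after `esac` continues outside this one, so whether the cipher is rewritten again later cannot be seen here.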
@@ -261,11 +255,14 @@ wireless_vif_parse_encryption() {
 owe*)
 auth_type=owe
 ;;
+ wpa3-192*)
+ auth_type=eap192
+ ;;
 wpa3-mixed*)
- auth_type=eap-eap192
+ auth_type=eap-eap2
 ;;
 wpa3*)
- auth_type=eap192
+ auth_type=eap2
 ;;
 psk3-mixed*|sae-mixed*)
 auth_type=psk-sae
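Review bot: The new `wpa3-192*)` arm only works because it sits above `wpa3*)`: the first matching pattern wins, so a later reorder would silently map 192-bit configurations to `eap2`. A comment such as `# keep wpa3-192* before wpa3*: first match wins` above the arm would protect that ordering. The hunk also changes what an existing `wpa3` setting means, from `eap192` to `eap2`, with no warning to configurations that relied on the old 192-bit behaviour, so a log message or release note pointing them at `wpa3-192` seems worthwhile. The consumer of `auth_type` is not visible in this patch, and `eap2` and `eap-eap2` are new values here, so it should be confirmed that it maps both to a key-management setting rather than falling through. The `case` statement starts and ends outside the hunk.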