[PATCH] netifd: fix WPA3 enterprise ciphers

Nick Lowe nick.lowe at gmail.com
Sun Jun 26 11:41:49 PDT 2022


Hi Joerg,

Where is this stated?

If I check the following Cisco link, this is not constrained in this
way on their products:

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html

If I check the Wi-Fi alliance spec at
https://www.wi-fi.org/file/wpa3-specification , this states the
following, and a requirement for GCMP does not appear to be mentioned:

3 WPA3-Enterprise
WPA3-Enterprise applies to enterprise network settings.

3.1 Modes of operation
WPA3-Enterprise modes are defined as follows:
• WPA3-Enterprise only mode
• WPA3-Enterprise transition mode
• WPA3-Enterprise 192-bit mode

3.2 WPA3-Enterprise only mode
When operating in WPA3-Enterprise only mode:
• An AP shall enable at least AKM suite selector 00-0F-AC:5 (IEEE
802.1X with SHA-256) in the BSS
• A STA shall allow at least AKM suite selector 00-0F-AC:5 to be
selected for an association
• An AP shall not enable AKM suite selector: 00-0F-AC:1 (IEEE 802.1X with SHA-1)
• A STA shall not allow AKM suite selector 00-0F-AC:1 to be selected
for an association
• An AP shall set MFPC to 1, MFPR to 1
• A STA shall set MFPC to 1, MFPR to 1
• A STA shall not enable WEP and TKIP

3.3 WPA3-Enterprise transition mode
When operating in WPA3-Enterprise transition mode:
• An AP shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE
802.1X with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the
BSS
• A STA shall allow at least AKM suite selectors 00-0F-AC:1 and
00-0F-AC:5 to be selected for an association
• An AP shall set MFPC to 1, MFPR to 0
• A STA shall set MFPC to 1, MFPR to 0

3.4 Additional Requirements on WPA3-Enterprise modes
The following additional requirements apply to all WPA3-Enterprise modes:
1. An AP shall not enable WPA version 1 on the same BSS with WPA3-Enterprise
2. An AP shall not enable WEP and TKIP on the same BSS as WPA3-Enterprise

3.5 WPA3-Enterprise 192-bit mode
WPA3-Enterprise 192-bit mode is well suited for deployments in
sensitive enterprise environments to further protect Wi-Fi® networks
with higher security requirements such as government, defense, and
industrial.
When operating in WPA3-Enterprise 192-bit mode:
1. When WPA3-Enterprise 192-bit mode is used by an AP, PMF shall be
set to required (MFPR bit in the RSN Capabilities field shall be set
to 1 in the RSNE transmitted by the AP).
2. When WPA3-Enterprise 192-bit mode is used by a STA, PMF shall be
set to required (MFPR bit in the RSN Capabilities field shall be set
to 1 in the RSNE transmitted by the STA).
3. Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:
▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE and ECDSA using the 384-bit prime modulus curve P-384
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE using the 384-bit prime modulus curve P-384
- RSA ≥ 3072-bit modulus
▪ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- RSA ≥ 3072-bit modulus
- DHE ≥ 3072-bit modulus



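The sections 3.2, 3.3 and 3.4 rules quoted above are mechanically checkable against the RSN element a BSS advertises in its beacons. The following is an added example, not code from the original message or from the OpenWrt/netifd patch under discussion: it parses an RSNE (element ID 48) up to the RSN Capabilities field and classifies the BSS as WPA3-Enterprise only mode, transition mode, or neither, reporting which quoted rule is violated. The RSNE byte strings at the bottom are constructed for the example, not captured from a real network; the 00-0F-AC:1/:2/:5 cipher selector values (WEP-40, TKIP, WEP-104) and the MFPC/MFPR bit positions are taken from IEEE 802.11, not from the quoted text.

```python
"""Classify a captured RSNE against the WPA3-Enterprise mode rules quoted above.

Added example; assumes the RSNE layout of IEEE 802.11 (version, group cipher,
pairwise list, AKM list, RSN Capabilities). The 3.4 rule about WPA version 1 is
not checked here, because WPA1 is signalled in a separate vendor-specific IE
(OUI 00-50-F2), not in the RSNE.
"""
import struct

RSNE_ID = 0x30
MFPC = 1 << 6          # RSN Capabilities bit 6: Management Frame Protection Capable
MFPR = 1 << 7          # RSN Capabilities bit 7: Management Frame Protection Required

# Selectors under the 00-0F-AC OUI, written the way the spec quotes them
AKM_8021X_SHA1 = "00-0F-AC:1"
AKM_8021X_SHA256 = "00-0F-AC:5"
WEAK_CIPHERS = {"00-0F-AC:1", "00-0F-AC:2", "00-0F-AC:5"}   # WEP-40, TKIP, WEP-104


def _selector(raw: bytes) -> str:
    """Render a 4-byte suite selector as OUI:type, e.g. 00 0f ac 05 -> '00-0F-AC:5'."""
    return "%02X-%02X-%02X:%d" % (raw[0], raw[1], raw[2], raw[3])


def _suite_list(body: bytes, off: int):
    """Read a 2-byte LE count followed by that many 4-byte selectors."""
    (n,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * n > len(body):
        raise ValueError("truncated suite list")
    suites = [_selector(body[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
    return suites, off + 4 * n


def parse_rsne(ie: bytes) -> dict:
    """Parse an RSN element down to RSN Capabilities (PMKIDs and group mgmt cipher ignored)."""
    if len(ie) < 2 or ie[0] != RSNE_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSNE")
    body = ie[2:]
    if len(body) < 6:
        raise ValueError("RSNE too short")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _selector(body[2:6])
    pairwise, off = _suite_list(body, 6)
    akm, off = _suite_list(body, off)
    caps = 0
    if off + 2 <= len(body):          # RSN Capabilities is optional on the wire
        (caps,) = struct.unpack_from("<H", body, off)
    return {"group": group, "pairwise": pairwise, "akm": akm,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify_wpa3_enterprise(ie: bytes):
    """Return (mode, violations); mode is 'only', 'transition', or None if any rule fails."""
    r = parse_rsne(ie)
    akm = set(r["akm"])
    ciphers = set(r["pairwise"]) | {r["group"]}
    violations = []

    # 3.4 rule 2: no WEP or TKIP on the same BSS as WPA3-Enterprise
    for c in sorted(ciphers & WEAK_CIPHERS):
        violations.append("WEP/TKIP cipher %s enabled" % c)
    # 3.2 and 3.3: both modes require AKM 00-0F-AC:5 and MFPC=1
    if AKM_8021X_SHA256 not in akm:
        violations.append("AKM 00-0F-AC:5 not enabled")
    if not r["mfpc"]:
        violations.append("MFPC=0")

    if AKM_8021X_SHA1 in akm:          # 3.3: SHA-1 AKM present means transition mode
        mode = "transition"
        if r["mfpr"]:
            violations.append("transition mode requires MFPR=0")
    else:                              # 3.2: only mode, PMF must be required
        mode = "only"
        if not r["mfpr"]:
            violations.append("only mode requires MFPR=1")

    return (mode if not violations else None), violations


# Constructed sample RSNEs (hex, assumed for this example; not captured traffic)
RSNE_ONLY = bytes.fromhex(
    "30 14"                          # ID 48, length 20
    "01 00"                          # version 1
    "00 0f ac 04"                    # group cipher CCMP-128
    "01 00 00 0f ac 04"              # one pairwise cipher: CCMP-128
    "01 00 00 0f ac 05"              # one AKM: 802.1X with SHA-256
    "c0 00"                          # RSN caps: MFPC=1, MFPR=1
)
RSNE_TRANSITION = bytes.fromhex(
    "30 18 01 00 00 0f ac 04 01 00 00 0f ac 04"
    "02 00 00 0f ac 01 00 0f ac 05"  # AKMs: 802.1X SHA-1 and SHA-256
    "40 00"                          # RSN caps: MFPC=1, MFPR=0
)
RSNE_BAD = bytes.fromhex(
    "30 18 01 00 00 0f ac 02"        # group cipher TKIP
    "02 00 00 0f ac 02 00 0f ac 04"  # pairwise: TKIP and CCMP-128
    "01 00 00 0f ac 01"              # only AKM: 802.1X with SHA-1
    "00 00"                          # RSN caps: no PMF at all
)

if __name__ == "__main__":
    for name, ie in (("only", RSNE_ONLY), ("transition", RSNE_TRANSITION), ("bad", RSNE_BAD)):
        print(name, classify_wpa3_enterprise(ie))
```

Feed it the raw RSNE bytes from a beacon (for example the `RSN` IE as dumped by a packet capture tool) to see which of the quoted modes an access point actually conforms to; note that the classifier says nothing about 192-bit mode, since the quoted 3.5 text only constrains PMF and the EAP TLS cipher suites, which are not visible in the RSNE.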