Fwd: [PATCH] netifd: fix WPA3 enterprise ciphers

Jörg Werner schreibubi at gmail.com
Sun Jun 26 23:16:44 PDT 2022


[Resending due to previous response being rejected by the list due to
being an HTML e-mail]

Hi Nick,

take a look at the Cisco link you have sent, there is an
interoperability table at the end. GCMP with Suite B 1x is basically
supported by none of the STA. If you use wpa3 as the encryption
setting in OpenWRT, in the code we'll set auth_type=eap192, which in
turn will set wpa_key_mgmt=WPA-EAP-SUITE-B-192 in hostapd.conf. So it
enables Suite B with 192bit, which in turn requires
wpa-cipher=GCMP-256.

Aruba says something similar here:
https://www.arubanetworks.com/techdocs/Instant_86_WebHelp/Content/instant-ug/authentication/wpa3.htm

Best Regards,

Joerg
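To make the dependency chain described above (WPA-EAP-SUITE-B-192 as the AKM implies GCMP-256 as the pairwise cipher, with PMF required per section 3.5 of the WPA3 specification) checkable, here is an added example that is not code from the thread, OpenWrt, netifd or hostapd. It parses a hostapd.conf and reports settings that are inconsistent with the 192-bit AKM. It assumes the option names hostapd.conf documents for this mode (`rsn_pairwise`, `group_mgmt_cipher`, `ieee80211w`, `wpa`); the two sample configurations are constructed for the example.

```python
# Added example: check a hostapd.conf for WPA3-Enterprise 192-bit consistency.
# Constructed for this discussion; not code from OpenWrt, netifd or hostapd.

SUITE_B_192_AKM = "WPA-EAP-SUITE-B-192"

# Values hostapd.conf documents next to WPA-EAP-SUITE-B-192 (rsn_pairwise,
# group_mgmt_cipher) plus PMF required (ieee80211w=2), which the WPA3 spec
# section 3.5 mandates for 192-bit mode. The option names are assumptions
# about hostapd's configuration syntax.
REQUIRED_CIPHERS = {
    "rsn_pairwise": {"GCMP-256"},
    "group_mgmt_cipher": {"BIP-GMAC-256"},
}
REQUIRED_FLAGS = {
    "wpa": "2",
    "ieee80211w": "2",
}


def parse_hostapd_conf(text):
    """Parse key=value lines of a hostapd.conf; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_suite_b_192(conf):
    """Return a list of problems for a BSS that enables WPA-EAP-SUITE-B-192.

    An empty list means the cipher and PMF settings are consistent with the AKM.
    """
    akms = set(conf.get("wpa_key_mgmt", "").split())
    if SUITE_B_192_AKM not in akms:
        return []  # not a 192-bit BSS; nothing to enforce

    problems = []
    for key, expected in REQUIRED_FLAGS.items():
        actual = conf.get(key)
        if actual != expected:
            problems.append(f"{key}={actual!s} (need {key}={expected})")
    for key, expected in REQUIRED_CIPHERS.items():
        actual = set(conf.get(key, "").split())
        if actual != expected:
            shown = " ".join(sorted(actual)) or "<unset>"
            problems.append(f"{key}={shown} (need {key}={' '.join(expected)})")
    return problems


# Constructed sample: a BSS that selected the 192-bit AKM but kept CCMP and
# optional PMF, the combination that leaves Suite B clients unable to associate.
BAD_CONF = """\
interface=wlan0
ssid=corp-wpa3
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed sample: the same BSS with the ciphers Suite B 192-bit requires.
GOOD_CONF = """\
interface=wlan0
ssid=corp-wpa3
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
"""


if __name__ == "__main__":
    for name, text in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        issues = check_suite_b_192(parse_hostapd_conf(text))
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against a generated `/var/run/hostapd-*.conf` to see which of the three settings a `wpa3` encryption choice has left inconsistent; a BSS that does not enable the 192-bit AKM produces no findings, since the GCMP-256 requirement only follows from that AKM.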

On Sun, Jun 26, 2022 at 8:39 PM Nick Lowe <nick.lowe at gmail.com> wrote:
>
> Hi Joerg,
>
> Where is this stated?
>
> If I check the following Cisco link, this is not constrained in this way on their products:
>
> https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html
>
> If I check the Wi-Fi alliance spec at https://www.wi-fi.org/file/wpa3-specification , this states the following, and a requirement for GCMP does not appear to be mentioned:
>
> 3
> WPA3-Enterprise
> WPA3-Enterprise applies to enterprise network settings.
>
> 3.1
> Modes of operation
> WPA3-Enterprise modes are defined as follows:
> • WPA3-Enterprise only mode
> • WPA3-Enterprise transition mode
> • WPA3-Enterprise 192-bit mode
>
> 3.2
> WPA3-Enterprise only mode
> When operating in WPA3-Enterprise only mode:
> • An AP shall enable at least AKM suite selector 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS
> • A STA shall allow at least AKM suite selector 00-0F-AC:5 to be selected for an association
> • An AP shall not enable AKM suite selector: 00-0F-AC:1 (IEEE 802.1X with SHA-1)
> • A STA shall not allow AKM suite selector 00-0F-AC:1 to be selected for an association
> • An AP shall set MFPC to 1, MFPR to 1
> • A STA shall set MFPC to 1, MFPR to 1
> • A STA shall not enable WEP and TKIP
>
> 3.3
> WPA3-Enterprise transition mode
> When operating in WPA3-Enterprise transition mode:
> • An AP shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE 802.1X with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS
> • A STA shall allow at least AKM suite selectors 00-0F-AC:1 and 00-0F-AC:5 to be selected for an association
> • An AP shall set MFPC to 1, MFPR to 0
> • A STA shall set MFPC to 1, MFPR to 0
>
> 3.4
> Additional Requirements on WPA3-Enterprise modes
> The following additional requirements apply to all WPA3-Enterprise modes:
> 1. An AP shall not enable WPA version 1 on the same BSS with WPA3-Enterprise
> 2. An AP shall not enable WEP and TKIP on the same BSS as WPA3-Enterprise
>
> 3.5
> WPA3-Enterprise 192-bit mode
> WPA3-Enterprise 192-bit mode is well suited for deployments in sensitive enterprise environments to further protect Wi-Fi® networks with higher security requirements such as government, defense, and industrial.
> When operating in WPA3-Enterprise 192-bit mode:
> 1. When WPA3-Enterprise 192-bit mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP).
> 2. When WPA3-Enterprise 192-bit mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the STA).
> 3. Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:
> ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> - ECDHE and ECDSA using the 384-bit prime modulus curve P-384
> ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> - ECDHE using the 384-bit prime modulus curve P-384
> - RSA ≥ 3072-bit modulus
> ▪ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> - RSA ≥ 3072-bit modulus
> - DHE ≥ 3072-bit modulus