From db3934d2f740bdfe8537933741f71b439a109422 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 31 Aug 2023 11:19:04 +0200 Subject: [PATCH] scripts/netifd-wireless.sh: properly fix WPA3 Enterprise support Support the following values for the different WPA3 Enterprise modes: - wpa3-mixed: WPA3 Enterprise transitional mode This supports EAP with both SHA1 and SHA-256, with optional MFP - wpa3: WPA3 Enterprise only mode This supports only SHA256 with mandatory MFP - wpa3-192: WPA3 Enterprise with mandatory 192 bit support This uses only GCMP-256 ciphers Disable 192 bit support and GCMP-256 ciphers for the regular "wpa3" mode. It seems that even leaving in optional 192 bit support breaks auth on some clients, including iOS devices. Signed-off-by: Felix Fietkau
---
 scripts/netifd-wireless.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/scripts/netifd-wireless.sh b/scripts/netifd-wireless.sh
index 5779751..2e600c1 100644
--- a/scripts/netifd-wireless.sh
+++ b/scripts/netifd-wireless.sh
@@ -216,13 +216,6 @@ wireless_vif_parse_encryption() {
 wpa_cipher="CCMP"
 fi

- # WPA3 enterprise requires the GCMP-256 cipher (technically also CCMP and GCMP are possible
- # but many clients/devices do not support that)
- case "$encryption" in
- wpa3-mixed*) wpa_cipher="${wpa_cipher} GCMP-256";;
- wpa3*) wpa_cipher="GCMP-256";;
- esac
-
 case "$encryption" in
 *tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) wpa_cipher="CCMP TKIP";;
 *ccmp256) wpa_cipher="CCMP-256";;
@@ -230,6 +223,7 @@ wireless_vif_parse_encryption() {
 *tkip) wpa_cipher="TKIP";;
 *gcmp256) wpa_cipher="GCMP-256";;
 *gcmp) wpa_cipher="GCMP";;
+ wpa3-192*) wpa_cipher="GCMP-256";;
 esac

 # 802.11n requires CCMP for WPA
@@ -261,11 +255,14 @@ wireless_vif_parse_encryption() {
 owe*)
 auth_type=owe
 ;;
+ wpa3-192*)
+ auth_type=eap192
+ ;;
 wpa3-mixed*)
- auth_type=eap-eap192
+ auth_type=eap-eap2
 ;;
 wpa3*)
- auth_type=eap192
+ auth_type=eap2
 ;;
 psk3-mixed*|sae-mixed*)
 auth_type=psk-sae
--
2.30.2
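Review bot: In the cipher `case` (second hunk) the new `wpa3-192*)` arm comes last, so an encryption value carrying a cipher suffix, for example `wpa3-192+tkip` or `wpa3-192+gcmp`, matches an earlier arm such as `*tkip)` or `*gcmp)` first. The result would pair a weaker cipher with `auth_type=eap192`, so the "uses only GCMP-256 ciphers" statement in the commit message holds only when no suffix is given. If 192-bit mode is meant to be strict, move `wpa3-192*) wpa_cipher="GCMP-256";;` to the top of the `case` so it wins over the suffix arms. If the override is intentional, say so in a comment on that arm. The `case` opens in the previous hunk, one arm between the two hunks is not shown, and the 802.11n block that follows is outside the hunk, so later adjustments to `wpa_cipher` cannot be ruled out from here.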
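Review bot: The `wpa3-192*)` arm in the `auth_type` `case` (third hunk) is correct only because it sits above `wpa3*)`, which would otherwise match the same value and select `eap2`, and that ordering dependency is undocumented. Add a comment on the new arm, e.g. `# keep above wpa3*): first match wins, and wpa3* would turn wpa3-192 into plain eap2`. The commit message promises mandatory MFP for `wpa3`, but nothing in this hunk sets it. Presumably whatever consumes `auth_type` enforces it, so it is worth confirming that this consumer already maps the new `eap2` and `eap-eap2` values. The `case` statement starts and ends outside the hunk.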