Hi Joerg, Where is this stated?
If I check the following Cisco link, this is not constrained in this way on their products:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wpa3-dep-guide-og.html

If I check the Wi-Fi Alliance spec at https://www.wi-fi.org/file/wpa3-specification, this states the following, and a requirement for GCMP does not appear to be mentioned:

3 WPA3-Enterprise

WPA3-Enterprise applies to enterprise network settings.

3.1 Modes of operation

WPA3-Enterprise modes are defined as follows:
• WPA3-Enterprise only mode
• WPA3-Enterprise transition mode
• WPA3-Enterprise 192-bit mode

3.2 WPA3-Enterprise only mode

When operating in WPA3-Enterprise only mode:
• An AP shall enable at least AKM suite selector 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS
• A STA shall allow at least AKM suite selector 00-0F-AC:5 to be selected for an association
• An AP shall not enable AKM suite selector: 00-0F-AC:1 (IEEE 802.1X with SHA-1)
• A STA shall not allow AKM suite selector 00-0F-AC:1 to be selected for an association
• An AP shall set MFPC to 1, MFPR to 1
• A STA shall set MFPC to 1, MFPR to 1
• A STA shall not enable WEP and TKIP

3.3 WPA3-Enterprise transition mode

When operating in WPA3-Enterprise transition mode:
• An AP shall enable at least AKM suite selectors 00-0F-AC:1 (IEEE 802.1X with SHA-1) and 00-0F-AC:5 (IEEE 802.1X with SHA-256) in the BSS
• A STA shall allow at least AKM suite selectors 00-0F-AC:1 and 00-0F-AC:5 to be selected for an association
• An AP shall set MFPC to 1, MFPR to 0
• A STA shall set MFPC to 1, MFPR to 0

3.4 Additional Requirements on WPA3-Enterprise modes

The following additional requirements apply to all WPA3-Enterprise modes:
1. An AP shall not enable WPA version 1 on the same BSS with WPA3-Enterprise
2. An AP shall not enable WEP and TKIP on the same BSS as WPA3-Enterprise

3.5 WPA3-Enterprise 192-bit mode

WPA3-Enterprise 192-bit mode is well suited for deployments in sensitive enterprise environments to further protect Wi-Fi® networks with higher security requirements such as government, defense, and industrial.

When operating in WPA3-Enterprise 192-bit mode:
1. When WPA3-Enterprise 192-bit mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the AP).
2. When WPA3-Enterprise 192-bit mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN Capabilities field shall be set to 1 in the RSNE transmitted by the STA).
3. Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:
   ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     - ECDHE and ECDSA using the 384-bit prime modulus curve P-384
   ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     - ECDHE using the 384-bit prime modulus curve P-384
     - RSA ≥ 3072-bit modulus
   ▪ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     - RSA ≥ 3072-bit modulus
     - DHE ≥ 3072-bit modulus

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
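An added example, not part of the original message and not OpenWrt or hostapd code: a Python parser that reads an RSNE from a beacon or probe response and applies only the checks listed in the quoted sections 3.2 to 3.4. The function names and the sample RSNEs are constructed for this example; the RSNE field layout, cipher type numbers and the MFPR/MFPC bit positions are those of IEEE 802.11.

```python
import struct

OUI = bytes.fromhex("000fac")      # suite selector OUI 00-0F-AC
WEP_TKIP = {1, 2, 5}               # cipher types WEP-40, TKIP, WEP-104
MFPR, MFPC = 0x0040, 0x0080        # RSN Capabilities bits 6 and 7

def parse_rsne(ie: bytes) -> dict:
    """Parse an RSNE (element ID 48) up to and including RSN Capabilities."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSNE")
    body, pos = ie[2:], 0
    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSNE")
        pos += n
        return body[pos - n:pos]
    def suites():                  # 2-byte little-endian count, then 4-byte selectors
        return [take(4) for _ in range(struct.unpack("<H", take(2))[0])]
    version = struct.unpack("<H", take(2))[0]
    ciphers = [take(4)] + suites() # group data cipher, then pairwise list
    akms = suites()
    caps = struct.unpack("<H", take(2))[0]
    return {"version": version, "ciphers": ciphers, "akms": akms, "caps": caps}

def wpa3_enterprise_mode(ie: bytes) -> str:
    """Return 'only', 'transition' or 'none' using the quoted 3.2-3.4 checks."""
    r = parse_rsne(ie)
    akm = {s[3] for s in r["akms"] if s[:3] == OUI}
    weak = any(c[:3] == OUI and c[3] in WEP_TKIP for c in r["ciphers"])
    mfpc, mfpr = bool(r["caps"] & MFPC), bool(r["caps"] & MFPR)
    if weak or not mfpc or 5 not in akm:
        return "none"              # WEP/TKIP present, PMF not capable, or no SHA-256 AKM
    if 1 not in akm and mfpr:
        return "only"
    if 1 in akm and not mfpr:
        return "transition"
    return "none"

def build_rsne(group, pairwise, akms, caps) -> bytes:
    """Build a constructed sample RSNE from 00-0F-AC suite type numbers."""
    def suite(t): return OUI + bytes([t])
    body = struct.pack("<H", 1) + suite(group)
    body += struct.pack("<H", len(pairwise)) + b"".join(map(suite, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(suite, akms))
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

# Constructed samples: CCMP-128 (type 4) with AKM 5 and PMF required
CCMP_ONLY = build_rsne(4, [4], [5], MFPC | MFPR)
MIXED = build_rsne(4, [4], [1, 5], MFPC)
```

With these checks, the constructed CCMP-128 sample is classified as only mode, which matches the observation in the message that the quoted excerpt names no GCMP requirement for that mode.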
