Posted: Sun Aug 29, 2021 2:06 Post subject: WPA3-Enterprise reported as WPA2?
Background: I've been using WPA3-Enterprise (without any WPA2 fallback) from older client radios (circa 2013 with 2016-17 drivers) that worked fine but reported it as WPA2. That is, in network authentication on the WRT1900ACSv1 and ACSv2 dd-wrt routers, I only have the "WPA3 Enterprise" and "CCMP-128 (AES)" checkboxes enabled for some VAPs. An even older client radio (circa 2012, which I just retired) could not connect to a WPA3-only VAP at all, but could connect to a comparable WPA2-only VAP (with 802.11w MFP set to Auto).
Upgrade: I recently replaced that older radio with a WPA3-capable Intel AX210 WIFI-6E card (with latest 2021-06-29 driver) in a Lenovo Win10 Pro laptop PC and tested r47256 with it. When I connected that PC to a WPA3-Personal VAP on either router, Windows wifi properties correctly identified the connection as "WPA3" security. So far, so good.
Problem: However, when I connected that same PC with latest radio and driver to a WPA3-Enterprise VAP on either router, Windows still identified the connection as only "WPA2" security.
EDIT: Per wikipedia, "The new standard uses an equivalent 192-bit cryptographic strength in WPA3-Enterprise mode (AES-256 in GCM mode with SHA-384 as HMAC)". I guess WPA3 Enterprise with AES-128 CCM allowed is exactly the same as WPA2 Enterprise with AES-128 CCM but also with the WPA2-optional 802.11w Management Frame Protection (MFP) required in WPA3, so there's actually no difference from the client's perspective unless it could tell that MFP is required on the AP. I assume that if the router and firmware both supported AES-256 GCM we could require that and then the client would know it must be WPA3, but since we don't have that option (yet?), it can't. Any chance of adding AES-256 GCM as an available WPA algorithm to the Marvell dd-wrt builds? If not, it seems like WPA3-Enterprise isn't truly supported on these routers, so the Intel AX210 is correctly reporting it as only WPA2 Enterprise. _________________ My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
Thanks and understood for WPA3-Enterprise(EAP). For the record, WPA3-Personal(SAE) is working great on both of our WRT1900ACS units (v1 & v2) under r47256. _________________ My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros