Set AES-CCMP 128 for WPA3 Enterprise

Line from netifd-wireless.sh:

# WPA3 enterprise requires the GCMP-256 cipher (technically also CCMP and GCMP are possible
# but many clients/devices do not support that)

How do you switch between the three authentication methods? Any changes made to the file just break the SSID. Windows 10 only supports fast roaming under wpa3-aes-ccmp.

Have you replaced wpad-basic with wpad-full or another similar wpad (wpad-openssl or wpad-wolfssl)?

Thanks for the help. I am using wpad-wolfssl. It sets WPA3 Enterprise to GCMP-256. It seems the better way to handle this is to use WPA2 Enterprise. There are three options for WPA3 Enterprise encryption. The issue is that GCMP-256 can cause slowdowns for certain devices. GCMP-128 does not seem to be affected. There is the issue of Windows 10 machines not fast roaming on GCMP.

An option to force this would be nice. For now I am going to use WPA2 Enterprise.

WPA3-Enterprise

WPA3-Enterprise builds upon the foundation of WPA2-Enterprise with the additional requirement of using Protected Management Frames on all WPA3 connections.

  • Authentication: multiple Extensible Authentication Protocol (EAP) methods
  • Authenticated encryption: minimum 128-bit Advanced Encryption Standard Counter Mode with Cipher Block Chaining Message Authentication (AES-CCMP 128)
  • Key derivation and confirmation: minimum 256-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA256)
  • Robust management frame protection: minimum 128-bit Broadcast/Multicast Integrity Protocol Cipher-based Message Authentication Code (BIP-CMAC-128)
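
The four minimums listed above can be checked against a generated hostapd configuration. The script below is an added example, not part of the thread and not OpenWrt or hostapd code; mapping each requirement to the hostapd keys `ieee80211w`, `wpa_key_mgmt`, `rsn_pairwise`/`wpa_pairwise` and `group_mgmt_cipher` is this example's assumption, and the sample config is constructed.

```shell
# Added example: audit a hostapd.conf against the WPA3-Enterprise minimums
# listed above. The requirement-to-key mapping is this example's assumption.

# Print the value of the last "key=value" line for key $2 in file $1.
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }
# Succeed if word $1 appears in the space-separated list $2.
has_word() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Print one line per unmet minimum; the exit status is the number of failures.
check_wpa3_ent() {
    fails=0
    pmf=$(conf_get "$1" ieee80211w)
    akm=$(conf_get "$1" wpa_key_mgmt)
    pair=$(conf_get "$1" rsn_pairwise)
    # hostapd uses wpa_pairwise when rsn_pairwise is not set
    [ -n "$pair" ] || pair=$(conf_get "$1" wpa_pairwise)
    bip=$(conf_get "$1" group_mgmt_cipher)
    # hostapd's default group management cipher is AES-128-CMAC (BIP-CMAC-128)
    [ -n "$bip" ] || bip=AES-128-CMAC

    # Protected Management Frames must be required (2), not optional (1)
    [ "$pmf" = 2 ] || fail "ieee80211w=${pmf:-unset}, PMF must be required (2)"
    # Key derivation: a SHA-256 (or stronger) EAP AKM, and no SHA-1 based one
    has_word WPA-EAP-SHA256 "$akm" || has_word WPA-EAP-SUITE-B-192 "$akm" ||
        fail "wpa_key_mgmt='$akm' has no SHA-256 or stronger EAP AKM"
    if has_word WPA-EAP "$akm"; then fail "WPA-EAP is below the HMAC-SHA256 minimum"; fi
    # Pairwise cipher: AES-CCMP 128 is the floor, so TKIP or anything unknown fails
    [ -n "$pair" ] || fail "no pairwise cipher configured"
    for c in $pair; do
        case $c in
            CCMP|GCMP|CCMP-256|GCMP-256) ;;
            *) fail "pairwise cipher $c is below AES-CCMP 128" ;;
        esac
    done
    case $bip in
        AES-128-CMAC|BIP-GMAC-128|BIP-GMAC-256|BIP-CMAC-256) ;;
        *) fail "group_mgmt_cipher=$bip is not a known BIP cipher" ;;
    esac
    return "$fails"
}

# Constructed sample config with CCMP as the pairwise cipher
sample=$(mktemp)
printf '%s\n' wpa=2 ieee8021x=1 wpa_key_mgmt=WPA-EAP-SHA256 \
    rsn_pairwise=CCMP ieee80211w=2 > "$sample"
check_wpa3_ent "$sample" && echo "meets the listed minimums"
rm -f "$sample"
```
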

Yeah, I use WPA2-AES for my SSIDs and WPA3-AES for 802.11s with no issues (except the bug for WPA3 encryption on mesh point showing as none in LuCI even though it’s working). Setting up 802.11kv in your wireless config if your hardware supports it will help the client decide to roam.

Thanks for the help.

WPA2 Enterprise has fast roaming working.
WPA3 Enterprise AES-CCMP 128 does not seem supported on OpenWrt currently.
With WPA3 GCMP-256, Windows will not support fast roaming.

I was hoping by editing netifd-wireless.sh I could allow WPA3 Enterprise AES-CCMP 128.

I think I remember seeing something about WPA3 in the newest kernel (could be wrong though), but that kernel isn’t in the current stable or snapshot releases. If they did add additional support and it included WPA3 Enterprise, as of now, you’d have to custom build the firmware to include the newest kernel in order to use it. You’ll have to check the kernel logs if that’s something you’re interested in pursuing.