Continuing the WPA3-Enterprise 192-bit mode investigation.
Switched to all-ECC/SHA384 keys & certs. Android doesn't fail with that error anymore, it just does nothing (as if the Java stuff is just not telling wpa_supplicant to do anything, WTF) but…
I made it work with Windows 10! \o/ The best article about W10 config is here but to make it work, OpenWrt modifications were required.
So turns out, basically the /lib/netifd / UCI stuff does not generate valid configs for WPA3-Enterprise 192-bit mode AT ALL:
eap192 is set,
wpa_pairwise MUST be set to
group_mgmt_cipher=AES-128-CMAC. It MUST be
- nothing generates openssl_ciphers=SUITEB192. This doesn't seem mandatory, my Windows machine connected anyway. But it is present in various examples e.g. here.
- nothing enforces 11w management frame protection being set to mandatory for this 192-bit mode.
P.S. Argh, why does nothing give good debug output for this stuff?! e.g. if 11w is not set to mandatory, the only indication Windows gives you that that's the problem is a log message with "Matching security capabilities of IE in M3 failed (RSN/WPA)".
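A lint for the generated hostapd config that checks the points listed above before a client ever tries to associate, as an added example (not from the original post or from OpenWrt). The function names and the sample config are constructed; the expected values `WPA-EAP-SUITE-B-192`, `GCMP-256`, `BIP-GMAC-256` and `ieee80211w=2` are hostapd's own option values and are assumptions here, not quoted from the post.

```shell
# Added example: lint a single-BSS hostapd config for 192-bit mode settings.
# Expected values are hostapd option values (assumed, not taken from the post).

# conf_get FILE KEY: print the last value assigned to KEY (empty if unset)
conf_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# check_suiteb192 FILE: print FAIL/WARN findings, return 1 on any FAIL
check_suiteb192() {
    conf=$1 rc=0
    case " $(conf_get "$conf" wpa_key_mgmt) " in
        *" WPA-EAP-SUITE-B-192 "*) ;;
        *) echo "SKIP: wpa_key_mgmt does not enable WPA-EAP-SUITE-B-192"; return 0 ;;
    esac
    # Pairwise cipher: rsn_pairwise wins, otherwise hostapd reuses wpa_pairwise
    pw=$(conf_get "$conf" rsn_pairwise)
    [ -n "$pw" ] || pw=$(conf_get "$conf" wpa_pairwise)
    [ "$pw" = "GCMP-256" ] || { echo "FAIL: pairwise cipher is '${pw:-unset}', need GCMP-256"; rc=1; }
    # An unset group_mgmt_cipher means hostapd's default, AES-128-CMAC
    gm=$(conf_get "$conf" group_mgmt_cipher)
    [ "$gm" = "BIP-GMAC-256" ] || { echo "FAIL: group_mgmt_cipher is '${gm:-unset}', need BIP-GMAC-256"; rc=1; }
    # 802.11w: 0 = disabled, 1 = optional, 2 = required
    pmf=$(conf_get "$conf" ieee80211w)
    [ "$pmf" = "2" ] || { echo "FAIL: ieee80211w is '${pmf:-unset}', need 2 (required)"; rc=1; }
    # The post reports a Windows client connecting without this, so warn only
    [ "$(conf_get "$conf" openssl_ciphers)" = "SUITEB192" ] || echo "WARN: openssl_ciphers=SUITEB192 not set"
    return $rc
}

# Constructed sample resembling the incomplete output the post describes
sample_broken_conf() {
    cat <<'EOF'
wpa_key_mgmt=WPA-EAP-SUITE-B-192
wpa_pairwise=CCMP
group_mgmt_cipher=AES-128-CMAC
ieee80211w=1
EOF
}

# Usage: sh check.sh /path/to/hostapd.conf; with no argument, lint the sample
if [ $# -gt 0 ]; then
    check_suiteb192 "$1"
else
    tmp=$(mktemp) && sample_broken_conf > "$tmp"
    check_suiteb192 "$tmp" || true
    rm -f "$tmp"
fi
```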