wireless: T2306: Add new cipher suites to the WiFi configuration

    Yet, VyOS knows these two encryption schemes for WiFi:

        1. CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
        2. TKIP = Temporal Key Integrity Protocol

    These encryption schemes are new and especially the Galois counter mode
    cipher suites are very desirable!

        1. CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
        2. GCMP = Galois/counter mode protocol (GCMP-128)
        3. GCMP-256 = Galois/counter mode protocol with 256-bit key

    CCMP is supported by all WPA2 compatible NICs, so this remains the
    default cipher for bidirectional and group packets while using WPA2.

    Use 'iw list' to figure out which cipher suites your cards support
    prior to configuring other cipher suites than CCMP. AP NICs and
    STA NICs must both support at least one common cipher in a given
    list in order to associate successfully.

1 files changed, 10 insertions, 0 deletions

diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index e2fb9ca8f..d6068e4db 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -572,6 +572,16 @@ wpa_pairwise={{ sec_wpa_cipher | join(" ") }}
 {%- endif -%}
 {% endif %}
 
+{% if sec_wpa_group_cipher -%}
+# Optional override for automatic group cipher selection
+# This can be used to select a specific group cipher regardless of which
+# pairwise ciphers were enabled for WPA and RSN. It should be noted that
+# overriding the group cipher with an unexpected value can result in
+# interoperability issues and in general, this parameter is mainly used for
+# testing purposes.
+group_cipher={{ sec_wpa_group_cipher | join(" ") }}
+{% endif %}
+
 {% if sec_wpa_passphrase -%}
 # IEEE 802.11 specifies two authentication algorithms. hostapd can be
 # configured to allow both of these or only one. Open system authentication