Good afternoon All,
I've been running some tests on our production network regarding the idea of migrating our corporate wireless from WPA2-Enterprise to WPA3-Enterprise. We have several AP535s in our production environment, managed by one of them acting as the Virtual Controller, and we are using Windows NPS with EAP-TLS for RADIUS authentication.
When trying to complete this process, I noticed that Aruba offers three different operation modes for implementing WPA3-Enterprise:

Since I had no information on the difference between these operation modes, I did some online research and found the information below:
WPA3-Enterprise (CCM 128) - Transition mode, that allows WPA2-only capable clients to connect.
WPA3-Enterprise (GCM 256) - Only WPA3. Does not support WPA2 clients.
WPA3-Enterprise (CNSA) - 192-bit mode. WPA3 only and enforces specific EAP certificate ciphers.
I created a test SSID and tested the three operation modes, and these are the results:
CCM 128 - I am able to connect, but even WPA3-capable devices always negotiate WPA2-Enterprise as the type of security.
GCM 256 - I tested with several devices that support WPA3, but I am unable to connect at all.
CNSA - I was able to connect, and the tested laptops show "WPA3-Enterprise" as the security mode.
My doubts are as follows:
- I understand CCM 128 supports backward compatibility with WPA2 devices, but why does it also force devices that support WPA3-Enterprise to use WPA2-Enterprise instead?
- Not sure if the reason that the tested laptops reject "GCM 256" is simply because they don't support this type of operation mode or if I am missing some specific configuration on my NPS server. Whenever the authentication is completed by server-client certificates, it fails and ends up asking me for credentials that don't exist, as they are not supposed to be used by this type of authentication (EAP-TLS).
- CNSA provides "WPA3-Enterprise" as the type of security to the tested laptops. However, I'm not sure if this operation mode would support WPA2-only capable devices.
I have the impression that the connection problem and even the downgrading experience when using CCM 128 could have been related to the fact that the laptops only support CNSA:

Below is the full encryption type as listed by the Aruba Virtual Controller:
CCM 128
GCM 256
CNSA

What would be the recommended operation mode to use? Also, would the first option work at all by allowing both WPA3 and WPA2-capable devices to connect based on their compatibility? Or am I misunderstanding the way this operation mode actually works?
Sorry if my question got too long. I wanted to make sure I provided all the acquired information, and I asked the right questions that will guide me towards the best implementation of WPA3-Enterprise on Aruba APs.
Thanks in advance for your time.