Hello Attila
Happy New Year to you too!
The GCMP encryption option is listed under WPA2 Encryption in the WLC settings because some WPA2 implementations, particularly those used in 802.11ac and 802.11ax (Wi-Fi 5 and Wi-Fi 6), can actually use GCMP. It’s not common, but it is possible, hence its inclusion in the options. However, it’s more commonly used with WPA3, as you’ve rightly pointed out.
No, officially, WPA2 should not support GCMP, and according to the Wi-Fi Alliance, which has published the WPA2 and WPA3 standards, WPA2 does not support it. However, because many manufacturers use IEEE standards that do support it, they must indicate this in some way on their interfaces. I believe that this is what happened here, where the GCMP option was placed under the WPA2 encryption section.
Remember, vendors don’t always conform exactly to the standards they deliver, and I believe that this is a case where Cisco has chosen to adhere more to the 802.11ac and ax standards rather than the WPA2 standard.
The “combo” option of any type doesn’t mean that both security definitions are used simultaneously on a client. It simply means that the AP can connect to clients using either WPA2 or WPA3. It’s really providing backward compatibility with older devices that may only support WPA2, while also offering the enhanced security features of WPA3 for newer devices. You’re right, they could have also included a WPA+WPA3 combo. I believe that it is technically possible, but I can’t think of any situation in which you would want to choose such an option. So I believe that it was more of a design choice of the WLC engineers rather than a technical impossibility.
If you’re in an environment where WPA3 is available, you wouldn’t want to use WPA. In fact, it is best practice not to use it ever.
I hope this has been helpful!
Laz
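
Added example, not part of the reply above and not Cisco code: a small parser for the RSN element an AP puts in its beacons, showing how a "combo" SSID advertises both a PSK and an SAE AKM in one element and how a GCMP cipher can sit beside a WPA2 AKM. The suite selector values are the IEEE 802.11 assignments under OUI 00-0F-AC; the function names, the personal-mode-only labels and the two sample elements are constructed for illustration.

```python
import struct

OUI = bytes.fromhex("000fac")  # OUI used by IEEE 802.11 suite selectors
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}

def _name(sel, table):
    """Map one 4-byte suite selector (OUI + type) to a readable name."""
    if sel[:3] == OUI and sel[3] in table:
        return table[sel[3]]
    return "unknown:" + sel.hex()

def _suite_list(body, off, table):
    """Read a little-endian count, then that many selectors; return names and next offset."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite list runs past end of element")
    return [_name(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn(ie):
    """Parse an RSN element (ID 48): group cipher, pairwise ciphers, AKMs, PMF bits."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akms": akms,
            "pmf_capable": bool(caps & 0x80), "pmf_required": bool(caps & 0x40)}

def classify(rsn):
    """Personal-mode label: PSK AKMs count as WPA2, SAE as WPA3, both as combo."""
    akms = set(rsn["akms"])
    wpa2, wpa3 = bool(akms & {"PSK", "PSK-SHA256"}), "SAE" in akms
    return {(True, True): "WPA2+WPA3 combo", (True, False): "WPA2",
            (False, True): "WPA3"}.get((wpa2, wpa3), "other")

# Constructed sample elements (not captured traffic).
COMBO = bytes.fromhex("3018" "0100" "000fac04" "0100000fac04" "0200000fac02000fac08" "8000")
WPA2_GCMP = bytes.fromhex("3014" "0100" "000fac08" "0100000fac08" "0100000fac02" "0000")

if __name__ == "__main__":
    for ie in (COMBO, WPA2_GCMP):
        print(classify(parse_rsn(ie)), parse_rsn(ie))
```

In the combo element the client picks one AKM from the list when it associates, which is why the two security definitions are never in use at the same time on a single client.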