This is crazy that it's not available on enterprise equipment, I have a Deco mesh that's supports it. 

I am happy to have WPA2 on old devices or IoT that are on different SSIDs and VLANs to isolate the risk, failback is a terrible idea to be forced.

  @jelmervdmeer / @Mjimsas I tried some testing with this by making the change. The Omada interface does show WPA3 only instead of WPA2/WPA3, but it does seem to be rather misleading. I noticed WPA2 kept being announced as a capability ([WPA2-PSK-CCMP-128][RSN-PSK+SAE-CCMP-128][ESS][MFPR][MFPC]). Just to be sure I forced a connection using WPA2 and... it worked. in spite of the controller stating WPA3 only.

If anyone has found the result to be different it's entirely possible of course. This is just what my Controller / AP combination ended up doing.

Controller is an OC200 running 1.37.11. APs are EAP615(EU) (1.5.4) and EAP610(EU) (1.4.4)

On windows I performed

1. netsh wlan export profile name="<wifi name>" folder=C:\temp
2. Changed  <authentication>WPA3SAE</authentication> to  <authentication>WPA2PSK</authentication>
   As per https://learn.microsoft.com/en-us/windows/win32/nativewifi/wlan-profileschema-authencryption-security-element
3. netsh wlan add profile filename="C:\temp\<filename>.xml"
4. (Re)connect to Wifi network
5. Wlan Properties in windows (Wifi -> Click on "Properties").
6. Scroll down to Properties - Security Type shows WPA2-Personal