802.11r Fast Transition how to understand that FT works?

With this you mean ntpd, or ntpclient?

I guess it's ntpclient to have time exactly synched?

--EDIT:
I started to dig further into the time thing and there's an interesting thread.
I don't know if it's fixed tho, but time seems to be an important part of time advertisement

1 Like

I'm having a hell of a time getting devices to smoothly transition from one AP to another. All running OpenWRT 21.02, all with the same SSID and FT configured. FT actually works, but the network doesn't...

Something I learned about hostapd logging: you can turn on debug logging using

uci set wireless.radio0.log_level=1

but restarting hostapd (e.g. service hostapd restart) is not sufficient. I ended up doing service network restart and that finally regenerated the right config file so debug logging turned on.

The problem I'm having is that after my phone (pixel3a) switches to another AP it does not receive anything. It ARPs and pings (I'm running WifiMan signal mapper) and never receives a reply.

Here's what syslog says. Note "802.11: authentication OK (FT)". But 4 seconds after authenticating it disconnects and unless I'm misinterpreting something, that disconnect comes from the device.

Fri Sep  9 11:00:28 2022 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: binding station to interface 'wlan1'
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: authentication OK (FT)
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb MLME: MLME-AUTHENTICATE.indication(58:cb:52:38:a3:bb, FT)
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: association OK (aid 2)
Fri Sep  9 11:00:28 2022 daemon.info hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: associated (aid 2)
Fri Sep  9 11:00:28 2022 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 58:cb:52:38:a3:bb
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb MLME: MLME-REASSOCIATE.indication(58:cb:52:38:a3:bb)
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: binding station to interface 'wlan1'
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb WPA: event 6 notification
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb WPA: FT authentication already completed - do not start 4-way handshake
Fri Sep  9 11:00:32 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 58:cb:52:38:a3:bb
Fri Sep  9 11:00:32 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb WPA: event 3 notification
Fri Sep  9 11:00:32 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.1X: unauthorizing port
Fri Sep  9 11:00:32 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: deauthenticated
Fri Sep  9 11:00:32 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb MLME: MLME-DEAUTHENTICATE.indication(58:cb:52:38:a3:bb, 3)
Fri Sep  9 11:00:32 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb MLME: MLME-DELETEKEYS.request(58:cb:52:38:a3:bb)
Fri Sep  9 11:01:00 2022 cron.err crond[1079]: USER root pid 2920 cmd /root/iwinfo_stations.sh

I've done tcpdumps on the AP and on my router and the router receives the ARP requests and replies but the replies never show up at the ethernet port of the AP. I have relatively old D-Link Gbit smart switches and I'm wondering whether they are messing something up. I'm now working my way through port mirroring on the switches to determine where the reply packets end up... I'm using VLANs which adds yet another wrinkle to everything...

If anyone has seen anything like this and has suggestions I'm all ears! I know it's slightly tangential to FT but it's still part of the larger picture of "does fast roaming from one AP to another work?"

Learn to manually configure 802.11r roaming to work with WPA2 and WPA3, You'll own nothing and you'll be happy.

Generate a 128-bit key via SSH with the following command:

dd if=/dev/random bs=16 count=1 2>/dev/null | md5sum | awk '{print $1}'

Tutorial to learn how to manually configure 802.11r roaming:
https://www.reddit.com/r/openwrt/comments/515oea/finally_got_80211r_roaming_working/

Something like this: (All AP MACs have to be lowercase letters)

Configuration for AP 1 with BSSID 11:22:33:44:55:00 (AP 1 MAC):

	option ieee80211r '1'
	option mobility_domain '2222'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '0'
	option nasid '112233445500'
	option r1_key_holder '112233445500'
	option pmk_r1_push '1'
	list r0kh '11:22:33:44:55:00,112233445500,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:01,112233445501,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:02,112233445502,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:00,11:22:33:44:55:00,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:01,11:22:33:44:55:01,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:02,11:22:33:44:55:02,18880d5278d2eb37a744f5ab57bba6fb'


Configuration for AP 2 with BSSID 11:22:33:44:55:01 (AP 2 MAC):

	option ieee80211r '1'
	option mobility_domain '2222'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '0'
	option nasid '112233445501'
	option r1_key_holder '112233445501'
	option pmk_r1_push '1'
	list r0kh '11:22:33:44:55:00,112233445500,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:01,112233445501,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:02,112233445502,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:00,11:22:33:44:55:00,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:01,11:22:33:44:55:01,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:02,11:22:33:44:55:02,18880d5278d2eb37a744f5ab57bba6fb'


Configuration for AP 3 with BSSID 11:22:33:44:55:02 (AP 3 MAC):

	option ieee80211r '1'
	option mobility_domain '2222'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '0'
	option nasid '112233445502'
	option r1_key_holder '112233445502'
	option pmk_r1_push '1'
	list r0kh '11:22:33:44:55:00,112233445500,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:01,112233445501,18880d5278d2eb37a744f5ab57bba6fb'
	list r0kh '11:22:33:44:55:02,112233445502,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:00,11:22:33:44:55:00,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:01,11:22:33:44:55:01,18880d5278d2eb37a744f5ab57bba6fb'
	list r1kh '11:22:33:44:55:02,11:22:33:44:55:02,18880d5278d2eb37a744f5ab57bba6fb'

Or use this script to help you generate the configuration you need:

OpenWrt 802.11r FT roaming helper script:

1 Like
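The three stanzas in the post above differ only in nasid and r1_key_holder, so they can be generated from one list of BSSIDs. This is an added example, not the helper script the post refers to; the function name ft_stanza and the FT_MOBILITY_DOMAIN variable are hypothetical, and it assumes every AP shares one key and uses its BSSID without colons as nasid, as in the post.

```shell
#!/bin/sh
# Added example (not the helper script referenced in the thread).
# Assumptions: all APs share one key; nasid / r1_key_holder are the BSSID
# without colons, as in the three stanzas above.

# ft_stanza OWN_BSSID KEY BSSID...   prints the FT options for one AP
ft_stanza() {
    own=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    key=$2
    shift 2

    # The key must be hex; 32 digits is the 128-bit length used above.
    case "$key" in
        ''|*[!0-9a-f]*) echo "key must be lowercase hex" >&2; return 1 ;;
    esac
    [ "${#key}" -ge 32 ] || { echo "key shorter than 128 bits" >&2; return 1; }

    peers=""
    found=0
    for mac in "$@"; do
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # MACs must be lowercase
        printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
            { echo "bad BSSID: $mac" >&2; return 1; }
        if [ "$mac" = "$own" ]; then found=1; fi
        peers="$peers $mac"
    done
    # The stanzas above list every AP, including the AP being configured.
    [ "$found" -eq 1 ] || { echo "own BSSID $own not in AP list" >&2; return 1; }

    id=$(printf '%s' "$own" | tr -d ':')
    printf "\toption ieee80211r '1'\n"
    printf "\toption mobility_domain '%s'\n" "${FT_MOBILITY_DOMAIN:-2222}"
    printf "\toption reassociation_deadline '20000'\n"
    printf "\toption ft_over_ds '0'\n"
    printf "\toption ft_psk_generate_local '0'\n"
    printf "\toption nasid '%s'\n" "$id"
    printf "\toption r1_key_holder '%s'\n" "$id"
    printf "\toption pmk_r1_push '1'\n"
    # r0kh entries: BSSID, NAS ID, key
    for mac in $peers; do
        printf "\tlist r0kh '%s,%s,%s'\n" "$mac" "$(printf '%s' "$mac" | tr -d ':')" "$key"
    done
    # r1kh entries: BSSID, R1 key holder ID (the BSSID again), key
    for mac in $peers; do
        printf "\tlist r1kh '%s,%s,%s'\n" "$mac" "$mac" "$key"
    done
}

# Demo with the sample BSSIDs and sample key from the post (AP 2);
# generate your own key for a real network.
ft_stanza 11:22:33:44:55:01 18880d5278d2eb37a744f5ab57bba6fb \
    11:22:33:44:55:00 11:22:33:44:55:01 11:22:33:44:55:02
```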

I do want to own things...

In the log I posted you can clearly see:

Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb IEEE 802.11: authentication OK (FT)                      
...
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 58:cb:52:38:a3:bb WPA: FT authentication already completed - do not start 4

So FT itself works. It's just that packets are not forwarded to the new STA. See also ongoing discussion in Android device disconnects after fast roaming due to lost DHCP replies - #7 by psherman

1 Like

Updated on 02/22/2023

I'm not sure if this will help you, but you can try this.

Paste via SSH these commands ONLY on your wireless access point devices:
(Do not paste it on the device that works as a router)

# ******* #
# Dumb AP #
# ******* #

# IP address for the dumb access point
DUMB_AP_IP="192.168.1.2"

# IP address of the main router
MAIN_ROUTER_IP="192.168.1.1"

##############################################

# Change the LAN interface protocol to "Static address", set the IP address for the dumb AP and disable the DHCP/DHCPv6 server
uci set network.lan.proto="static"
uci set network.lan.ipaddr="$DUMB_AP_IP"
uci set network.lan.netmask="255.255.255.0"
uci set network.lan.gateway="$MAIN_ROUTER_IP"
uci -q del network.lan.dns
uci add_list network.lan.dns="$MAIN_ROUTER_IP"
uci set dhcp.lan.ignore="1"
uci del dhcp.lan.ra
uci del dhcp.lan.ra_flags
uci del dhcp.lan.ra_slaac
uci del dhcp.lan.dhcpv6
uci del dhcp.lan.domain
uci del dhcp.lan.ndp

# Remove WAN and WAN6 interfaces
uci del dhcp.wan
uci del network.wan
uci del network.wan6
uci del firewall.@zone[1].network

# Disable these services because they do not run on dumb APs
for i in dnsmasq firewall odhcpd; do
    if /etc/init.d/"$i" enabled; then
        /etc/init.d/"$i" disable
        /etc/init.d/"$i" stop
    fi
done

# Disable daemons persistently
cat << "EOF" > /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# Disable these services because they do not run on dumb APs
for i in dnsmasq firewall odhcpd; do
    if /etc/init.d/"$i" enabled; then
        /etc/init.d/"$i" disable
        /etc/init.d/"$i" stop
    fi
done

exit 0
EOF

# Saving all modified values
uci commit
reload_config

Here are these guides for you to learn how to configure the dumb ap or mesh network correctly:

1 Like

I thought I'd follow up here on the resolution of my issues.

  • I have 7 APs, all different models, that are now doing FT nicely.
  • I do not believe the firewall/dnsmasq/odhcpd changes suggested by 72105 are necessary: 6 of my APs are running these services just fine, but what 72105 suggested caused me to rebuild the config of the problematic AP and that fixed something. My suspicion is with some VLAN stuff (it's a MikroTik hAP ac2 that has a built-in switch and some stuff is funky).

To see whether FT is working I highly recommend two things. First, turn debug logging for hostapd on:

uci set wireless.radio0.log_level=1
uci set wireless.radio1.log_level=1  # for dual-band AP
uci commit wireless
/etc/init.d/network restart

You will now see log lines where the following indicates FT:

Sat Sep 10 21:20:53 2022 [1662870053.646] daemon.debug hostapd: wlan1: STA 00:00:00:00:00:00 IEEE 802.11: authentication OK (FT)
...
Sat Sep 10 21:20:53 2022 [1662870053.696] daemon.debug hostapd: wlan1: STA 00:00:00:00:00:00 WPA: FT authentication already completed - do not start 4-way handshake

versus:

Sun Sep 11 00:31:33 2022 daemon.debug hostapd: wlan0: STA 00:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake
Sun Sep 11 00:31:33 2022 daemon.debug hostapd: wlan0: STA 00:00:00:00:00:00 WPA: received EAPOL-Key frame (2/4 Pairwise)
Sun Sep 11 00:31:33 2022 daemon.debug hostapd: wlan0: STA 00:00:00:00:00:00 WPA: sending 3/4 msg of 4-Way Handshake
Sun Sep 11 00:31:33 2022 daemon.debug hostapd: wlan0: STA 00:00:00:00:00:00 WPA: received EAPOL-Key frame (4/4 Pairwise)

The second recommendation, if you have an Android phone, is to use the Ubiquiti WiFiMan app:

  • When you open it, hit "wireless" bottom center. Then select your SSID and you'll see all your APs.
  • Then select "signal mapper". This shows you signal strength and latency to 8.8.8.8.
  • In addition, and this is the interesting part, it shows you the AP transitions at the bottom.

When the device roams from one AP to another you either see

AP1 --> AP2

which means FT, or you see

AP1 --> disconnected
disconnected --> AP2

which means 4-way-hs. You can then walk around and see where signal strength drops off and when the device roams and how it does it.

For completeness, here's a typical /etc/config/wireless interface config on my APs:

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid '*****'
        option max_inactivity '20'
        option encryption 'psk2+ccmp'
        option key '********'
        option ieee80211r '1'
        option mobility_domain 'f00d'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'
9 Likes
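The two log signatures from the post above, turned into a per-station check. This is an added example, not code from the thread: it counts FT roams versus full 4-way handshakes and flags a disconnect shortly after an FT roam, the symptom from the earlier post where FT succeeded but no traffic arrived. It assumes one AP's logread output in the format quoted above; the function names, sample lines and MAC addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the logread line layout quoted
# above ("Dow Mon DD HH:MM:SS YYYY ... hostapd: IFACE: ...") from a single AP,
# with debug logging on and all lines from the same day.

# classify_roams [WINDOW_SECONDS]   reads syslog on stdin, one result line per STA
classify_roams() {
    awk -v window="${1:-10}" '
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    BEGIN {
        hx = "[0-9a-f][0-9a-f]"
        mac_re = hx ":" hx ":" hx ":" hx ":" hx ":" hx
    }
    # Only hostapd lines that name a station are of interest.
    !/hostapd:/ || !match($0, mac_re) { next }
    {
        mac = substr($0, RSTART, RLENGTH)
        now = secs($4)
        seen[mac] = 1
    }
    # FT roam: the AP skips the 4-way handshake.
    /FT authentication already completed/ { ft[mac]++; last_ft[mac] = now }
    # Full (non-FT) association: the AP starts the 4-way handshake.
    /sending 1\/4 msg of 4-Way Handshake/ { full[mac]++ }
    # Station gone within WINDOW seconds of an FT roam: FT itself worked,
    # so look at the data path (switch, VLAN, bridge), not at 802.11r.
    /AP-STA-DISCONNECTED/ {
        if (mac in last_ft) {
            dt = now - last_ft[mac]
            if (dt >= 0 && dt <= window) early[mac]++
            delete last_ft[mac]
        }
    }
    END {
        for (m in seen)
            printf "%s ft=%d full=%d early_drop=%d\n", m, ft[m], full[m], early[m]
    }' | sort
}

# Constructed sample lines modelled on the logs quoted in this thread.
sample_log() {
    cat <<'EOF'
Fri Sep  9 11:00:28 2022 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 02:00:00:00:00:01 IEEE 802.11: authentication OK (FT)
Fri Sep  9 11:00:28 2022 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 02:00:00:00:00:01
Fri Sep  9 11:00:28 2022 daemon.debug hostapd: wlan1: STA 02:00:00:00:00:01 WPA: FT authentication already completed - do not start 4-way handshake
Fri Sep  9 11:00:32 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 02:00:00:00:00:01
Fri Sep  9 11:05:10 2022 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:02 WPA: sending 1/4 msg of 4-Way Handshake
Fri Sep  9 11:05:10 2022 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:02 WPA: received EAPOL-Key frame (4/4 Pairwise)
Fri Sep  9 11:20:53 2022 [1662870053.646] daemon.debug hostapd: wlan1: STA 02:00:00:00:00:03 IEEE 802.11: authentication OK (FT)
Fri Sep  9 11:20:53 2022 [1662870053.696] daemon.debug hostapd: wlan1: STA 02:00:00:00:00:03 WPA: FT authentication already completed - do not start 4-way handshake
EOF
}

# On an AP: logread | classify_roams 10
sample_log | classify_roams 10
```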

Thank you for sharing your findings. Although while checking with WiFi man and logs I see device 'roams', but it does it with huge signal drop and dead connection between 1st and 3rd floor, while there's AP in the middle while going on stairs fully available... So will still debug further.

You have all other options left as default? No 802.11w/k/v blank?
And Wi-Fi channels between those 7 APs - I guess they are all different or you keep them on the same channel?
Do you use same SSID for 2.4 and 5 network?
I can also see you lack 'nasid' which is marked as required within documentation?

This setting should work for WPA2-PSK and 802.11r, it should work in most cases (although not most secure)

Just sharing here in case someone needs it.

openwrt 21.02.3
Encryption: WPA2-PSK
Cipher: Force CCMP (AES)
NAS ID (AP1): APONE
NAS ID (AP2): APTWO
Mobility Domain: bc23
Reassociation Deadline: 20000
FT Protocol: FT over the air
Generate PMK locally: True
802.11w management frame protection: optional or I suggest turning it off (maximum compatibility)
KRACK protection: True

2 Likes

Everything else is default and the AP channels are relatively diverse. I use 1/6/11 and 36/42/149/157 (40 MHz). I do now inject the rrm neighbor's information into hostapd, but that's really an optimization and not necessary for basic FT functioning.

The NasID is unset 'cause I use WPA2-PSK (the UI states "Not needed with normal WPA(2)-PSK.")

I do have issues around the house entrance where taking a step around a corner ought to switch between 2 APs and sometimes the phone does and sometimes it doesn't. In your case, ensure you can FT to all the bands of all the APs before trying to deal with the problem spots.

@effluxwave88

Is this still the recommended config? Should this just be on the AP or on the main router as well?

I'm currently running it on both and still seem to have problems with an iPad connecting and maintaining a connection.

I've been trying to get 802.11r working without luck for some time... Now I'm writing here to see if someone knows what I'm doing wrong.

I have two APs, Xiaomi AX3600, with different SSIDs for 5G and 2.4G. One of them has another two guest networks. I only want the main 5G SSID to roam.

If I run this command:

ubus call hostapd.wlan5g bss_transition_request '{"addr": "xx:xx:xx:xx:xx:xx", "disassociation_imminent": false, "disassociation_timer": 1500, "validity_period": 30, "neighbors": ["xxxxxxxxxxxx"], "abridged": 1 }'

the device disconnects and connects to the other AP, but without fast transition.
I've tested several combinations of parameters, but I ended up with:

  • I was on mixed WPA3/WPA2; I changed to WPA2-PSK because in this thread it's not clear what configuration WPA3 needs.
  • I started by leaving all the fields (nasid, mobility domain) blank, with generating PMK locally enabled, without luck. Tested adding a custom nasid and the same mobility domain for both SSIDs, without luck either.
  • I used the python script to generate the 802.11r config, removed the generating PMK locally, and tested. Without luck either.
  • I added the reassociation deadline, which seems to fix some issues, without luck again.
  • I'm not too sure whether my phone, a Pixel 4, supports 802.11r, but I tested with my wife's phone, a Pixel 3a, which I've seen in this thread works for others.

I don't know what more to test; this is how my config looks after all the changes:

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'XXXXXX'
        option ifname 'wlan5g'
        option ieee80211r '1'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'CET-1CEST,M3.5.0,M10.5.0/3'
        option ieee80211k '1'
        option key 'XXXXXXXX'
        option ft_over_ds '0'
        option nasid 'XXXXXX'
        option mobility_domain 'XXXX'
        option ft_psk_generate_local '0'
        option r1_key_holder 'XXXXXX'
        option pmk_r1_push '1'
        option reassociation_deadline '20000'
        list r0kh 'XX:XX:XX:XX:XX:XX,XXXXXXXXXXXX,fe75XXXXXXXXXXXXXXXae3'
        list r0kh 'XX:XX:XX:XX:XX:XX,XXXXXXXXXXXX,fe75XXXXXXXXXXXXXXXae3'
        list r1kh 'XX:XX:XX:XX:XX:XX,XX:XX:XX:XX:XX:XX,feXXXXXXXXXXXXXXXXXXae3'
        list r1kh 'XX:XX:XX:XX:XX:XX,XX:XX:XX:XX:XX:XX,feXXXXXXXXXXXXXXXXXXae3'
        option encryption 'psk2'
        option rrm_neighbor_report '1'
        option rrm_beacon_report '1'

The keys were generated by the python program and I reviewed them and they seem correct.

Any idea what to test?

I have a similar configuration:

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option dtim_period '3'
        option key 'xxxxxxxxxxxxxxx'
        option ieee80211r '1'
        option mobility_domain 'XXXX'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ssid 'xxxxxx'
        option wpa_group_rekey '86400'
        option nasid 'xxlocalmacxx'
        option ieee80211v '1'
        option ieee80211k '1'
        option time_advertisement '2'
        option time_zone 'GMT0'
        option rrm_neighbor_report '1'
        option rrm_beacon_report '1'
        option wnm_sleep_mode '1'
        option bss_transition '1'

Main difference is ft_psk_generate_local '1' (simpler)
I'm using the same mobility_domain for all AP
nasid was set to AP MAC (but I remember it was also working when it was not set)

I have few android devices roaming correctly (AP-STA-DISCONNECTED without EAPOL-4WAY-HS-COMPLETED)
other devices seem not to support 802.11r at all (PCs for example)

3 Likes

Thanks for the answer! Yes, that is the strange thing. I've read the whole thread, and tried all the different configurations without luck.
For this reason I was thinking my Pixel 4 was not supported, but in other messages of this thread several people say the Pixel 3a of my wife must work. In my case, none of them work :frowning:

Oh man I feel your pain. In my case with 3xRT3200's I just set it up in LuCi (WPA2-PSK) with all defaults save for setting FT over air and reassociation deadline to 20000 and it just works even for Pixel 3a. I could post my config if that'd be helpful.

I do have some trouble with Apple devices getting disconnects or connectivity issues requiring manual WiFi disconnection and reconnection at the device.

Maybe you already know it, just putting it here

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'same-ssid-5g'
        option key 'samepassword'
        option wpa_disable_eapol_key_retries '1'
        option disassoc_low_ack '0'
        option ieee80211r '1'
        option mobility_domain 'a76c'
        option nasid '3345B3C6F232'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2+ccmp'
        option max_inactivity '120'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'same-ssid-5g'
        option key 'samepassword'
        option wpa_disable_eapol_key_retries '1'
        option disassoc_low_ack '0'
        option ieee80211r '1'
        option mobility_domain 'a76c'
        option nasid '334700DD434A'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2+ccmp'
        option max_inactivity '120'

the key point for simplest setup is

  1. same ssid
  2. same password
  3. different channel
  4. same mobility domain
  5. different nasid
  6. reassociation deadline 20000
  7. generate psk locally
  8. ft over air
  9. don't set r0 and r1
  10. proper wifi signal strength (don't be too strong nor too weak)
2 Likes

I will try again this weekend with your steps, but in theory this was tested several times. Maybe I forgot something. Who knows. :slight_smile:

If you're using WPA2-PSK you shouldn't have to put in anything for NASID. Have you tried it without?

One thing that seems strange to me, I don't know if it's related...
If I list the ubus hostapd commands, I can see the bss_mgmt_enable command available:

root@router-comedor:~# ubus -v list hostapd.wlan5g
'hostapd.wlan5g' @1b0f88fe
        "reload":{}
        "get_clients":{}
        "get_status":{}
        "del_client":{"addr":"String","reason":"Integer","deauth":"Boolean","ban_time":"Integer"}
        "update_airtime":{"sta":"String","weight":"Integer"}
        "list_bans":{}
        "wps_start":{}
        "wps_status":{}
        "wps_cancel":{}
        "update_beacon":{}
        "get_features":{}
        "switch_chan":{"freq":"Integer","bcn_count":"Integer","center_freq1":"Integer","center_freq2":"Integer","bandwidth":"Integer","sec_channel_offset":"Integer","ht":"Boolean","vht":"Boolean","he":"Boolean","block_tx":"Boolean","force":"Boolean"}
        "set_vendor_elements":{"vendor_elements":"String"}
        "notify_response":{"notify_response":"Integer"}
        "bss_mgmt_enable":{"neighbor_report":"Boolean","beacon_report":"Boolean","link_measurement":"Boolean","bss_transition":"Boolean"}
        "rrm_nr_get_own":{}
        "rrm_nr_list":{}
        "rrm_nr_set":{"list":"Array"}
        "rrm_beacon_req":{"addr":"String","mode":"Integer","op_class":"Integer","channel":"Integer","duration":"Integer","bssid":"String","ssid":"String"}
        "link_measurement_req":{"addr":"String","tx-power-used":"Integer","tx-power-max":"Integer"}
        "bss_transition_request":{"addr":"String","disassociation_imminent":"Boolean","disassociation_timer":"Integer","validity_period":"Integer","neighbors":"Array","abridged":"Boolean","dialog_token":"Integer","mbo_reason":"Integer","cell_pref":"Integer","reassoc_delay":"Integer"}

But if I try to execute it, I get an error of command not supported:

root@router-comedor:~# ubus call hostapd.wlan5g bss_mgmt_enable
Command failed: Operation not supported

or

root@router-comedor:~# ubus call hostapd.wlan5g bss_mgmt_enable '{"neighbor_report":true,"beacon_report":true,"link_measurement":true,"bss_transition":true}'
Command failed: Invalid command

Is this expected? Am I doing something wrong?

do you have full version of wpad/hostapd installed or -basic one?