802.11r Fast Transition how to understand that FT works?

Who manufactures the tablet? Android has always been very iffy when it comes to 802.11r support.

It is Samsung Galaxy Tab S5e
(Otherwise a great tablet)

Ah, ok. Samsung is actually pretty good with 802.11r, but only their very newest kit supports FT-SAE I believe.

Here's my actual config.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option country 'BR'
        option band '2g'
        option channel '1'
        option txpower '20'
        option htmode 'HT20'
        option log_level '1'

config wifi-iface 'Cote_radio0'
        option device 'radio0'
        option ifname 'wlan2g'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID'
        option encryption 'sae'
        option key '***KEY***'
        option ieee80211w '2'
        option ieee80211r '1'
        option ft_psk_generate_local '0'
        option ft_over_ds '0'
        option reassociation_deadline '20000'
        option ieee80211k '1'
        option bss_transition '0'
        option ieee80211v '1'
        option dtim_period '4'
        option disassoc_low_ack '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option country 'BR'
        option band '5g'
        option channel '149'
        option htmode 'HE80'
        option he_bss_color '31'
        option he_su_beamformee '1'
        option log_level '1'

config wifi-iface 'Cote_radio1'
        option device 'radio1'
        option ifname 'wlan5g'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID'
        option encryption 'sae'
        option key '***KEY***'
        option ieee80211w '2'
        option ieee80211r '1'
        option ft_psk_generate_local '0'
        option ft_over_ds '0'
        option reassociation_deadline '20000'
        option ieee80211k '1'
        option bss_transition '0'
        option ieee80211v '1'
        option dtim_period '4'
        option disassoc_low_ack '0'

Here's my openwrt_release

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='cote-2023-01'
DISTRIB_REVISION='r21780+20-feeec1e14f'
DISTRIB_TARGET='mediatek/mt7622'
DISTRIB_ARCH='aarch64_cortex-a53'
DISTRIB_DESCRIPTION='OpenWrt cote-2023-01 r21780+20-feeec1e14f'
DISTRIB_TAINTS='busybox'

My custom changes should not affect anything configured above. I haven't tested with iOS devices hands-on, but I haven't received any complaints for a while now.

Cheers,

Good to hear that WPA3 roaming works for you with such a simple config (without manual r0kh and r1kh settings).

Am I mistaken in thinking that this won't work with some older devices like simpler 2.4GHz smart plugs?

Good question - maybe for those who have more sensitive (older ;-)) devices sae-mixed would be better?

You're right. Older devices do not support WPA3.
And surprisingly new devices may have trouble with WPA3+802.11r

Generally the mixed WPA2/WPA3 may cause problems compared to plain WPA3. Some devices react badly especially to the 802.11w=optional setting. So it might be better to have pure WPA2 SSID and pure WPA3 SSID.

1 Like

Continuing this aspect - would you rather recommend having same SSID (on same channel) with WPA2 and WPA3 or you are suggesting totally different SSID?

Don't use the same ESSID for different access credentials or encryption methods (wpa2-only and wpa3-only are not compatible).

3 Likes

It works with 22.03 and master. See

It will generate a default value for mobility_domain from the md5 of the ssid, and the key from the combination mobility_domain and PSK (or the EAP auth secret, if set). So this will work across routers, and it is good enough.

The caveat is that OpenWrt 21.02 will silently work with this setup, but it does not use the PSK to generate the FT key. So the key would be trivially calculated from the SSID alone. That's why I do not usually advertise this setup.

1 Like
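The default derivation described in the post above, modelled as an added example (not part of the original thread and not OpenWrt's own script). It shows why a derived FT key that leaves out the PSK is only as secret as the SSID. The function names, the `<mobility_domain>/<secret>` string layout and the sample PSKs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: models the defaults described in the thread.
# Assumption: the key input is "<mobility_domain>/<secret>"; the real
# script's exact string layout may differ.

# Default mobility_domain: first 4 hex digits of md5(ssid).
derive_mobility_domain() {   # $1 = ssid
    printf '%s\n' "$1" | md5sum | head -c 4
}

# Behaviour described for 22.03/master: the key depends on the
# mobility_domain AND the PSK (or the EAP auth secret).
derive_ft_key() {            # $1 = ssid, $2 = PSK or auth secret
    md="$(derive_mobility_domain "$1")"
    printf '%s' "$md/$2" | md5sum | cut -d' ' -f1
}

# Behaviour described for 21.02: the PSK is not mixed in, so the
# only input is a value computed from the SSID.
derive_ft_key_legacy() {     # $1 = ssid (a second argument is ignored)
    md="$(derive_mobility_domain "$1")"
    printf '%s' "$md/" | md5sum | cut -d' ' -f1
}

# Audit check: succeeds only if changing the PSK changes the key.
key_depends_on_psk() {       # $1 = derivation function, $2 = ssid
    a="$("$1" "$2" 'constructed-psk-A')"
    b="$("$1" "$2" 'constructed-psk-B')"
    [ "$a" != "$b" ]
}

for fn in derive_ft_key derive_ft_key_legacy; do
    if key_depends_on_psk "$fn" 'SSID'; then
        echo "$fn: derived key is bound to the PSK"
    else
        echo "$fn: derived key is a function of the SSID only"
    fi
done
```

The manual r0kh and r1kh settings mentioned earlier in the thread are the alternative to relying on these derived defaults.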

One more question regarding your config. You've set bss_color - is it the same on all APs?
Do you use different channel per APs for both 2.4 and 5G devices?

Currently I use different channel for each AP (on 2.4 and 5) and those options are missing from config (so on default values - 1 and 0 respectively)

he_bss_color should be different among the APs.

How to choose the bss color value?

+1 to color question - I guess it can be random tho (between 1-32 values)

Regarding config you've posted, main differences I see between our configs:
option bss_transition '1'
it's same as
option ieee80211v '1'
regarding to docs:

but as I remember it was throwing error few months ago.

You use HT20 instead of HE20 for 2.4GHz - why?
Docs say HE is for 'ax' networks.

I also have:

        option time_advertisement '2'
        option time_zone '[my TZ]'
        option wnm_sleep_mode '1'

added.

I'm digging as I'd like to try fine-tune my config.
Do you use any roaming assistant like usteer or DAWN?
And wpad-openssl or wpad-wolfssl, does it matter?

case "$auth_type" in
psk|sae|psk-sae)

Seeing this code, it searches for psk, sae or psk-sae. I can't find psk-sae in the valid options for OpenWrt. Maybe it is sae-mixed? Or is it some old option?

I use dawn, but currently only for populating neighbor reports; I turn it on sometimes. Most of my clients roam OK on their own. ieee80211v is a noop currently. I should have removed it from the config.

You can manually set he_bss_color from 1-63. If you set it >=64, then a random one will be used. A value of 0 disables it. If unset, OpenWrt defaults to 128.

1 Like

I set that way:

Main router:
2.4 GHz - bss_color=8
5 GHz - bss_color=16

AP:
2.4 GHz - bss_color=24
5 GHz - bss_color=32

Is that ok ?

1 Like

I believe so.