Do check logs to confirm that FT works. Can't do this by "feeling".
Users in WLAN that i manage also roam and don't complain, but i know that FT does not work for them. 
I was able to get some FTs (Samsung Galaxy A02 as a client, Linksys E8450 and Netgear WAX202 as access points), but won't say that it is reliable. Most of the time, the client just lingers on one AP.
Yes, totally sure by log:
Sun Feb 5 09:56:12 2023 daemon.notice hostapd: wlantest2: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx auth_alg=ft
I've tried to do the same with only one AX3600, one 2.4 and one 5.4Ghz sid, and the fast roaming has worked perfectly. Now I need to investigate why it does not work between two different APs.
Here is my wirelss config in case this helps:
root@OpenWrt:~/cake-autorate# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT40'
option country 'GB'
option noscan '1'
option cell_density '2'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option wds '1'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'guest'
option dtim_period '3'
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'HE80'
option country 'GB'
option he_bss_color '8'
option he_su_beamformee '1'
option cell_density '2'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option wds '1'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
Pixel 3a and Windows laptops transition fine between 3x RT3200's connected via WDS. Apple devices have always been a little problematic. I'm not sure if this is an FT problem or something else but there are quite a few reports of issues on this forum - see e.g. :
Finally I have it working, but I don't know why...
I added a test SSID at both APs, and for my surprise the FT worked at first attempt. I compared the configurations for old and new SSID and I didn't notice any change.
So I ended deleting the old SSID and renaming the test SSID for the old one. And it works.
Thanks to everyone that has tried to help suggesting changes or posting working configurations.
2 Likes
And you don't have any errors about command failed in logs? Can you post your config that is working for 2 APs?
That's great you got it working!
I tried ubus call hostapd.wlan1 bss_mgmt_enable '{"neighbor_report": true}' and it did not enable but in LuCI it enables so there just must be a syntax error or something.
Of course, but it's the basic configuration posted here several times, that for some unknown reason was not working for me and now it does:
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'XXXXXX'
option encryption 'psk2+ccmp'
option ifname 'wlan5g'
option key '************'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option ieee80211k '1'
option time_advertisement '2'
option time_zone 'CET-1CEST,M3.5.0,M10.5.0/3'
option wnm_sleep_mode '1'
option bss_transition '1'
option network 'lan'
1 Like
Thank you. I've noticed you posted it before, but it's best to know what exactly works and what it contains.
I will try it on my setup in spare time
@cotequeiroz
Does 802.11r still work for you with WPA3/SAE with the current OpenWrt master?
If yes, please share the working config.
1 Like
Very interested about this. Now that I have it working with WPA2, I'm curious if it can work with WPA3 and, if there is any possibility that it works with "WPA2 PSK/WPA3 SAE mixed mode" (sae-mixed).
I've tried sae-mixed without luck, it seems not working, adding the r0kh and r1kh as explained before for WPA3 SAE.
@hnyman and @cotequeiroz what I'd really like to figure out is how to get apple devices to work OK with my setup involving 3x RT3200's connected via WDS and FT. We still suffer from the problem that an apple device shows itself connected to WiFi, but there is no or very sluggish internet connectivity pending manually disabling and re-enabling WiFi to reconnect.
Android / Windows devices have always been fine. This issue only affects iPhone and iPad devices.
Here is my config:
root@OpenWrt:~/cake-autorate# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT40'
option country 'GB'
option noscan '1'
option cell_density '2'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option wds '1'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'guest'
option dtim_period '3'
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'HE80'
option country 'GB'
option he_bss_color '8'
option he_su_beamformee '1'
option cell_density '2'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option wds '1'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'XXX'
option encryption 'psk2'
option key 'XXX'
option ieee80211r '1'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
See discussion around here:
WDS? Do you have them on same channel? WDS require that AFAIR
Try Mesh11sd, you don't lose anything.
1 Like
i also use
config wifi-iface 'default_radio0'
option device 'radio0'
option wpa_group_rekey '3600'
setting DTIM in this section from default 2 to 3 did not help, yet still some (and apple docs) recommend it.
non-apple devices did not roam "well" with DTIM set to 3.
RouterOS (MikroTik) setting is (hardcoded) DTIM 1.
2 Likes
What does that do? Did it help your FT with Apple devices?
Maybe I'll undo DTIM set to 3 then.
I presently use WDS. Is mesh superior in respect of FT? Last time I tried mesh about a year ago it was unstable.
Wired AP > Mesh > WDS
I only use the "Static address" protocol on the LAN interface of the dumb AP or mesh node, because the "DHCP client" protocol is unstable.
Something like this happened to me when I use the "DHCP client" protocol on the dumb AP or mesh node and it was fixed when I changed to "Static address" protocol.
Very late reply, but I believe I have the same issue. On my FT-SAE network several Apple devices initially roam fine for a while after connecting, but after being connected to the network for some time they refuse to roam anymore. I believe this is due to a longstanding bug in the WiFi firmware, and I have been in contact with Apple several times to report this. They've asked for logs, which I've provided, and I'm now waiting for the iOS 16.4 beta to see whether it's been fixed. I wouldn't keep my hopes up though considering that the bug has at least been around since I got my iPhone 13 Mini shortly after launch.
1 Like
I have two access points running an FT-SAE network (WPA3 + 802.11r), and my config can be found below. I initially only sent it to @hnyman as a DM because I'm unsure what the different values actually do, and I feared that it might have been a security risk to post it (however slim). However, I've since changed all of my settings so there's no risk to posting this.
Router 1:
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae'
option key 'redacted'
option ieee80211r '1'
option ieee80211w '2'
option sae_pwe '2'
option ocv '1'
option ft_psk_generate_local '0'
option pmk_r1_push '1'
option nasid 'openwrt1'
option mobility_domain 'e1e2'
option r1_key_holder 'a040a07ccbb9'
list r0kh '08:02:8e:96:4a:d0,openwrt2,3ed67e18b353c6d80f5242e98e58a7efae9b9bc93903ecc32473c90c3c136ac6'
list r1kh '08:02:8e:96:4a:d0,08:02:8e:96:4a:d0,3ed67e18b353c6d80f5242e98e58a7efae9b9bc93903ecc32473c90c3c136ac6'
option ft_over_ds '0'
option iw_qos_map_set '0,63,255,255,255,255,255,255,255,255,255,255,255,255,255,255'
Router 2:
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae'
option key 'redacted'
option ieee80211r '1'
option ieee80211w '2'
option sae_pwe '2'
option ocv '1'
option ft_psk_generate_local '0'
option pmk_r1_push '1'
option nasid 'openwrt2'
option mobility_domain 'e1e2'
option r1_key_holder '08028e964ad0'
list r0kh 'a0:40:a0:7c:cb:b9,openwrt1,3ed67e18b353c6d80f5242e98e58a7efae9b9bc93903ecc32473c90c3c136ac6'
list r1kh 'a0:40:a0:7c:cb:b9,a0:40:a0:7c:cb:b9,3ed67e18b353c6d80f5242e98e58a7efae9b9bc93903ecc32473c90c3c136ac6'
option ft_over_ds '0'
option iw_qos_map_set '0,63,255,255,255,255,255,255,255,255,255,255,255,255,255,255'
Some explanation for the different values:
option ft_psk_generate_local - This has to be set to 0 because setting it to 1 only works for WPA2.
option pmk_r1_push - Setting this to 1 makes an access point pre-pushs the PMK-R1 to all other access points once a client connects. This speeds up the roaming process because it doesn't have to be done at the time the client decides to roam.
option nasid - This is the PMK-R0 Key Holder identifier. Give each access point its own unique name.
option mobility_domain - This setting is used to indicate to clients which APs within an ESS (those sharing the same SSID) can be used for roaming. Set this to the same value for all APs you want to be able to roam to. Its format has to be in the form of a 2-octet hex string.
option r1_key_holder - Set this to the MAC address (without the colons) of wifi interface of the AP you're currently configuring.
list r0kh - Set this to the following values: MAC address of the wifi interface on the other AP, NASID of other AP, 256-bit key as hex string.
list r1kh - Set this to the following values: MAC address of the wifi interface on the other AP, MAC address of the wifi interface on the other AP, 256-bit key as hex string.
option ft_over_ds - This setting specifies whether the roam process should happen over the DS or over the air. Setting this to 0 is the safe option because a lot of clients have issues with over-the-DS roaming.
To find random values that can be used for the mobility domain and 256-bit keys you can use python (please re-run the code to find your own random values):
>>> import secrets
>>> secrets.token_hex(2)
'423e'
>>> secrets.token_hex(32)
'3a879bf3635bfba19c7b85ee4658cf8eb724ca72aa6fa1549d8c96fbc7a2ee74'
If you don't have access to Python locally you can run the code here to get the random values: https://www.online-python.com/BX8i2OeHpK
6 Likes
With settings set in your style, my Android 11 tablet roams nicely with WPA2, but does not roam with WPA3.
I suspect that it is because it does not want to authenticate with "FT-SAE" as the key management system.
It always shows up with 00-0f-ac-8, which means normal SAE.
root@router5:~# /etc/wifi-suite.sh
Associated wifi stations' AKM suites:
phy0-ap0: AKM suite of e0:c3:77:ae:0a:30 is 00-0f-ac-8 (WPA3-SAE)
FT-SAE would be 00-0f-ac-9.