I am trying to set up Band Steering using Dawn on my ax3600 with snapshot [r21995-059263dd6e]. When I enable 802.11r, the IPhones on the network running the latest IOS 16.3 can no longer connect to the network. All other devices, even printers and such, connect without a problem.
I have two APs with the same password and SSID running on the 2.4 GHz and 5 GHz bands respectively
What i tried so far:
Default LuCI config for 802.11r
Setting NASID to different values on each AP
WPAD-openssl, WPAD-Wolfssl and the new wpad-mbedtls
Setting Reassociation Deadline to 20000 (https://github.com/openwrt/openwrt/issues/7907)
Setting DTIM Interval to 2
Setting to either WPA2 or WPA3 solves the issue.
Is there any other workaround to this since I would like to use WPA3 but not all of my clients support it.
Is it fine if only the 2.4GHz channel has WPA2 and the 5Ghz has WPA3?
It is a requirement for DAWN so that's not an option either.
Edit: its not a requirement so i will drop it. Thanks for the Info
"If 802.11r is enabled for fast, seamless transfer of a device across AP's then it enhances the overall user experience, but DAWN doesn't directly use it." https://github.com/berlin-open-wireless-lab/DAWN/blob/master/README.md
I also stumpled upon this issue with SAE-Mixed and FT enabled with an IPhone XR (16.3) and an IPad 9th gen (16.3). Switching to WPA2 (as some clients don't support WPA3) "fixed" it. 802.11w was turned off, as I remembered some older Apple devices has problems with it, but those devices now are new.
I have 2 AX3600 being delivered in about 3 to 4 hours.
I am fairly well versed in wireless roaming (k/v/r, neighbor reports, ft, sending out bss transition requests etc etc etc).
As it stands now on my current APs, ft works perfectly. I am swapping 2 of my APs out for these AX3600. Installing OpenWRT on them right away of course.
I do not / will not be using WPA3...
I have a small basket of clients that can properly use FT including 3 android devices as well as an ios device.
Although this doesn't apply to the AX3600 as its currently snapshot only.. 802.11r is / was broken using even the most latest stable build (22.03?). With fairly recent snapshots, without touching log_level in /etc/config/wireless you should be seeing this in your logs:
Will post back here if the AX3600 with the most current build, WPA3 turned off and 802.11r turn on allows clients to seamlessly roam. I have a good base level to compare to... I can walk across my 3 floor (concrete) home maintaining a sub 10ms ping to my primary gateway without any packet loss, all while connected to only my 5.8ghz band. 2 of my APs are getting swapped for the AX3600s which raw hardware wise are much better than whats in place there now.
Actually, on WPA3-only, 802.11r simply is not working - specifically, there are no auth_alg=ft events and my Android and iOS test devices perform a full handshake when switching BSSIDs.
I have FT working to some degree while testing exclusively with iOS devices on 23.05. I have WPA3 enabled as well.
I believe the only other non-default setting I used was
reassociation_deadline=20000
I have a shared ESSID between both bands and two access points. When it doesn't work, I see errors such as:
daemon.err hostapd: nl80211: kernel reports: key addition failed
daemon.notice hostapd: FT: Missing required pairwise in pull response from xx:xx:xx:xx:xx:xx
When it does work, I've switched APs as expected. I believe that I've also hopped/steered (edit: via usteer) from the 2.4Ghz band to 5Ghz without a full handshake. But going from 5Ghz to 2.4GHz, I get a full handshake.
Setting r0kh and r1kh should not be mandatory, except if you use a password file and do not set a regular password. Keys are supposed to be random; manually changing them should not make a difference. If you have a PSK set, and FT does not work without setting r0kh and r1kh, then there is a bug that needs to be fixed! Can you share a group configurations that does NOT work so that I can take a look at it? I will need SSID and key, unfortunately, as they are both used to compute the default r[01]kh secret. You could perhaps create a dummy SSID/key combination, test it to make sure it is broken, post them, along with contents of /var/run/hostapd*.conf. After adding r0kh and r1kh settings and making sure they work, send /var/run/hotapd*.conf again. You may omit other bss=/interface= blocks from hostapd*.conf.
I know Apple devices are troublesome, and there are many settings that actually affect roaming behavior that we need to worry about: ft_over_ds, reassociation_deadline, pmk_r1_push, ft_generate_local, even DFS channels, to name a few. r0kh and h1kh secrets are not even seen by the clients, they are used to encrypt communication between APs only.
Are you sure? Like for @ej_breaks_the_lan, it was your post that, for me, clued me into needing to specify an r0kh and r1kh!
And your follow-up post here:
If you're certain that simply enabling 802.11r with WPA3-SAE should simply work, I can certainly try to provide a minimally reproducible config when my wife isn't in the middle of some AWS exam studies.
I wonder if Wi-Fi assist being on helps iPhones with FT?
I don't need FT now but when I had APs using it (they were all wired) I never had a problem, but I also use Wi-Fi assist; just to let go of weak Wi-Fi and get on wireless data ASAP.
Apple WiFi setup guidance docs don't mention "Wi-Fi Assist", but feel free to try.
Note that they don't mention enabling fast roaming and other extra features for home users: https://support.apple.com/en-us/102766
"fast" in "fast roaming" means that, after a device decides by itself to switch to another BSSID, it won't have to go through the full authentication process. It is already typically fast enough without 802.11r when using WPA2-PSK or WPA3-SAE.
Yes. If you can’t find any obvious reason for your problems in logs or internets, you need to do trial and error troubleshooting. Start with vanilla OpenWrt WiFi settings and see if that works.
Because @rkboni messaged me asking if I had updated the Wiki yet - I haven't as I wanted to retest and see what my situation looked like. Unfortunately looks like I don't have a successful config that works with iOS devices.
Quick summary of current status & findings:
One device running OpenWrt 23.05.4 | hostapd-common 2023-09-08-e5ccbfc6-7
Other device running a current snapshot OpenWrt SNAPSHOT r27143-0b7d99147b | hostapd-common 2024.03.09~695277a5-r3
WPA3-only network
I have confirmed that both devices set r0kh and r1kh automatically to the same value if field left empty as @cotequeiroz stated
Whether I let r0kh and r1kh be set automatically or set it manually, an iPhone I have on hand fails to roam.
802.11r default config with reassociation deadline set to 2000
Sometimes,
daemon.err hostapd: nl80211: kernel reports: key addition failed
FT: Missing required pairwise in pull response from <other_router>
appears in logs and iPhone falls back to a full handshake.
Other times, I just get a constant spam of:
daemon.err hostapd: nl80211: kernel reports: key addition failed
daemon.debug hostapd: wl1-ap0: STA <iphone> IEEE 802.11: binding station to interface 'wl1-ap0'
daemon.debug hostapd: wl1-ap0: STA <iphone> IEEE 802.11: authentication OK (FT)
daemon.debug hostapd: wl1-ap0: STA <iphone> MLME: MLME-AUTHENTICATE.indication(<iphone>, FT)
daemon.debug hostapd: wl1-ap0: STA <iphone> IEEE 802.11: association OK (aid 2)
daemon.info hostapd: wl1-ap0: STA <iphone> IEEE 802.11: associated (aid 2)
daemon.notice hostapd: wl1-ap0: AP-STA-CONNECTED <iphone> auth_alg=ft
daemon.debug hostapd: wl1-ap0: STA <iphone> MLME: MLME-REASSOCIATE.indication(<iphone>)
daemon.debug hostapd: wl1-ap0: STA <iphone> IEEE 802.11: binding station to interface 'wl1-ap0'
daemon.debug hostapd: wl1-ap0: STA <iphone> WPA: event 6 notification
daemon.debug hostapd: wl1-ap0: STA <iphone> WPA: FT authentication already completed - do not start 4-way handshake
daemon.notice hostapd: wl1-ap0: AP-STA-DISCONNECTED <iphone>
This continues multiple times a second and the iPhone never actually successfully transitions over.