802.11r + WPA3, does it work?

Gruntruck · August 20, 2022, 12:30pm

Hi,

I have three Archer C7 v2 as AP's. They all run latest OpenWrt 21.02.3, only 5GHz and WPA3 SAE is used. Fast oaming is turned on.

I have added option log_level '1' in wireless config, so I assume I would see FT authentication already completed - do not start 4-way handshake if roaming is working. Instead, I get WPA: pairwise key handshake completed (RSN). My phone supports 802.11r (iPhone 13 Pro).

This is my config for 5GHz (only radio used):

config wifi-iface 'default_radio0'
	option log_level '1'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'sae'
	option key 'xxxxxxxxxxx'
	option ieee80211w '2'
	option ieee80211r '1'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'xxxxxx'
	option mobility_domain '123f'
	option ft_over_ds '0'
	option reassociation_deadline '20000'

Modules " wpad-basic-wolfssl", " ath10k-firmware-qca988x" and " kmod-ath10k" are used.

What am I doing wrong? Or is roaming not supported in WPA3?

Thanks.

Gruntruck · August 20, 2022, 4:19pm

OK, I disabled "create PMK locally" and hard-coded R0 and R1 keys. Now, instead of WPA: pairwise key handshake completed (RSN) I am getting IEEE 802.11: associated (aid 3).

I have no way to measure it, but it seems that roaming works slightly faster.

slh · August 20, 2022, 7:45pm

The short answer would be 'no'. Many clients don't work properly with WPA3 networks that have 802.11r enabled.

Gruntruck · August 20, 2022, 8:46pm

I am getting a load of daemon.err hostapd: nl80211: kernel reports: key addition failed now, but it seems to roam quite well.

Gruntruck · August 22, 2022, 7:32am

I got it working. Tested by running ping on mobile every 200ms and roaming. No dropped packets and ping spiked to 100ms at most.

Secret sauce:

	option ft_psk_generate_local '0'
	option max_inactivity '15'
	option dtim_period '3'
	option ieee80211w '2'
	option ft_over_ds '0'
	option reassociation_deadline '20000'

Also, you need to manually fill in the R0 and R1 keys. Automatic does not seem to work.

P.S.
Taking down ERP to 20dB (100mW) is also helping devices to roam better. No point to radiate 200mW from AP if it cannot hear the device.

system · January 2, 2023, 2:56pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.