802.11s Mesh support?

Lynx · June 25, 2022, 3:38pm

802.11r fast transition.

So I have main router offer WDS AP for guest Wi-Fi on 2.4 and offer separate WDS AP for main Wi-Fi on 5. This trick seemed to avoid a great deal of extra complication associated with offering out Wi-Fi for these isolated networks.

Namely the latter trick avoids this nightmare:

The extra RT3200's connect to the main router as WDS clients for both guest Wi-Fi on 2.4 and also the main Wi-Fi on 5 and then also offer out AP's for guest Wi-Fi and main Wi-Fi.

I believe for all of this to work the 2.4 and 5 radios on all 3x RT3200's have to be on same channel. I may be mistaken and if so I'd love to know in case I can improve my setup.

akostadinov · June 27, 2022, 10:54am

Note that 802.11r makes your WPA2 PSK network easier to hack [1] because of PMK caching.

[1] https://techbeacon.com/security/wpa2-hack-allows-wi-fi-password-crack-much-faster

KOA · June 27, 2022, 10:57am

which means Only SAE is the option in roaming?

Lynx · June 27, 2022, 11:19am

Yikes. So what should we switch to if we want to keep the benefits of 802.11r roaming but avoid the security issue? The options I am offered via OpenErt are a bit mind boggling:

Can someone please recommend an option?

akostadinov · June 27, 2022, 11:37am

WPA3 and WPA2-EAP are both fine. I assume mesh as well. Only WPA2-EAP will give you wide compatibility though at the cost of harder to configure. I personally decided to live without fast transition as it is not really a big concern for my network.

nybash · June 29, 2022, 9:40am

Does anyone know the full wpad contains SAE for encrypted mesh?

wpad - 2020-06-08-5a8b3662-40 - This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS Authenticator and Supplicant

It is not obvious from description.

castillofrancodamian · June 29, 2022, 11:56pm

No. You need wpad-mesh-wolfssl as a minimum or wpad-wolfssl.