Hi there,
when I try to configure 802.11s (mesh) the only encryption which seems to be supported in LuCI is "sae" (WPA3). Is it possible to use 802.11s with sae-mixed (WPA2+WPA3)? I have an old device which can do only WPA2.
(yes, I removed all wpad-* and installed wpad-mbedtls as well as mesh11sd)
Cheers!
I can't answer the core of your question, but I figured it would be worth addressing this:
Using mixed mode WPA2/WPA3 doesn't work well with some devices. This may be especially true for those devices that are older and only support WPA2 -- they may have difficulty connecting to a mixed mode network despite the fact that it technically supports WPA2. The solution is usually to run WPA2 or WPA3 directly (or to set up an SSID with WPA2 specifically for your older device(s)).
This is correct. It is important to understand that encryption between an AP and a user device is a very different thing altogether from 802.11s mesh authentication/encryption, more correctly known as sae-aes, developed specifically for 802.11s standards. This was later applied to AP-Client encryption in the form of WPA3. So Mesh "sae" and "wpa3" can be regarded as very closely related.
The only form of authentication/encryption supported by 802.11s standards is sae-aes.
Any form of "mixed mode" is not applicable to mesh authentication/encryption.
As far as I am aware no other authentication/encryption methods have been implemented for 802.11s mesh, at least under open source licensing.
It is perfectly normal to find a single radio running both AP and mesh modes, with WPA2 on the AP and sae-aes on the mesh.
I would be surprised if a radio capable of running in mesh mode could not support sae-aes, but I suppose anything is possible. It would be interesting to know what your "old device" actually is.
Note: After replacing the default wpad with the mbedtls, mesh or full version, it is essential to REBOOT for the new wpad to take effect; even restarting the wireless is not enough.
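As an added example (not written by any poster in this thread and not part of OpenWrt), here is a small shell check that reads a `/etc/config/wireless`-style file and flags every mesh-mode interface whose encryption is not `sae`, following the point above that mixed mode does not apply to 802.11s. The section names, SSID, mesh ID and keys in the sample are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample: radio0 carries a WPA2 AP and an SAE mesh side by side,
# and radio1 has a deliberately wrong mesh section using sae-mixed.
sample_config() {
cat <<'EOF'
config wifi-iface 'ap_home'
    option device 'radio0'
    option mode 'ap'
    option ssid 'ExampleHome'
    option encryption 'psk2'
    option key 'CHANGE-ME-ap'

config wifi-iface 'mesh_ok'
    option device 'radio0'
    option mode 'mesh'
    option mesh_id 'example-mesh'
    option encryption 'sae'
    option key 'CHANGE-ME-mesh'

config wifi-iface 'mesh_bad'
    option device 'radio1'
    option mode 'mesh'
    option mesh_id 'example-mesh'
    option encryption 'sae-mixed'
    option key 'CHANGE-ME-mesh'
EOF
}

# Reads UCI text on stdin and prints "<section> <encryption>" for every
# mesh-mode section not set to 'sae'. A mesh section with no encryption
# option at all (an open, unauthenticated mesh) is reported as 'none'.
lint_mesh_encryption() {
    awk '
    # Strip the single or double quotes UCI puts around names and values.
    function unq(s) { gsub("[\047\"]", "", s); return s }
    # Emit the section collected so far if it is a non-SAE mesh.
    function report() { if (mode == "mesh" && enc != "sae") print name, enc }
    $1 == "config" {
        report()
        name = ($3 == "" ? "(anonymous)" : unq($3)); mode = ""; enc = "none"
        next
    }
    $1 == "option" && $2 == "mode"       { mode = unq($3) }
    $1 == "option" && $2 == "encryption" { enc = unq($3) }
    END { report() }
    '
}

# Stand-alone run against the constructed sample.
sample_config | lint_mesh_encryption
```

On a router the same function can be fed the live file with `lint_mesh_encryption < /etc/config/wireless`.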
Thanks for the answers!
I actually mixed up the term mesh (802.11s) with terms like "seamless roaming" and "Access Point Steering" which all go into 802.11r, 802.11k and 802.11v.
So in the end I wanted a WiFi with multiple APs where the WiFi clients pick up the closest/best AP even when walking in the house.