I have two wifis, one protected 2.4 GHz and one 5 GHz for guests. They both work fine with other devices. However, a couple of days ago I updated my phone's firmware to a new version of Lineage OS based on Android 11, and after that the phone cannot connect anymore to either wifi (but it does connect to wifis from other devices such as my friend's router). Clearly something happened when updating to the new Android version, but could it be some misconfiguration option from my OpenWrt device?
I also found this thread that mentions disabling Management Frame Protection. I haven't tried this option yet, but I wonder if it's reasonable to disable a security feature after updating to a new Android version?
It's unlikely that Management Frame Protection is causing this since Android 11 should support it due to it being required in WPA3. Have you tried disabling the KRACK attack mitigation by unticking "Enable key reinstallation (KRACK) countermeasures" in LuCI or removing option wpa_disable_eapol_key_retries '1' from the config?
So just disable, one by one, all of the "additional" settings in your config to figure out which one is causing the problem. I had to switch off management frame protection in one of my Wifis due to Windows 10 not supporting WPA2/EAP together with management frame protection and 802.11r roaming.
But my Android 11 device can connect to Wifis that have management frame protection set to optional (1) and required (2).
Anyhow: one by one, disable the MAC filter, test, remove the next config ..., test until you have found the reason, and switch them on again once you have found the problem.
Thank you all, but I don't understand exactly what you are suggesting. I understand that some options might not have an effect, I will try to remove those first. But honestly the recommendation of removing certain security features is not really an option, why should this be acceptable? Especially considering that these are fine with other devices, and also with my phone before the update. My first thought is that this is a bug introduced in the Lineage OS build I'm running, but I just wanted to check here as well in case my WiFi configuration was messing things up. Will try to disable some non-security stuff, thanks.
OK, then you have to follow the procedure, and temporarily switch off the features one by one to find the root cause. I do not suggest keeping the features switched off forever, but for an error analysis you have to do that. Once you have found the root cause, you can google and check what others did in that situation.
OK, so, after doing some testing I pinpointed the WiFi option that creates trouble:
option ieee80211w '1'
Forcing this to '2' does not solve the problem, but setting it to zero (or, to be precise, removing it altogether) fixes the issue. I also tried to install the full wpad but nothing changes.
This option is a security feature, so disabling it is not a long-term solution. I just cannot fathom what the problem is. My guess at this point is that the version of Lineage OS I am using was compiled with faulty support for ieee80211w MFP. Will inquire further.
That's weird, but great that you figured it out! If you ever manage to get PMF working again on your LineageOS phone then I would suggest switching your network to WPA2/WPA3-mixed mode. Your WPA3-capable clients will then connect through WPA3 (just make sure to delete any existing network profile so they don't keep using WPA2).
I'll try to flash a new build on my phone to see if the issue has been solved.
Regarding the WPA2/3 mixed mode, that would be the encryption 'sae-mixed' option, right? I didn't even know it was supported! But I cannot see it in the LuCI interface, do I need wpad-openssl installed for it?
Yes, it's 'sae-mixed'. You need either wpad-openssl or wpad-wolfssl, but I had some issues with the wolfssl package when I tried it (some WPA3 clients couldn't connect). I use wpad-openssl, but the issues with wpad-wolfssl might be fixed for all I know. A lot of time has passed since I last tested it.
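An added example, not part of any post in this thread: a shell function that reads a config in /etc/config/wireless syntax and reports, for each wifi-iface, how the ieee80211w value identified above combines with the encryption mode ('psk2', 'sae', 'sae-mixed'). The sample config is constructed, and the values applied when the option is absent (2 for 'sae', 1 for 'sae-mixed', 0 otherwise) are an assumption about the OpenWrt build in use.

```shell
#!/bin/sh
# Constructed sample in /etc/config/wireless syntax (not the poster's real config).
SAMPLE_CONFIG="
config wifi-iface 'home'
	option encryption 'psk2'
	option ieee80211w '1'

config wifi-iface 'guest'
	option encryption 'psk2'

config wifi-iface 'mixed'
	option encryption 'sae-mixed'
	option ieee80211w '0'
"

# pmf_audit: read a wireless config on stdin and print one line per wifi-iface:
#   <section> <encryption> <ieee80211w as written> <verdict>
pmf_audit() {
	awk -v q="'" '
	function val(s) { gsub("[" q "\"]", "", s); return s }   # strip UCI quoting
	function report(   need, eff, verdict) {
		if (!in_iface) return
		# WPA3-only (sae) needs PMF required; WPA2/WPA3 mixed needs at least optional.
		need = (enc == "sae") ? 2 : ((enc == "sae-mixed") ? 1 : 0)
		# Assumption: an absent option falls back to the minimum for that mode.
		eff = (pmf == "unset") ? need : pmf + 0
		if (eff < need) verdict = "conflict"
		else if (eff == 2) verdict = "pmf-required"
		else if (eff == 1) verdict = "pmf-optional"
		else verdict = "pmf-off"
		print name, enc, pmf, verdict
	}
	$1 == "config" {
		report()
		in_iface = (val($2) == "wifi-iface")
		name = (NF >= 3) ? val($3) : "(anonymous)"
		enc = "none"; pmf = "unset"
		next
	}
	in_iface && $1 == "option" && $2 == "encryption" { enc = val($3) }
	in_iface && $1 == "option" && $2 == "ieee80211w" { pmf = val($3) }
	END { report() }
	'
}

printf '%s\n' "$SAMPLE_CONFIG" | pmf_audit
```

On a router the same function can be fed the live file with `pmf_audit < /etc/config/wireless`; a "pmf-off" line marks an interface left without management frame protection after troubleshooting.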