After update, Android 11 device cannot connect to OpenWrt WiFi

Hi there, I am using OpenWRT 19.07.2 on a TP-Link Archer C7 v2

Model: TP-Link Archer C7 v2
Architecture: Qualcomm Atheros QCA9558 ver 1 rev 0
Firmware Version: OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.204.30585-8750495
Kernel Version: 4.14.171

I have two wifis, one protected 2,4 GHz and one 5 GHz for guests. They both work fine with other devices. However, a couple of days ago I updated my phone's firmware to a new version of Lineage OS based on Android 11, and after that the phone cannot connect anymore to either wifi (but it does connect to wifis from other devices such as my friend's router). Clearly something happened when updating to the new Android version, but could it be some misconfiguration option from my OpenWRT device?

Here is my OpenWRT WiFi config:

/etc/config# cat wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option country 'CH'
	option bursting '1'
	option ff '1'
	option compression '1'
	option turbo '1'
	option channel '120'
	option htmode 'VHT80'
	option txpower '23'
	option path 'pci0000:00/0000:00:00.0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option htmode 'HT20'
	option country 'CH'
	option channel '8'
	option txpower '20'
	option path 'platform/ahb/18100000.wmac'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option key 'xxxxxxxxxxxxxxxxxx'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'psk2+ccmp'
	option ssid 'MyHiddenSSID'
	option ieee80211w '1'
	option macfilter 'allow'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:01'
	option hidden '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option network 'dmz'
	option key 'xxxxxxxxxxxxxxxxxxxxx'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'MyPublicWiFi'
	option ieee80211w '1'

I also found this thread that mentions to disable Management Frame Protection. I haven't tried this option yet, but I wonder if it's reasonable to disable a security feature after updating to a new Android version??? :frowning:

Thanks in advance for any useful reply!

Android 11 uses mac randomization so that may explain why you can't connect to the secured network anymore.

Thank you for the hint, but I disabled MAC randomization exactly for this reason, and anyway the device cannot connect to the guest network as well :frowning:

It's unlikely that Management Frame Protection is causing this since Android 11 should support it due to it being required in WPA3. Have you tried disabling the krack attack mitigation by unticking Enable key reinstallation (KRACK) countermeasures in Luci or removing option wpa_disable_eapol_key_retries '1' from the config?

Also, your config contains some parameters that seem to have no function: Wireless Settings Not Available in Luci - #4 by jow

So just disable one after one all of the "additional" settings in your config to figure out which one is causing the problem. I had to switch off management frame protection in one of my Wifis due to Windows 10 not supporting WPA2/EAP together with management frame protection and 802.11r roaming.

But my Android 11 device can connect to Wifis that have management frame protection set to optional (1) and required (2).

Anyhow: one by one, disable the mac filter, test, remove the next config ..., test until you found the reason, and switch them on again once you found the problem.

1 Like

Thank you all, but I don't understand exactly what you are suggesting. I understand that some options might not have effect, I will try to remove those first. But honestly the recommendation of removing certain security features are not really an option, why should this be acceptable? Especially considering that these are fine with other devices, and also with my phone before the update. My first thought is that this is a bug introduced in the Lineage OS build I'm running, but I just wanted to check here as well in case my WiFi configuration was messing things up. Will try to disable some non-security stuff, thanks.

I found your problem:

https://support.google.com/pixelphone/thread/14222745?hl=en

Not my problem: the phone cannot connect to the non-hidden 5g WiFi as well, but thanks anyway :slight_smile:

OK, then you have to follow the procedure, and temporarily switch off the features one by one to find the root cause. I do not suggest to keep the features switched off forever, but for an error analysis you have to do that. Once you found the root cause, you can google and check what others did in that situation.

Sounds reasonable, will try, thanks!

OK, so, after doing some testing I pinpointed the WIFi option that creates trouble:

	option ieee80211w '1'

Forcing this to '2' does not solve the problem, but setting it to zero (or, to be precise, removing it altogether) fixes the issue. I also tried to install the full wpad but nothing changes.

This option is a security feature, so disabling it is not a long-term solution. I just cannot fathom what the problem is. My guess at this point is that the version of Lineage OS I am using was compiled with a faulty support for ieee80211w MFP. Will inquire further.

1 Like

That's weird, but great that you figured it out! If you ever manage to get PMF working again on your LineageOS phone then I would suggest switching your network to WPA2/WPA3-mixed mode. Your WPA3-capable clients will then connect through WPA3 (just make sure to delete any existing network profile so they don't keep using WPA2).

1 Like

I'll try to flash a new build on my phone to see if the issue has been solved.

Regarding the WPA2/3 mixed mode, that would be the encryption 'sae-mixed' option, right? I didn't even know it was supported! But I cannot see it in the Luci interface, do I need wpad-openssl installed for it?

Yes, it's 'sae-mixed'. You need either wpad-openssl or wpad-wolfssl, but I had some issues with the wolfssl package when I tried it (some WPA3 clients couldn't connect). I use wpad-openssl, but the issues with wpad-wolfssl might be fixed for all I know. A lot of time has passed since I last tested it.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.