Apple TV (2022), WPA3 and latest SNAPSHOT do not like each other

I've been debugging this issue for some time now, but am not getting closer to a solution.

My home currently runs on 2x Belkin RT3200s and a Netgear WAP220, each of them in "dumb AP" mode (all ethernet ports bridged, VLANs separated out, and WiFi networks bridged with appropriate VLANs).

Here's my current network config:

config device 'switch'
	option name 'switch'
	option type 'bridge'
	list ports 'eth0' # on devices with more ports, all of them are listed here
	option bridge_empty '1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	option ports 'eth0' # on devices with more ports, all of them are listed here

config bridge-vlan 'guest_vlan'
	option device 'switch'
	option vlan '2'
	option ports 'eth0:t' # on devices with more ports, all of them are listed here

config bridge-vlan 'iot_vlan'
	option device 'switch'
	option vlan '3'
	option ports 'eth0:t' # on devices with more ports, all of them are listed here

config bridge-vlan 'mgmt_vlan'
	option device 'switch'
	option vlan '11'
	option ports 'eth0:t' # on devices with more ports, all of them are listed here

config device
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'switch.1'
	option proto 'dhcp'

config interface 'guest'
	option proto 'none'
	option device 'switch.2'

config interface 'iot'
	option proto 'none'
	option device 'switch.3'

config interface 'vpn'
	option proto 'none'
	option device 'switch.11'

As well as wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option htmode 'HE40'
	option channel 'auto'
	option he_su_beamformee '1'
	option he_bss_color '44'
	option cell_density '2'
	option country 'GB'
	option noscan '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel 'auto'
	option he_su_beamformee '1'
	option he_bss_color '46'
	option cell_density '2'
	option htmode 'HE80'
	option country 'GB'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'sae-mixed'
	option ssid 'mainnet'
	option key 'mainnet_password'
	option ieee80211r '1'
	option nasid 'frigga_2g'
	option mobility_domain 'd00d'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'GMT0BST,M3.5.0/1,M10.5.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'

config wifi-iface 'wifinet1'
	option mode 'ap'
	option device 'radio1'
	option network 'lan'
	option encryption 'sae-mixed'
	option ssid 'mainnet'
	option key 'mainnet_password'
	option time_advertisement '2'
	option time_zone 'GMT0BST,M3.5.0/1,M10.5.0'
	option ieee80211r '1'
	option nasid 'frigga_5g'
	option mobility_domain 'd00d'
	option ft_over_ds '0'
	option pmk_r1_push '1'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guestnet'
	option encryption 'sae-mixed'
	option key 'guestnet_password'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guestnet'
	option encryption 'sae-mixed'
	option key 'guestnet_password'
	option network 'guest'

As you can see, both mainnet and guestnet use sae-mixed (aka WPA2/WPA3 mixed) mode.

However, for some reason, while WPA3 is on for mainnet, both of my Apple TVs refuse to connect to the APs. hostapd logs show little, aside from a disassociation message.

However, both Apple TVs connect just fine to guestnet. The only difference between the networks is the SSID and password - but in both cases, they're alphanumeric, with mainnet containing an underscore (_) in its SSID.

There's also the roaming configuration, but to my understanding, that is applied to all wifi-iface devices on the same radio. Furthermore, disabling those options (as well as DAWN) does not seem to have any effect.

However, if I switch from sae-mixed to psk2, the Apple TV connects without trouble.

No other Apple products in my home, be they iPhones, older iPads, Apple Watches or MacBooks, have this problem. It is completely limited to the Apple TVs, and the funny thing is, before the 17.3 update, this issue wasn't present at all.

And the even funnier bit is... guestnet works with WPA3. Again, both SSID and password are alphanumeric, so it's unlikely to be caused by a funky character not being supported (I learned my lesson after naming my WiFi 💩 back in 2014 and having half my devices crash on WiFi scan). I'm honestly dumbfounded by what's going on.

What could be the cause of this?

Have you tried this without 802.11r enabled? My past experience with Apple devices is that they really don't like unusual configurations. Some will seem to work and then drop out, and some simply won't connect at all.

From the config snips, your 'guestnet' is pretty much a standard configuration. However, the 'mainnet' is using unusual (for fruit devices) configurations. Previous users have reported problems with 802.11r, so that might be a good place to start. After that, it might help to try eliminating the value-added features, try reconnecting, and then add the features one by one (of course with full reboots in between) until the problem reappears.
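As an added example (not code from the thread or from OpenWrt), the script below parses a UCI wireless config and lists the options the failing SSID's wifi-iface carries that the working SSID's does not, which turns "go by the differences" into a concrete list to strip and re-add one at a time; it also reports every AP still on sae-mixed, since those still accept WPA2-PSK clients. The embedded config is a constructed, trimmed copy of the one posted, with placeholder passwords.

```python
import shlex

# Constructed sample: a trimmed version of the posted wireless config.
SAMPLE = """\
config wifi-iface 'wifinet1'
	option device 'radio1'
	option network 'lan'
	option encryption 'sae-mixed'
	option ssid 'mainnet'
	option key 'mainnet_password'   # placeholder
	option ieee80211r '1'
	option mobility_domain 'd00d'
	option ft_over_ds '0'
	option ieee80211k '1'
	option bss_transition '1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option network 'guest'
	option encryption 'sae-mixed'
	option ssid 'guestnet'
	option key 'guestnet_password'  # placeholder
"""

# Fields that legitimately differ between two SSIDs and are not "extra features".
IDENTITY = {".type", "ssid", "key", "network", "device"}


def parse_uci(text):
    """Return {section_name: {option: value}}; 'list' entries become Python lists."""
    sections, cur = {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # '#' outside quotes starts a comment
        if not tok:
            continue
        if tok[0] == "config":
            name = tok[2] if len(tok) > 2 else "@%s[%d]" % (tok[1], len(sections))
            cur = sections.setdefault(name, {".type": tok[1]})
        elif tok[0] == "list" and cur is not None:
            cur.setdefault(tok[1], []).append(tok[2])
        elif tok[0] == "option" and cur is not None:
            cur[tok[1]] = tok[2]
    return sections


def extra_options(sections, failing, working):
    """Options set on `failing` that `working` lacks or sets differently."""
    f, w = sections[failing], sections[working]
    return {k: v for k, v in f.items() if k not in IDENTITY and w.get(k) != v}


def mixed_mode_ifaces(sections):
    """APs on 'sae-mixed': WPA2-PSK clients are still admitted, so WPA3 is not enforced."""
    return sorted(n for n, s in sections.items()
                  if s.get(".type") == "wifi-iface" and s.get("encryption") == "sae-mixed")
```

Run it against `/etc/config/wireless` copied off the AP (`parse_uci(open(path).read())`) and feed the two wifi-iface section names to `extra_options`.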

I did try disabling all the roaming settings:

There's also the roaming configuration, but to my understanding, that is applied to all wifi-iface devices on the same radio. Furthermore, disabling those options (as well as DAWN) does not seem to have any effect.

You're right, this one is beyond confusing. From a logical standpoint and simply going by the differences, it suggests one or more of the extra features added to the network as the likely culprit. If you've eliminated all of the extra options, restarted both the AppleTV and the router(s) and the trouble persists, then there has to be something we're both missing here.

As for the roaming configuration, it appears from a wireless survey as if the roaming options are indeed transmitted on a per-SSID basis as the OpenWRT configuration suggests they are and not per-radio. However, YMMV. It's not impossible that some wireless devices may experience feature spillover.

Wanna make it even weirder?

If I apply the roaming config on the guestnet, the Apple TVs still connect to it, but won't connect to the mainnet.

They also refuse to connect to a brand new SSID tied to the lan network that has none of the roaming enabled.

I suppose you're not up for wiping the cheeky b****r and trying to build the config from scratch, are you? It's screaming that some kind of crazy setting is being applied somewhere unexpected. If it's not coming from the uci configs, then that means something else is applying some kind of oddity. If it runs properly from clean defaults, then maybe something isn't being processed correctly and is leaving persistent garbage behind. If a default and minimal install is still causing issues, then you'll know for sure it's nothing you could have done accidentally and that might also give a direction to go.

Don't use wpa2/3 mixed. Not sure where the problem is but it's not a problem with only latest snapshot, but a forever problem that has yet to be resolved.


Whether sae-mixed is the cause of this particular issue or not, the point definitely still holds. If WPA3 is being used for security, the fact that a hacker could forcefully downgrade the connection back to WPA2 and sniff the key from there makes mixed mode entirely worthless. That's entirely on top of how some client devices won't reliably connect to mixed-mode APs, too.
