So the instructions for 23.05.x should be:

- Install one of the following full wpad packages:
  i) wpad-openssl
  ii) wpad-wolfssl
  iii) wpad-mbedtls
  iv) ^ the mesh versions of the above packages
  v) wpad - similar but doesn't seem to include SAE support

  Question - Are we sure that the basic wpad variants aren't sufficient, because the package description of them often mentions "802.11r and 802.11w support"? [0] [1]
- Under each AP wifi-iface entry add the following:
  option ieee80211r '1' # enable FT
  option nasid '704F579E84A4' # give the AP a unique ID - same as its MAC
  option reassociation_deadline '20000' # as per https://github.com/openwrt/openwrt/issues/7907

  As https://github.com/openwrt/openwrt/blob/openwrt-23.05/package/network/services/hostapd/files/hostapd.sh fills in:
  mobility_domain from the ssid - "$(echo "$ssid" | md5sum | head -c 4)"
  ft_over_ds to 0 by default - set_default ft_over_ds 0
  ft_psk_generate_local is set to 1 for psk, SAE, psk-sae options - set_default ft_psk_generate_local 1
  disassoc_low_ack defaults to 1

Confusingly, even without nasid, roaming seems to work for me; I assume this was because ft was working but 11r wasn't. (Perhaps something like set_default nasid "$(echo "$macaddr" | tr -d ':' | tr 'A-F' 'a-f')" should be added - as suggested here).

Users should also consider setting:

- option rsn_preauth 1 # only works if used on an I/F which is a bridge (Wi-Fi is a bridge to a LAN)
  but this likely depends upon a RADIUS server being available on the network.
- option bss_transition '1'
- option ieee80211w '1'
- option wnm_sleep_mode '1'
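
An added example, not part of the original post or of OpenWrt's hostapd.sh: a shell check that reproduces the two derived values quoted above (mobility_domain from the SSID, the proposed nasid from the MAC) and flags AP wifi-iface sections missing the three options listed. The function names, the sample config and its SSIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenWrt code. The sample config below is constructed.

# Value hostapd.sh fills in for mobility_domain (expression quoted above).
default_mobility_domain() { echo "$1" | md5sum | head -c 4; }

# nasid default proposed above: MAC without colons, lower-cased.
proposed_nasid() { echo "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# Report AP wifi-iface sections missing the options listed above.
# Assumes one option per line and values without spaces.
audit_ft() {
    awk '
    function report() {
        if (mode == "ap") {
            if (ft != "1")   print ssid ": ieee80211r not enabled"
            if (nasid == "") print ssid ": nasid missing"
            if (dl == "")    print ssid ": reassociation_deadline missing"
        }
        mode = ssid = ft = nasid = dl = ""
    }
    { gsub("\047", "") }   # drop the single quotes UCI puts around values
    $1 == "config" { report() }
    $1 == "option" && $2 == "mode"       { mode = $3 }
    $1 == "option" && $2 == "ssid"       { ssid = $3 }
    $1 == "option" && $2 == "ieee80211r" { ft = $3 }
    $1 == "option" && $2 == "nasid"      { nasid = $3 }
    $1 == "option" && $2 == "reassociation_deadline" { dl = $3 }
    END { report() }
    ' "$1"
}

write_sample() {   # constructed /etc/config/wireless excerpt
    cat > "$1" <<'EOF'
config wifi-iface 'ap0'
    option mode 'ap'
    option ssid 'HomeNet'
    option ieee80211r '1'
    option nasid '704F579E84A4'
    option reassociation_deadline '20000'

config wifi-iface 'ap1'
    option mode 'ap'
    option ssid 'GuestNet'
EOF
}

tmp=$(mktemp); write_sample "$tmp"; audit_ft "$tmp"; rm -f "$tmp"
```

On a router, point audit_ft at /etc/config/wireless; SSIDs containing spaces need a fuller UCI parser than this awk sketch.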