Encryption sae-mixed doesn't work always, but psk2

One model of my mobile phone connects to psk2, but not to sae-mixed. This happens with all openwrt-routers. All have openwrt 23.05.2. Most phones connect to sae-mixed and use WPA3 or WPA2 according to their possibilities. But with 1 phone I found no solution, although I think it worked already, but in the meantime I am very unsure; I thought I had WPA3 already with this phone.

Can I create another radio?

So radio0 is 2.4 GHz sae-mixed, radio1 is 5GHz sae-mixed and radio3 is psk2?

Please note, the device is wirelessly connected to another openwrt-router using wds.

This is not an issue with OpenWrt, but rather a common issue with all wifi routers/APs and devices.... mixed mode just doesn't work well for certain devices. If you search the forums here as well as with other vendors/firmware providers, you will see that the mixed mode issues are common.

You are better off with either WPA2 for all, or a WPA3 SSID + WPA2 SSID.

4 Likes

Played with this a little bit. The router is not connected with ethernet but via wifi.

root@C7v5-K1:~# uci show wireless | cut -f1-2 -d"." | sort -u
wireless.default_radio0
wireless.default_radio0=wifi-iface
wireless.default_radio1
wireless.default_radio1=wifi-iface
wireless.radio0
wireless.radio0=wifi-device
wireless.radio1
wireless.radio1=wifi-device
wireless.wifinet2
wireless.wifinet2=wifi-iface

I see "Qualcomm Atheros QCA9984 802.11bgn" with the Archer C7 in the webinterface.

If I add with an editor

config wifi-device 'radio2'
and
config wifi-iface 'default_radio2'

Changing especially "option encryption" I see "generic device"

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Thanks, I will come back to this topic in the next days. I want to solve one problem after another. Random MAC with some phones confused me a lot. I want to make sure that my internet connection is reliable now. It looks like it works without problems with one device; I have no idea why it doesn't with another. I will flash them with "sysupgrade -n" and start again. Afterwards I will come back to this thread.

BTW it worked in the meantime with sae-mixed, then didn't work again. Maybe there is a connection to the DHCP-server on a Fritzbox which doesn't run openwrt. DHCP is deactivated on all openwrt devices.

Well, that is due to the security settings in your phone.
At least with android, modern versions default to random device MAC in WiFi networks, and you need to toggle the setting to "use device MAC" for each trusted WiFi network.

2 Likes

I know this in the meantime, but not every phone behaves the same way, so again confusing for me.

You have to know, I use a Fritzbox for DHCP. This is my DSL connection. So I have to disable DHCP with openwrt, and I forget this after a "sysupgrade -n" with 4 Archer C7. Then I tested with these access points. Every phone with a different SSID created its own entry with DHCP and I thought this was because of the 4 DHCP-servers in the openwrt-routers. Started again with "sysupgrade -n" and disabled DHCP immediately, but there was still more than 1 entry for a phone, but not for every phone: those which do not support random MAC were seen once, the others 2 times or more. Ok, solved.

But I still don't understand why 1 AP works sometimes with 2.4 GHz sae-mixed and the next day not. But a connection to a WPA2-only AP works without problems. Maybe a cache problem somewhere after changing a lot. I connected all android phones anew without random MAC.

No problem if it doesn't always work, but sometimes it is confusing.

Another thing which confuses me with 1 android phone (another one): the connection now says WPA2 with sae-mixed, while I have seen WPA3 there for days. It is always the same 2 models which behave strangely in the same way, while others always work as they should.

As recommended, I should create 2 SSIDs in the 2.4GHz net, one with WPA2 and the other with WPA3, but I can't get it to work. Please note, there is no ethernet connection.

root@X1860-B1:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "X1860-B1",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DAP-X1860 A1",
	"board_name": "dlink,dap-x1860-a1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@X1860-B1:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:0854:9181::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.178.52'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'
root@X1860-B1:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'AT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Bath1-4-2'
	option encryption 'psk2'
	option key '...'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'
	option country 'AT'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Bath1-5-2'
	option encryption 'sae-mixed'
	option key '...'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option ssid 'Mainrouter'
	option encryption 'sae-mixed'
	option key '...'
	option mode 'sta'
	option bssid 'CC:...:CA'
	option wds '1'
	option network 'lan'
root@X1860-B1:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@X1860-B1:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I do not post what doesn't work. So simply give me an example as text configuration for another SSID with WPA3.

This is for WPA2:

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Bath1-4-2'
	option encryption 'psk2'
	option key '...'

In 'Bath1-4-2', 4 means 2.4GHz and 2 means WPA2. So for WPA3 I would like to use

option ssid 'Bath1-4-3'

Then I modified this part:
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+2'

The connection goes again to ssid 'Mainrouter' as with WPA2.

Looks like it shouldn't be too difficult to copy the needed 3 sections and modify them, or doesn't it work this way? I think copying and editing a file is much easier than using the webinterface. In the webinterface I always forget things when doing modifications with 4 routers.

No idea why.
Your hardware radios are as they are. Trying to modify the PCI path seems really strange.

You only need to modify/add interface sections (wifi-iface), not physical radio definitions.

1 Like
config wifi-iface 'wpa3_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Bath1-4-3'
        option encryption 'sae'
        option key 'xxxxx'

You just copy the section, change its section name, change SSID and set encryption as "sae" for WPA3

1 Like
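Since every edit here goes over a WDS link, a typo in /etc/config/wireless can leave the AP unreachable. The check below is an added example, not code from the thread or from OpenWrt: a POSIX shell/awk script that lists each wifi-iface with its device, SSID and encryption and flags any interface whose 'device' names a radio that has no wifi-device section (the radio2 case). The sample config is constructed and modelled on the layout recommended above.

```shell
# Added example, not from the thread: sanity-check /etc/config/wireless before
# 'wifi reload' on an AP reached only over WDS. It flags wifi-iface sections whose
# 'device' names a radio that has no wifi-device section (the radio2 mistake).
check_wireless() {                    # reads the config on stdin, exit 1 on a missing radio
  awk -v q="'" '
    function val(s) {                 # value of a config/option line, quotes stripped
      sub(/^[ \t]*(config|option|list)[ \t]+[^ \t]+[ \t]*/, "", s)
      if (substr(s, 1, 1) == q) s = substr(s, 2, length(s) - 2)
      return s
    }
    $1 == "config" {                  # "config <type> <name>" opens a UCI section
      type = $2
      if (type == "wifi-device") radios[val($0)] = 1
      if (type == "wifi-iface") { n++; name[n] = val($0) }
      next
    }
    $1 == "option" && type == "wifi-iface" { opt[n, $2] = val($0) }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        dev = opt[i, "device"]
        st = (dev in radios) ? "ok" : "MISSING-RADIO"
        if (st != "ok") bad = 1
        printf "%s device=%s ssid=%s encryption=%s %s\n", name[i], dev, opt[i, "ssid"], opt[i, "encryption"], st
      }
      exit bad
    }'
}
# Constructed sample modelled on the thread: radio0 carries the WPA2 SSID and the added
# WPA3 SSID (the recommended layout); the last section points at a radio that does not exist.
sample_wireless() {
  cat <<'EOF'
config wifi-device 'radio0'
    option band '2g'
config wifi-iface 'default_radio0'
    option device 'radio0'
    option ssid 'Bath1-4-2'
    option encryption 'psk2'
config wifi-iface 'wpa3_radio0'
    option device 'radio0'
    option ssid 'Bath1-4-3'
    option encryption 'sae'
config wifi-iface 'default_radio2'
    option device 'radio2'
    option ssid 'Bath1-4-3'
    option encryption 'sae'
EOF
}
sample_wireless | check_wireless || echo "fix the config before 'wifi reload'"   # on the router: check_wireless < /etc/config/wireless
```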

Some clients vary in their connection behaviour in respect to many things.

You can see the actual connection authentication/encryption type also via SSH from the hostapd-cli output.

I have done a script that shows it this way:

root@router5:~# /etc/wifi-suite.sh
Associated wifi stations' AKM suites:
hn5wpa2r: AKM suite of e0:c3:77:ae:0a:30 is 00-0f-ac-4 (WPA-PSK-FT)
hn5wpa3: AKM suite of a8:cc:6f:0a:50:f1 is 00-0f-ac-8 (WPA3-SAE)

(Phone is connected with WPA3 SAE, while my tablet uses WPA2 802.11r FT)

The script:

root@router5:~# cat /etc/wifi-suite.sh
#!/bin/sh
# Copyright 2021-2023 Hannu Nyman
# SPDX-License-Identifier: GPL-2.0-only

echo "Associated wifi stations' AKM suites:"
cd /var/run/hostapd
for socket in *; do
  [ -S "$socket" ] || continue
  [ "$socket" = "global" ] && continue
  for assoc in $(hostapd_cli -i "$socket" list_sta); do
    suite=$(hostapd_cli -i "$socket" sta "$assoc" | grep "AKMSuiteSelector" | cut -f 2 -d"=")
    case "$suite" in
        00-0f-ac-1) akm=802.1x  ;;
        00-0f-ac-2) akm=WPA-PSK  ;;
        00-0f-ac-3) akm=FT-802.1x  ;;
        00-0f-ac-4) akm=WPA-PSK-FT  ;;
        00-0f-ac-5) akm=802.1x-SHA256  ;;
        00-0f-ac-6) akm=WPA-PSK-SHA256  ;;
        00-0f-ac-7) akm=TDLS  ;;
        00-0f-ac-8) akm=WPA3-SAE  ;;
        00-0f-ac-9) akm=FT-SAE  ;;
        00-0f-ac-10) akm=AP-PEER-KEY  ;;
        00-0f-ac-11) akm=802.1x-suite-B  ;;
        00-0f-ac-12) akm=802.1x-suite-B-192  ;;
        00-0f-ac-13) akm=FT-802.1x-SHA384  ;;
        00-0f-ac-14) akm=FILS-SHA256  ;;
        00-0f-ac-15) akm=FILS-SHA384  ;;
        00-0f-ac-16) akm=FT-FILS-SHA256  ;;
        00-0f-ac-17) akm=FT-FILS-SHA384  ;;
        00-0f-ac-18) akm=OWE  ;;
        00-0f-ac-19) akm=FT-WPA2-PSK-SHA384  ;;
        00-0f-ac-20) akm=WPA2-PSK-SHA384  ;;
        *) akm="undefined" ;;
    esac
    echo "$socket: AKM suite of $assoc is $suite ($akm)"
  done
done
2 Likes

Tried this, because what I tried before didn't work.

You mean this and I am done? Since all is wireless, I am having trouble changing things.

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'Bath1-4-3'
	option encryption 'sae'
	option key '...'
	option disabled '1'

And then enable it via the webinterface?

Why add the "disabled" option if you want it enabled?

2 Likes

Did your device suddenly get a new radio?
Where did the radio2 come from?
You can't just invent new radio hardware.

I thought that you did want it for your radio0, the 2.4GHz radio?

I already said

2 Likes

First sorry, I answered before I read all your posts, I read the 1st answer only and I have to read your other answers carefully.

Simply, if I made a mistake with the editor it is not enabled.

Sorry, can't go on now, I will answer later, maybe in a day. It is heavily snowing outside.

Sorry, I had no time to see what your script does. But in short, your section for different encryption works. Thanks a lot!

What do I need to install?

root@C7v5-K1:/etc# hostapd_cli
-ash: hostapd_cli: not found
root@C7v5-K1:/etc# opkg list-installed | grep hostapd
hostapd-common - 2023-09-08-e5ccbfc6-6

hostapd-utils

1 Like