Individual per-passphrase/per-MAC Wifi VLANs using wpa_psk_file (no RADIUS required)

The presence of "FT: Found matching PSK for" lines in your log output tells me you're using the first revision of the patch that I put out for testing. I have since deprecated that patch revision as it had some faulty code paths that gave false positives.

Could you please build again with the latest version of the patch and test?

I located the issue I had (hostapd.vlan assignment reused same wireless interface). Applied the new patch.

FT works as usual on the radio default networks (the 4WAY is skipped, the FT OK message appears). On non-default radio networks the usual messages do not appear (it just says STA connected, alg=ft), but the connection seems fine (no noticeable connection loss when switching back and forth).

Another note for my configuration is that the mobility_domain is computed (first four letters of the md5 of the SSID), so you do not need to set it explicitly. The same SSID has the same computed mobility_domain value on multiple OpenWRT routers by default. You only need to specify it in case you need to use a specific value. I have deleted the value from my former answer to provide more useful data for others.

1 Like

@takimata Thank you for this great writeup! As I just commented in your other thread on the same topic, maybe update the original post in this one so that the init script provided by the wpad package is used for stopping hostapd rather than just killing the process:

# /etc/init.d/wpad stop

Killing the process without allowing a graceful shutdown may leave temporary files around that could cause issues when starting a new hostapd process compiled with a different feature set (ask me how I know...).

3 Likes

You are absolutely right, the post has been edited accordingly. Thanks!

1 Like

Btw what’s the mainline status for your patch?

2 Likes

Does this work with WPA3 SAE? I can only get it to work with psk2.

Please see:

I think it should, but there are also changes on this: you may need a MAC list now for wifi-station 👍

A MAC is required for it to work.

If I understand that link correctly, as per my testing, the wildcard MAC works only for the last entry? IOW, SAE kinda doesn't work (all entries have wildcard MACs)?

No, they don't: the wildcard only works on WPA2; for WPA3 it is much stricter, as an enhancement for better security by the Wi-Fi standard, and it requires a MAC on the wifi-station.

At least that is how I interpreted it.

1 Like

I was so ecstatic when I found this method to make WPA-EAP-like Wi-Fi for all possible devices and now I'm saddened. Does everyone here just run psk2 in 2025 for this to work?

If you need tight secops then it's recommended to use IPsec or WireGuard between the router and client.
Yes, I still do WPA2, and I think in 2025 war driving is kinda lame for kids these days. :person_shrugging:

3 Likes

I also use psk2; for the very few devices I wanted to have extra security on, like smartphones, I use a WireGuard tunnel. I agree with @_bernd on that one.

My biggest problem with WPA3 and multi-PSK is that it can work for a few devices to have a list with MACs, but if you own a lot of devices, especially IoT ones, which can also expand at any time, it will be unmanageable and lower the ease of introducing new devices to the network too.

1 Like

Don't get me wrong… I also use psk2 within sae-mixed. What I meant was: are you using psk2 exclusively? Hasn't psk2 been cracked a long time ago?

For these multi-VLAN SSIDs, one needs to use psk2 exclusively…

Also, are you using WireGuard on all devices? That must be a nightmare to set up and maintain?

If I'm not mistaken, yes, I use WPA2 exclusively, and at home I don't use a VPN, only on the road.

1 Like

I use it exclusively for the wildcard functionality so I don't need MACs as a requirement.

Whether it is secure... This is what I think: none of the Wi-Fi protocols are secure; if you want security you want airgapped control :). WPA3 had Dragonblood and perhaps also a few other bad things which had to do with hunting-and-pecking and some side-channel attacks, WPA2 had KRACK and Kr00k and maybe another few, and then you also have evil twins.

I came to the conclusion Wi-Fi can't be 100% trusted, but you can use one of the better ciphers with a long password. WPA2 and also WPA3 in OpenWrt have a lot of mitigations, so I don't see a high risk between using WPA2/WPA3, except for the reasoning that you should never consider Wi-Fi a fully bulletproof solution; for that reason I like my most personal devices like smartphones encrypted over a WireGuard tunnel. :slight_smile:

2 Likes

Sadly "reverse war driving" never became a thing... capturing what telemetry data passing cars emit with ath9k-based devices could be fun.
E.g. supplement particulate matter or loudness sensors to collect data for citizen science, so you can correlate driving speed to noise.

I’m having this same problem when setting this up.

I’m using a Meraki MR52. I installed wpad-mbedtls. It works just fine with one radio but not with both. Is there some trick to get it to work with both radios?

/etc/config/wireless

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'

This is what I have :wink:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '12'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option txpower '16'
        option country 'NL'
        list hostapd_options 'ssid_protection=1'
        option log_level '3'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'GL-MT6000-7fa'
        option encryption 'psk2+aes'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211w '1'
        option ocv '1'
        option wpa_disable_eapol_key_retries '1'
        option mobility_domain 'F8DD'
        option reassociation_deadline '20000'
        option macaddr 'random'
        option dynamic_vlan '2'
        option vlan_naming '1'
        option vlan_tagged_interface 'eth1'
        option wpa_psk_file '/etc/hostapd/ppsk-vlans'
        option skip_inactivity_poll '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '108'
        option band '5g'
        option htmode 'HE160'
        option cell_density '0'
        option country 'NL'
        option txpower '17'
        list hostapd_options 'ssid_protection=1'
        option log_level '3'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GL-MT6000-7fa-5G'
        option encryption 'psk2+aes'
        option ieee80211r '1'
        option mobility_domain 'F8DC'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211w '1'
        option reassociation_deadline '20000'
        option macaddr 'random'
        option ocv '1'
        option skip_inactivity_poll '1'
        option wpa_disable_eapol_key_retries '1'
        option wpa_psk_file '/etc/hostapd/ppsk-vlans'
        option vlan_tagged_interface 'eth1'
        option dynamic_vlan '2'
        option vlan_naming '1'

config wifi-vlan
        option iface 'default_radio0'
        option vid '178'
        option name 'aqnet'
        option network 'aqara'

config wifi-vlan
        option iface 'default_radio0'
        option vid '179'
        option name 'hwnet'
        option network 'hwnet'

config wifi-vlan
        option iface 'default_radio1'
        option vid '90'
        option name 'aya'
        option network 'ayaneo'

config wifi-vlan
        option vid '52'
        option name 'iot'
        option network 'iot'
        option iface 'default_radio0'

config wifi-vlan
        option vid '62'
        option name 'beta'
        option network 'beta'

config wifi-vlan
        option iface 'default_radio0'
        option vid '133'
        option name 'sma'
        option network 'sma'

config wifi-vlan
        option iface 'default_radio1'
        option vid '50'
        option name 'wlan0'
        option network 'wlan0'

config wifi-vlan
        option iface 'default_radio0'
        option vid '51'
        option name 'wlan1'
        option network 'wlan1'

brctl show:

root@X-SDK-dumbap:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-management           7fff.9483c4a6ef82       yes             lan5
br-lan          7fff.9483c4a6ef80       yes             phy1-ap0-aya
                                                        phy0-ap0-aqnet
                                                        lan4
                                                        lan2
                                                        eth1
                                                        phy1-ap0-wlan0
                                                        phy0-ap0-wlan1
                                                        lan3
                                                        phy0-ap0-sma
                                                        lan1
                                                        phy0-ap0-iot
                                                        phy0-ap0-hwnet

I think you can also accomplish this with option vlan_file '/path/to/file' where iface.vlanid is defined; however, with wifi-vlan no specification of iface would mean it should run on both radios automatically.

Edit:

It seems you need a separate file name for it to work if you want to use it per band with vlan_file.
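A small checker for the two files this thread revolves around, added here as an example and not taken from the thread, OpenWrt or hostapd: it parses the hostapd wpa_psk_file format (optional key=value prefixes such as vlanid=, then MAC and passphrase, with 00:00:00:00:00:00 as the wildcard MAC) and the vlan_file format (one "<vlanid> <ifname>" line per VLAN, which is the iface/vlanid mapping mentioned above), and flags wildcard-MAC entries when the SSID runs SAE, per the earlier WPA3 discussion. The sample files and MACs are constructed; the lint messages are my own wording.

```python
import re
WILDCARD_MAC = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_psk_file(text):
    """Parse wpa_psk_file lines: [keyid=..] [vlanid=..] <MAC> <passphrase or 64-hex PSK>."""
    entries = []
    for line in _lines(text):
        parts, opts = line.split(), {}
        while parts and "=" in parts[0]:  # leading key=value options such as vlanid=
            key, val = parts.pop(0).split("=", 1)
            opts[key] = val
        if len(parts) != 2 or not MAC_RE.match(parts[0]):
            raise ValueError(f"malformed wpa_psk_file line: {line!r}")
        entries.append({"mac": parts[0].lower(), "secret": parts[1], "vlanid": opts.get("vlanid")})
    return entries

def parse_vlan_file(text):
    """Parse vlan_file lines '<vlanid|*> <ifname>'; return the set of mapped VLAN ids."""
    return {line.split()[0] for line in _lines(text)}

def lint(psk_text, vlan_text, encryption):
    """List problems for an OpenWrt 'encryption' value such as 'psk2', 'sae' or 'sae-mixed'."""
    problems, vlan_ids = [], parse_vlan_file(vlan_text)
    for e in parse_psk_file(psk_text):
        mac, vid, secret = e["mac"], e["vlanid"], e["secret"]
        if not (8 <= len(secret) <= 63 or re.fullmatch(r"[0-9a-fA-F]{64}", secret)):
            problems.append(f"{mac}: secret must be 8-63 chars or a 64-hex PSK")
        if vid is None:
            problems.append(f"{mac}: no vlanid=, station lands in the default network")
        elif vid not in vlan_ids and "*" not in vlan_ids:
            problems.append(f"{mac}: vlanid={vid} has no interface in vlan_file")
        if mac == WILDCARD_MAC and encryption.startswith("sae"):
            problems.append(f"vlanid={vid}: wildcard MAC only matches WPA2-PSK stations, list SAE stations by MAC")
    return problems

# Constructed sample files (not from the thread): one passphrase per VLAN, one wildcard entry.
SAMPLE_PSK = """\
vlanid=178 00:00:00:00:00:00 aqara-devices-pass
vlanid=52 aa:bb:cc:dd:ee:01 iot-devices-passphrase
vlanid=99 aa:bb:cc:dd:ee:02 short
"""
SAMPLE_VLAN = "178 phy0-ap0-aqnet\n52 phy0-ap0-iot\n"
```

Run `lint(SAMPLE_PSK, SAMPLE_VLAN, "psk2")` against your own files before restarting wpad; with "sae" or "sae-mixed" it additionally reports every wildcard entry.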

Thanks for pointing me in the right direction! Using the two separate vlan_files worked for me.

1 Like