iPad Mini 5 vs WPA2-PSK/WPA3-SAE Mixed Mode

After switching my router to a GL.iNet MT6000 (Flint 2) and access point to a ZyXEL NWA50AX Pro I found that my iPad Mini 5 wouldn't connect to any of my SSIDs. Both are running OpenWrt 23.05.5.

It turned out that WPA2-PSK/WPA3-SAE Mixed Mode was the cause, and I've had to switch my primary SSID back to just WPA2-PSK :frowning:

Since everything else was just fine (including other iPads and iPhones) this feels like an Apple bug rather than an OpenWrt thing. But it's a nasty surprise that a (relatively) recent device with fully up to date firmware misbehaves so badly.

More background in my blog post about it.

Question: do you see this in your kernel log too? It drops the connection with an iPhone.

Ignoring NSS change in VHT Operating Mode Notification from 6e:xx:xx:xx:xx:12 with invalid nss 2
[ 1872.250547] Ignoring NSS change in VHT Operating Mode Notification from e6:xx:xx:xx:xx:eb with invalid nss 2

Check your settings:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@brada4 that Apple doc actually recommends mixed mode :person_facepalming:

  • WPA2/WPA3 Transitional is a mixed mode that uses WPA3 Personal with devices that support that protocol, while allowing older devices to use WPA2 Personal (AES) instead.

Here are my present configs (for the access point; the router is very similar, except that it is authoritative for DHCP and it has SSIDs configured for the Guest and Devices networks):

{
        "kernel": "5.15.167",
        "hostname": "NWA50AXPRO",
        "system": "ARMv8 Processor rev 4",
        "model": "ZyXEL NWA50AX Pro",
        "board_name": "zyxel,nwa50ax-pro",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
# /etc/config/network on the ZyXEL NWA50AX Pro access point.
# One bridge (br-lan on eth0) carrying three 802.1q sub-interfaces:
# VLAN 99 = management 'lan', VLAN 22 = 'Devices', VLAN 11 = 'Guest'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:778e:f1d4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# The AP's own address lives on the VLAN 99 sub-interface and is obtained by
# DHCP (the router is authoritative for DHCP, per the post above).
config interface 'lan'
        option device 'br-lan.99'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '22'
        option name 'br-lan.22'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '11'
        option name 'br-lan.11'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'
        option name 'br-lan.99'

# proto 'none': the AP has no IP on the Guest/Devices VLANs, it only bridges
# them; addressing and inter-VLAN policy are handled upstream on the router.
config interface 'Guest'
        option proto 'none'
        option device 'br-lan.11'

config interface 'Devices'
        option proto 'none'
        option device 'br-lan.22'
# /etc/config/wireless on the access point. Both bands advertise the same
# (redacted) SSID on the management 'lan' network.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '11'
        option band '2g'
        option htmode 'HE40'
        option cell_density '0'
        option country 'GB'

# encryption 'psk2' = WPA2-PSK only. This is the workaround described at the
# top of the thread: the WPA2/WPA3 mixed mode was switched back to plain WPA2
# because the iPad Mini 5 would not connect. ieee80211w (PMF) is not set
# here, so the OpenWrt default applies — worth pinning explicitly when
# comparing behaviour between the mixed-mode and WPA2-only variants.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'
        # 802.11r fast transition is enabled, over-the-air only (ft_over_ds '0'),
        # with the PMK-R0/R1 keys derived locally from the PSK on each AP so no
        # shared mobility-domain key has to be distributed.
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '100'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'GB'

# 5 GHz mirror of the 2.4 GHz interface: same SSID, WPA2-PSK only, same FT
# settings, so the roaming configuration is consistent across bands.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
# /etc/config/dhcp on the access point. Per the post above the router, not
# this AP, is authoritative for DHCP; 'lan' here has proto 'dhcp', so this
# section is presumably inert for DHCP serving — confirm on the device.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection and local-service-only answering are kept on.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
# /etc/config/firewall on the access point. Default policy is deny-by-default
# for input and forward; only the management 'lan' zone may reach the AP.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Guest and Devices zones reject input and forward on the AP itself. Since
# these networks are proto 'none' and only bridged here, these zones mainly
# keep guest clients from reaching the AP's own services; inter-VLAN policy
# is enforced on the router (not shown on this page).
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config zone
        option name 'devices'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Devices'

@Painnance yes, I'm seeing a bunch of Ignoring NSS change in VHT Operating Mode Notification from <MAC> with invalid nss 2. The timestamps aren't totally regular, but around every 1200s.

I'll need to track down which device owns that MAC, it's none of the iPhones or iPads (and it's invisible to a runZero scan). MA:CV:en:do:rs tells me it's a Nintendo MAC.

And you don't include them in the config file, so that no one can guess?

And? Do you see any mentions of fast transition in whole document?

And? Do you see any mentions of fast transition in whole document?

Nope.

On the other hand I've not seen any problems with other iDevices and my OpenWrt setup (or my previous Draytek gear). Just the iPad Mini 5, and WPA2/3 Mixed mode (or maybe even specific ways of implementing WPA2/3 Mixed mode as I suspect the Draytek AP was OK whilst the router wasn't).

I posted here with no expectation of a fix (as I think this is an Apple problem rather than an OpenWrt thing); but rather so that anybody else experiencing the same frustration can see the workaround of not using Mixed mode (or setting up another SSID that doesn't use Mixed mode). I guess the chosen workaround path would depend on threat model and airspace management considerations.

1/ certainly disable 11R / FT
2/ You can add a WPA3 access point with the same name/password/network next to the existing WPA2 one; that keeps Roomba vacuums and Android 9/10/11 devices happy.
3/ The SSID should be the same on all bands and all access points.

1/ certainly disable 11R / FT

Apple say that they support 802.11r across pretty much all the currently supported devices (and many that are now past end of supported life).

Very "good", stop complaining and enjoy it?

Are all your access point names identical across all bands and locations, i.e. the same DHCP subnet and SSID? You rather concealed that crucial detail.

Yep, SSIDs are uniform across all bands, and are consistently mapped to VLANs, their respective subnets, and corresponding DHCP configs.

Everything was behaving itself and working as expected apart from the iPad Mini 5, and switching from WPA2/3 Hybrid to just WPA2 has fixed that. It's just stupid and annoying that I needed to do that, as WPA2/3 Hybrid is a sensible default these days, and the Mini 5 totally should play nicely with that.

2/ You can add WPA3 access point with same name/password/network next to existing WPA2, that makes roomba vacuum and android 9-10-11 happy.

This brings us back to the forced trade off between better security (at least for the devices that use WPA3) and additional beaconing (and the impact that has on overall network performance); and I guess I've already made my choice here (to have less beaconing). I don't think this is something that will get fixed. Somewhere in the bowels of Apple there will be a bunch of engineers who know they have a problem with the Mini 5 WiFi stack and have been told to move on and get on with other work.

The whole point of posting here is that there's essentially no acknowledgement that there is a problem, and no clear guidance to work around it. The workaround of disabling Hybrid is my choice of least worst setup that lets the Mini 5 behave itself. There are other choices that might be least worst for other people's circumstances. But all of those choices diverge from what might be considered a 'best' set of sensible defaults in 2025.

WPA3 has downgrade prevention: once a supporting device has connected to a WPA3-only AP, there is no going back.

root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.67",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Linksys EA8300 (Dallas)",
"board_name": "linksys,ea8300",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0-rc4",
"revision": "r28211-d55754ce0d",
"target": "ipq40xx/generic",
"description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
"builddate": "1734915335"
}
}
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network from the Linksys EA8300 (second poster).
# NOTE(review): the per-port MAC addresses below are left unredacted, although
# the request earlier in the thread asked for MACs to be redacted.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd4e:53be:eb32::/48'

# Four LAN ports bridged; IPv6 is disabled on the bridge device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'

config device
option name 'lan1'
option macaddr 'e8:9f:80:a3:e7:e4'

config device
option name 'lan2'
option macaddr 'e8:9f:80:a3:e7:e4'

config device
option name 'lan3'
option macaddr 'e8:9f:80:a3:e7:e4'

config device
option name 'lan4'
option macaddr 'e8:9f:80:a3:e7:e4'

# Router is the static gateway for 192.168.10.0/24; no prefix delegation.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option delegate '0'

config device
option name 'wan'
option macaddr 'e8:9f:80:a3:e7:e3'

# WAN via DHCP; ISP-supplied DNS is ignored (peerdns '0') in favour of the
# two listed resolvers.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option delegate '0'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless from the Linksys EA8300 (second poster). Note that the
# two bands use different SSIDs ('OpenWrt5ghz' vs 'Openwrt2.4ghz'), which is
# the opposite of advice item 3/ in the thread; 802.11r cannot roam between
# networks with different SSIDs, so the FT settings on radio1 only matter
# between APs broadcasting that same 2.4 GHz SSID.
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '149'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
option beacon_int '100'
option country 'HK'
option txpower '27'

# 5 GHz: WPA2-PSK, no ieee80211w (PMF) and no 802.11r set here, unlike the
# 2.4 GHz interface below. key '!' is presumably a redaction placeholder.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt5ghz'
option encryption 'psk2'
option disassoc_low_ack '0'
option key '!'
option dtim_period '3'
# 86400 s (24 h) station inactivity timeout — much longer than usual.
option max_inactivity '86400'
option log_level '1'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel '11'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'HK'
option beacon_int '80'
option txpower '21'

# 2.4 GHz: WPA2-PSK with PMF required (ieee80211w '2'), operating channel
# validation off, and 802.11r enabled with FT-over-DS allowed. Thread advice
# item 1/ is to disable 11r/FT when chasing the iOS disconnects.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Openwrt2.4ghz'
option encryption 'psk2'
option disassoc_low_ack '0'
option key '!'
option dtim_period '6'
option max_inactivity '86400'
option ieee80211w '2'
option ocv '0'
option ieee80211r '1'
option ft_over_ds '1'
option ft_psk_generate_local '1'
option log_level '1'

# radio2 has no wifi-iface section on this page, so no SSID is served on it.
config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel '48'
option band '5g'
option htmode 'VHT80'
option cell_density '0'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp from the Linksys EA8300 (second poster).
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'

# IPv4-only DHCP on the LAN (no dhcpv6/ra options here), 192.168.10.100-249.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

# Static lease for one phone. NOTE(review): this client MAC is unredacted,
# contrary to the redaction request earlier in the thread.
config host
option name 'Infinixzero5g2023'
list mac '88:B8:6F:12:D6:13'
option leasetime 'infinite'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall from the Linksys EA8300 (second poster). This is the
# stock OpenWrt layout: lan -> wan forwarding with NAT, wan input rejected
# except for the listed DHCP/ICMP/IPsec exceptions.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Inbound echo-request from WAN is accepted (default OpenWrt rule).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# ICMPv6 forwarded through the router to any zone, same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Stock rules forwarding IPsec ESP and IKE (UDP/500) from WAN into the LAN.
# They are inert unless a LAN host actually terminates IPsec; they can be
# removed if nothing on the LAN does.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'