Multiple SSIDs running 802.11r - different Mobility Domain IDs?

Reboot always works. Running wifi down; wifi up does the job 99.999% of the time.

1 Like

Are you able to build your own firmware from source? You may want to try https://github.com/openwrt/openwrt/pull/13911
If you can build but do not know what to do with the Pull Request, I can give you some directions. It will not be right away, though. I'm about to leave.

I build stuff, but openwrt is pretty new to me, we can try, what exactly is the outcome we can achieve here?

It's an update to hostapd, the package responsible for running wireless from user space. Among the changes there are updates to 802.11r handling:

commit 9929426b92d0189b6efbd3a4e74a3e7ca59bd023
Author: Jouni Malinen <j@w1.fi>
Date:   Sat Feb 3 20:39:56 2024 +0200

    FT: Allow PMKIDs from AssocReq to be in EAPOL-Key msg 2/4

    The standard is somewhat unclear on whether the PMKIDs used in
    (Re)Association Request frame (i.e., potential PMKIDs that could be used
    for PMKSA caching during the initial mobility domain association) are to
    be retained or removed when generating EAPOL-Key msg 2/4.

    hostapd used to require that only the PMKR1Name is included in the PMKID
    List of RSNE in EAPOL-Key msg 2/4. Extend this to allow the PMKIDs that
    were included in the (Re)Association Request frame to be present as long
    as the correct PMKR1Name is also present. This would allow PMKSA caching
    to be used in initial mobility domain association with supplicant
    implementations that insert the PMKR1Name without removing the PMKIDs
    used in the (Re)Association Request frame. wpa_supplicant did not use to
    that, but other implementations might.

    Signed-off-by: Jouni Malinen <j@w1.fi>

This looks like it may fix some interoperability problem. It could just speed things up, though. It does not mention what the "other implementations" are, so I'm curious if Apple is included or not. I'm going out now.

1 Like

so I did this, and the iPad 9Gen stopped working again, so I added at the end one by one every config option and tried every time to connect.

        option ieee80211r '1'
        option ft_generate_local '0'
        option reassociation_deadline '20000'
        option wnm_sleep_mode '1'
        option disassoc_low_ack '0'

as soon as I deactivate option ieee80211r '0' I connect instantly with the iPad

so strange

with deactivated option ieee80211r '0'

root@AX6000:~# while true; do (logread -f | egrep -h "82:56") ; sleep 1 ; done
Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: authenticated
Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: associated (aid 2)
Thu Feb 22 22:25:50 2024 daemon.notice hostapd: phy1-ap0: Prune association for 74:xxx:82:56
Thu Feb 22 22:25:50 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 74:xxx:82:56 auth_alg=open
Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 RADIUS: starting accounting session 2C200B3C304CB483
Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 WPA: pairwise key handshake completed (RSN)
Thu Feb 22 22:25:50 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED 74:xxx:82:56
Thu Feb 22 22:25:57 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED 74:xxx:82:56
Thu Feb 22 22:25:57 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: disassociated
Thu Feb 22 22:25:59 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Thu Feb 22 22:26:08 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: authenticated
Thu Feb 22 22:26:08 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: associated (aid 2)
Thu Feb 22 22:26:08 2024 daemon.notice hostapd: phy1-ap0: Prune association for 74:xxx:82:56
Thu Feb 22 22:26:08 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 74:xxx:82:56 auth_alg=open
Thu Feb 22 22:26:08 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 RADIUS: starting accounting session FFA839DC89BC8F12
Thu Feb 22 22:26:08 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 WPA: pairwise key handshake completed (RSN)
Thu Feb 22 22:26:08 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED 74:xxx:82:56

and with activated option ieee80211r '1' not further than:

root@AX6000:~# while true; do (logread -f | egrep -h "82:56") ; sleep 1 ; done
Thu Feb 22 22:26:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: authenticated
Thu Feb 22 22:31:50 2024 daemon.info hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Thu Feb 22 22:33:44 2024 daemon.notice hostapd: phy0-ap0: STA 74:xxx:82:56 IEEE 802.11: did not acknowledge authentication response

overall I ran around with my MacBook and Watch through the house with 4 logread open, monitoring:

while true; do (logread -f | egrep -h "pairwise") ; sleep 1 ; done 

» FT is working, could be faster, but it's doing its job. I will add all options to every AP and see if I can make it react quicker

now I only need to fix this one iPad that doesn't like FT at all in its current state
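The failure pattern in the `ieee80211r '1'` log above (a station authenticates, never reaches AP-STA-CONNECTED, and is later deauthenticated for inactivity) can be counted per station from `logread` output. This is an added example, not part of the original posts; the function name, the MAC addresses and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag stations that authenticate but never reach
# AP-STA-CONNECTED before the inactivity deauth. Log lines are constructed
# in the same layout as the logread output quoted in the thread.

SAMPLE_LOG='Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Thu Feb 22 22:25:50 2024 daemon.info hostapd: phy0-ap0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 2)
Thu Feb 22 22:25:50 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 02:00:00:00:00:01 auth_alg=open
Thu Feb 22 22:26:50 2024 daemon.info hostapd: phy0-ap0: STA 02:00:00:00:00:02 IEEE 802.11: authenticated
Thu Feb 22 22:31:50 2024 daemon.info hostapd: phy0-ap0: STA 02:00:00:00:00:02 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Thu Feb 22 22:33:44 2024 daemon.notice hostapd: phy0-ap0: STA 02:00:00:00:00:02 IEEE 802.11: did not acknowledge authentication response'

stalled_stas() {
    # stdin: logread output; stdout: "<iface> <mac> stalled=<n>" per station
    awk '
        $7 != "hostapd:" { next }                 # only hostapd lines
        { iface = $8; sub(/:$/, "", iface) }      # "phy0-ap0:" -> "phy0-ap0"
        $9 == "AP-STA-CONNECTED" { pending[iface " " $10] = 0; next }
        $9 != "STA" { next }
        { key = iface " " $10 }
        /IEEE 802\.11: authenticated$/ { pending[key] = 1; next }
        # Inactivity deauth while still pending: the station never connected.
        /deauthenticated due to inactivity/ && pending[key] {
            stalled[key]++; pending[key] = 0
        }
        END { for (k in stalled) print k " stalled=" stalled[k] }
    ' | sort
}

# On the router: logread | stalled_stas
stalled_stas <<EOF
$SAMPLE_LOG
EOF
```

A normal disconnect followed by an inactivity deauth, as in the working log above, is not counted because AP-STA-CONNECTED already cleared the pending state.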

Does the iPad connect at all?
With 802.11r on, try to change using WPA3-SAE alone (not mixed), then WPA2-PSK.

Install hostapd-utils and see if you can get information about the connection by running:

hostapd_cli -i phy0-ap0 sta 74:xxx:82:56

Substitute phy0-ap0 with the interface the STA is connected to. This will show lots of information. The most useful ones are flags and AKMSuiteSelector. The AKM will start with 00-0f-ac, and the last number will identify the suite, which for WPA3-mixed are:
-2 = WPA2-PSK
-4 = WPA2-PSK-FT (802.11r)
-6 = WPA2-PSK-SHA256 (802.11w)
-8 = WPA3-SAE
-9 = WPA3-SAE-FT (802.11r)

flags will show [MFP] if 802.11w MFP is enabled.
wpa will be set to 2 even if connected with WPA3; this is by design.

1 Like
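The decoding described in the post above, turned into a filter for `hostapd_cli ... sta` output. This is an added example, not code from the thread; the function name `decode_sta` and the sample station record are constructed, and the suite names are the ones listed in the post.

```shell
#!/bin/sh
# Added example: summarise `hostapd_cli -i <iface> sta <mac>` output.
# Suite names are the ones listed in the post above; the sample is constructed.

SAMPLE_STA='02:00:00:00:00:01
flags=[AUTH][ASSOC][AUTHORIZED][WMM][MFP][HT][VHT][HE]
wpa=2
AKMSuiteSelector=00-0f-ac-9'

decode_sta() {
    # stdin: key=value lines; stdout: "akm=<name> ft=<yes|no> mfp=<yes|no>"
    awk -F= '
        $1 == "AKMSuiteSelector" { akm = $2 }
        $1 == "flags"            { flags = $2 }
        END {
            # No AKM line means the station is not (or no longer) listed.
            if (akm == "") { print "akm=missing"; exit 1 }
            name["00-0f-ac-2"] = "WPA2-PSK"
            name["00-0f-ac-4"] = "WPA2-PSK-FT"
            name["00-0f-ac-6"] = "WPA2-PSK-SHA256"
            name["00-0f-ac-8"] = "WPA3-SAE"
            name["00-0f-ac-9"] = "WPA3-SAE-FT"
            label = (akm in name) ? name[akm] : "unknown(" akm ")"
            # Suites 4 and 9 are the 802.11r (FT) variants.
            ft  = (akm == "00-0f-ac-4" || akm == "00-0f-ac-9") ? "yes" : "no"
            mfp = (index(flags, "[MFP]") > 0) ? "yes" : "no"
            print "akm=" label " ft=" ft " mfp=" mfp
        }'
}

# On the router: hostapd_cli -i phy0-ap0 sta <mac> | decode_sta
printf '%s\n' "$SAMPLE_STA" | decode_sta
```

A client that reports `ft=no` on an SSID with 802.11r enabled joined with a non-FT suite, which is worth knowing before comparing its roaming behaviour with other devices.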

the iPad connects with 802.11r disabled, instantly without issues.

will follow your instructions and come with results later, thank you

Another thing you may try on the iPad is to download a profile with the configuration, forcing it to use WPA3. Apple documentation is at https://developer.apple.com/documentation/devicemanagement/wifi

Wi-Fi.mobileconfig file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>PayloadContent</key>
        <array>
                <dict>
                        <key>PayloadType</key>
                        <string>com.apple.wifi.managed</string>
                        <key>PayloadVersion</key>
                        <integer>1</integer>
                        <key>PayloadIdentifier</key>
                        <string>local.editwentyone.Black</string>
                        <key>PayloadUUID</key>
                        <string>42fd5f77-6100-4ff1-9652-92184ef8fde7</string>
                        <key>PayloadDisplayName</key>
                        <string>Black Wi-Fi</string>
                        <key>PayloadDescription</key>
                        <string>Configures WPA3-only connection to Black Wi-Fi</string>
                        <key>SSID_STR</key>
                        <string>Black</string>
                        <key>AutoJoin</key>
                        <true/>
                        <key>EncryptionType</key>
                        <string>WPA3</string>
                        <key>Password</key>
                        <string>#####XXXXX#######</string>
                </dict>
                <dict>
                        <key>PayloadType</key>
                        <string>com.apple.wifi.managed</string>
                        <key>PayloadVersion</key>
                        <integer>1</integer>
                        <key>PayloadIdentifier</key>
                        <string>local.editwentyone.White</string>
                        <key>PayloadUUID</key>
                        <string>45baba8b-04e9-4e64-a03e-d709b607fb6a</string>
                        <key>PayloadDisplayName</key>
                        <string>White Wi-Fi</string>
                        <key>PayloadDescription</key>
                        <string>Configures WPA3-only connection to White Wi-Fi</string>
                        <key>SSID_STR</key>
                        <string>White</string>
                        <key>AutoJoin</key>
                        <false/>
                        <key>EncryptionType</key>
                        <string>WPA3</string>
                        <key>Password</key>
                        <string>#####XXXXX#######</string>
                </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Installs wireless network profiles to Black and White Wi-Fi using WPA3 only.</string>
        <key>PayloadDisplayName</key>
        <string>editwentyone Wi-Fi networks</string>
        <key>PayloadIdentifier</key>
        <string>local.editwentyone.config.wifi</string>
        <key>PayloadUUID</key>
        <string>2feca855-dff6-4289-8fbb-e389e56f879c</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
</dict>
</plist>

Save the file as Wi-Fi.mobileconfig, and then you can send it to your devices by e-mail or AirDrop. I added both Black (AutoJoin), and White (AutoJoin=false) to the example, and you can remove either one, or add the iot there as well. The EncryptionType may be set to WPA to try to force WPA2. Here is what the different settings do on modern versions of iOS (>=iOS 16): WPA=WPA/WPA2; WPA2=WPA2/WPA3; WPA3=WPA3-only. Prior to iOS 16, they are all equivalent and connect to any WPA version. Make sure you don't change the PayloadType or PayloadVersion fields.

1 Like

@cotequeiroz new update, so I have another iPhone 11 and iPhone XS besides the iPad (see above) that are struggling to enter Black or White.

I tried the Wifi.mobileconfig on my XS (completely reset, 17.4 iOS version for testing purposes) and it's not connecting, with or without mobileconfig
BESIDES
I go down to my AX6000, disable and re-enable Wifi in iOS and then it connects (iPad had same experience for a time).

if I then walk around the house, all other AVM products (7530, and two 1200) are roaming. If I go to an AVM product and disable/re-enable Wifi, then I get same connection problems.

the hostapd_cli debugging is still to do, I couldn't find the time yet.

what is different to AX6000 than AVM?