OWE transition mode network

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi,
In our school, we set up an access point with OpenWrt (dumb ap).

The device:
Model: P-Link TL-WA801ND v5
Firmware: OpenWrt 22.03.1 r19777-2853b6d652 / LuCI openwrt-22.03 branch git-22.245.77528-487e58a

The device was configured via the LuCi interface.

Since we are running Captive Portal on a pfSense firewall, we set the WiFi encryption to "No encryption (open network)", it works fine.
We also tested the "OWE(open network)" setting, it also works great, but only with relatively new clients (Android 11 >=).

We discovered that it is somehow possible to set up an owe transition mode, where two WiFi networks (one unencrypted and one owe encrypted) operate at the same time, so that both old and new devices could work with this setting.

Add the owe_transition_ifname config option to wifi-ifaces.

This allows to configure OWE transition VAPs without adding SSID / BSSID
to the uci conifg but instead autodiscovering these parameters from
other networks on the same PHY.

The following configuration creates an OWE transition mode network
constellation.

config wifi-iface 'open0'
option device 'radio0'
option ifname 'open0'
option network 'lan'
option mode 'ap'
option ssid 'FreeNet'
option encryption 'none'
option owe_transition_ifname 'owe0'

config wifi-iface 'owe0'
option device 'radio0'
option ifname 'owe0'
option network 'lan'
option mode 'ap'
option ssid 'owe_tm.FreeNet'
option encryption 'owe'
option hidden '1'
option owe_transition_ifname 'open0'

Signed-off-by: David Bauer <mail@david-bauer.net>

This commit has already been included in the hostapd.sh file of the OpenWrt version we use (22.03.1).

Can this be set on the LuCi?

How should this be used? If we create an unencrypted or owe encrypted network on the LuCi interface, the "owe_transition_ifname" option is not included in the /etc/config/wireless file, as shown in the example above.

Please help me...

2

Just create a second SSID with unencryption and attach it to the same Interface. Are there issues doing that?

3

Now I only know on an old Android 7.0 device and a new notebook (linux) to test the settings.

If I create two SSIDs on the LuCi interface, one is unencrypted and the other is encrypted,
then the Linux notebook that can connect to owe sees two SSIDs:

  • OpenWrtLab
  • OpenWrtLab

One is obviously unencrypted, the other is owe encrypted. That's how it is
the user should choose which one to connect to, it doesn't happen
the automatic switch.

Android 7.0 only sees one SSID, the unencrypted one.

My wireless configuration:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel 'auto'
	option country 'HU'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option channel 'auto'
	option country 'HU'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrtLab'
	option encryption 'none'
	option isolate '1'
	option network 'lab'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrtLab'
	option encryption 'owe'
	option isolate '1'
	option network 'lab'

Shouldn't it include the option "owe_transition_ifname"?