I am working with WPA2 Enterprise and the Archer C7, Archer A7 and Armor Z2.
It appears reasonably well known that PTK0 rekeying is broken on these devices and doesn't always work, so I have set:
option eap_reauth_period '0'
in /etc/config/wireless to disable the rekeying. So far so good, but unfortunately I have recently noticed that the iPhoneX still requests a PTK0 rekey, which results in the iPhoneX having an unstable connection.
Having searched around it would appear that the next suggestion is to use the option wpa_deny_ptk0_rekey and set it to 2 which results in a PTK0 being turned into a disconnect. You can't set this option in /etc/config/wireless because it isn't passed on to the config file used by hostapd, but I managed to work around that.
So far so good, but having changed the configuration to disconnect any device that tries to do a PTK0 rekey I have found a Windows PC that is completely unable to the network, in this case I get the following log messages ...
Thu Jul 23 08:37:28 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:37:28 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 1)
Thu Jul 23 08:37:28 2020 daemon.notice hostapd: wlan-2g: Prune association for 28:7f:cf:ee:fb:65
Thu Jul 23 08:37:28 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:37:28 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:37:28 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
Thu Jul 23 08:37:33 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: deauthenticated due to local deauth request
Thu Jul 23 08:37:58 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Thu Jul 23 08:38:28 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:38:28 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 1)
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:28 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:38:28 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 5)
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: wlan-5g: Prune association for 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:38:28 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:30 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:38:30 2020 daemon.info hostapd: wlan-5g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 1)
Thu Jul 23 08:38:30 2020 daemon.notice hostapd: wlan-2g: Prune association for 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:30 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:30 2020 daemon.notice hostapd: wlan-5g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:38:30 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:33 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:38:33 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 5)
Thu Jul 23 08:38:33 2020 daemon.notice hostapd: wlan-5g: Prune association for 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:33 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:33 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:38:33 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:34 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: authenticated
Thu Jul 23 08:38:34 2020 daemon.info hostapd: wlan-2g: STA 28:7f:cf:ee:fb:65 IEEE 802.11: associated (aid 5)
Thu Jul 23 08:38:34 2020 daemon.notice hostapd: wlan-5g: Prune association for 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:34 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-STARTED 28:7f:cf:ee:fb:65
Thu Jul 23 08:38:34 2020 daemon.notice hostapd: wlan-2g: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Jul 23 08:38:34 2020 daemon.notice hostapd: WPA: PTK0 rekey not allowed, disconnect 28:7f:cf:ee:fb:65
It appears that this particular device wants to rekey immediately upon connection and the refusal to accept that rekey prevents any connection at all.
Disconnecting all rekeys doesn't seem like a great solution in the first place, but perhaps we need to allow rekeys during the first few seconds of a connection?