The never-ending story of WPA 3 and (fast) roaming

To return to the subject of WPA 3 and 802.11r (fast BSS transition)...

The following initial situation:
Two D-Link DAP-X1860 with OpenWrt 23.05.2 and the full version of wpad-mbedtls as wired APs.
I have configured them as described in many of the forum posts.

config wifi-iface 'name'
        option device 'radio0'
        option mode 'ap'
        option network 'xxx'
        option bssid 'xxx'
        option ssid 'xxx'
        option encryption 'sae'
        option key 'xxx'
        option ieee80211w '2'
        option dtim_period '3'
        option ieee80211r '1'
        option nasid 'xxx'
        option mobility_domain 'xxx'
        option r1_key_holder 'xxx'
        option reassociation_deadline '20000'
        list r0kh ''
        list r1kh ''
        option pmk_r1_push '0'
        option ft_over_ds '0'
        option ft_psk_generate_local '0'
        option max_inactivity '15'

In theory or on paper, WPA3 should support Fast BSS transition.

Unfortunately, practice still looks different.
My end device, a Google Pixel 4a with Android 13, is connected to the initial AP down to the last bit and then prefers to use the mobile network (LTE) instead of roaming to the nearest AP... 🤦🏻

Does anyone else have any ideas?
So with WPA2 and 802.11w enabled, it roamed without any problems.

Android is notorious for not roaming Wi-Fi well.

I recommend turning off 802.11r (and k and v if you're using those) and focusing on optimizing the radio configuration for optimal routing without the supplemental standards. Some devices just don't work well with those standards, but any enhancements must be done on top of properly tuned APs -- it is essential to have a good foundation.

I like this video as an explainer on how to do this properly...

I am very surprised that my APs are supposed to use different radio channels. Up to now, I've always planned that the channel should be identical on all APs and that's how I've implemented it.
Confused. 💡

Using the same channel across multiple APs is a common mistake and is part of the reason that roaming might not work smoothly. This is why I like Chris’s video - it explains everything very clearly and in actionable terms.

That really makes sense. Unfortunately, it doesn't change anything. Roaming still doesn't work. Even with 802.11r disabled it is stuck at the AP. But isn't that basically also a security feature? 🤔
So as not to be taken over by a stronger transmitting bad AP.

Did you ensure that the APs are appropriately positioned and power levels reduced such that the area of overlap is as small as possible?

You should have:

  • the same SSID + encryption type + passphrase
  • different, non-overlapping channels
  • power levels reduced to cover only the area required by each AP

No. That is not a thing.

I can confirm: WPA3-SAE breaks roaming.
With WPA2-PSK it works flawlessly as I move around the house (confirmed with WiFiman); as soon as auth is changed to WPA3-SAE with all other settings remaining the same, it stops working.

My settings:

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key '**********************'
	option ft_over_ds '0'
	option ieee80211r '1'
	option encryption 'psk2+ccmp'
	option mobility_domain '1337'
	option ieee80211w '1'
	option nasid 'SCOTSPINE'
	option wpa_disable_eapol_key_retries '1'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option time_advertisement '2'
	option reassociation_deadline '20000'
	option ssid 'Scots Pine'
	option ft_psk_generate_local '1'

These settings are consistent across APs - as I said, everything works with WPA2-PSK:

Fri Jul 26 11:26:00 2024 daemon.notice hostapd: wl1-ap0: AP-STA-CONNECTED 1a:7a:30:cc:ca:99 auth_alg=ft
...
Fri Jul 26 11:26:16 2024 daemon.notice hostapd: wl1-ap0: AP-STA-CONNECTED 1a:7a:30:cc:ca:99 auth_alg=ft

WPA3-SAE - not so much.

Note: This config requires wpad-mbedtls instead of wpad-basic-mbedtls.
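
Added example, not code from any poster or from OpenWrt: a Python check that applies the checklist from the replies (same SSID, encryption and passphrase; non-overlapping channels) plus a matching `mobility_domain` to the wireless config of each AP, and flags `ft_psk_generate_local '1'` combined with `encryption 'sae'`, since hostapd documents that option for FT-PSK networks only. It assumes single-quoted `/etc/config/wireless`-style text and inspects the first `wifi-iface` per AP; `parse_uci`, `check_roaming`, `MUST_MATCH` and the sample values are names constructed here.

```python
import itertools, re
# Options that the checklist and 802.11r need identical on every AP
MUST_MATCH = ("ssid", "encryption", "key", "ieee80211r", "mobility_domain")
# Constructed sample (not from the thread); placeholders are filled per AP
SAMPLE = """config wifi-device 'radio0'
        option channel '{ch}'
config wifi-iface 'ap'
        option device 'radio0'
        option ssid 'example'
        option encryption '{enc}'
        option key 'constructed-passphrase'
        option ieee80211r '1'
        option mobility_domain '{md}'
        option ft_psk_generate_local '1'
"""

def parse_uci(text):
    """Return {section_name: {"_type": type, option: value}}; 'list' lines are ignored."""
    sections, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line):
            cur = sections.setdefault(m[2] or f"@{len(sections)}", {"_type": m[1]})
        elif (m := re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)) and cur is not None:
            cur[m[1]] = m[2]
    return sections

def check_roaming(aps):
    """aps maps AP name -> UCI wireless text; returns a list of findings."""
    findings, ifaces, chans = [], {}, {}
    for name, text in aps.items():
        secs = parse_uci(text)
        ifaces[name] = next(s for s in secs.values() if s["_type"] == "wifi-iface")
        chans[name] = secs.get(ifaces[name].get("device"), {}).get("channel", "")
    for opt in MUST_MATCH:
        if len({i.get(opt) for i in ifaces.values()}) > 1:
            findings.append(f"{opt} differs between APs")
    for a, b in itertools.combinations(chans, 2):
        ca, cb = chans[a], chans[b]
        # 2.4 GHz (1-14): channels fewer than 5 apart overlap; other bands: equality only
        near = ca.isdigit() and cb.isdigit() and max(int(ca), int(cb)) <= 14 and abs(int(ca) - int(cb)) < 5
        if ca.isdigit() and (ca == cb or near):
            findings.append(f"{a} and {b} use overlapping channels {ca}/{cb}")
    for name, i in ifaces.items():  # hostapd documents this option for FT-PSK only
        if i.get("encryption") == "sae" and i.get("ft_psk_generate_local") == "1":
            findings.append(f"{name}: ft_psk_generate_local=1 with encryption 'sae'")
    return findings

if __name__ == "__main__":
    aps = {n: SAMPLE.format(ch=6, enc="sae", md=md) for n, md in (("ap1", "aaaa"), ("ap2", "bbbb"))}
    print("\n".join(check_roaming(aps)))
```

Feed it the contents of `/etc/config/wireless` from each AP; an empty result means none of these checks found a mismatch.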