Trying to put 802.11r (fast forwarding) to work. Wdap or hostapd?

I am trying to activate fast transitions (roaming) in may wireless network.

I have a main router and a dumb AP both running 22.3.2 openWRT.

They both are configured with two wireless networks (guest and wlan).
Each wireless network is configured with a SSID and password, the same on both devices and over 5GHZ and 2.4 GHz network.

By default they have wdap-basic-wolfssl

But when I activate roaming in the wlan (under wireless security enabling fast transitions and with the same mobility domain) transitions don't seem to work well. (I have 802.11w as optional).

But the main problem is that some devices won't be able to even connect to the wlan.

Following instructions in this thread (thanks to @frollic ), I removed wpad-* and installed hostapd.

It seems to work (it was neccesary to recreate all wirless interfaces) but it does not seem to provide WAP3 security.

Is there a modules that let me provide WPA2 and WPA3 security and works well with fast transitions?

802.11r + WPA3, does it work? read all the way to the end.

1 Like

Thanks, I will, I hope to understand enough of it to have it working (or decide whether WPA3 should take preference to fast transitions, if they are not compatible).

I had read that WPA2 is not so secure and WPA3 should be used (not all devices support it so I cannot enforce it).

What do you think about it?

WPA2 is less secure, but then again not all clients will support WPA3, and mixing 2 and 3 can be an issue, unless you use two parallel ssids.

I'm still using WPA2, but live in my own house, without any neighbors on the other side of the walls.

I have been using WPA3 only for over a year. Almost all devices can speak WPA3. Those that can not (mainly Chinese IoT things or very old phones) have no business being on home network anyway, so they get to sit on IoT 2.4GHz guest WiFi.

802.11r does work slightly better than "fake" roaming that my iPhone does but you basically need to specifically measure it (pinging and logging the results) to notice the difference.

Well I have been making tests to see if I can put WPA3 and 802.11r to work.

I have used the options provided in the thread:

	option ft_psk_generate_local '0'
	option max_inactivity '15'
	option dtim_period '3'
	option ieee80211w '2'
	option ft_over_ds '0'
	option reassociation_deadline '20000'

And activated ft transitions in the 2.5GHz and 5GHz wlan in both router and access point (I have not activated it in the guest lan).

But it did not work. Some devices like my mobile does connect, but older mobiles like the mobile of my sister do not.

I have discovered that it does not connect when I stablish 802.11w to required either.

I getting a bit mad about this.

Without fast transitions, my phone many times changes the AP when i go from one point to the other, but it takes a while and some times it does it incorrectly, moving from 5G to 2.4G network in the other AP and it keeps there.

My wifi neighbouhood is quite busy I can see (and they can see me) SSIDS from some bars and restarutants near me, so I think it is important to use WPA3 (I cannot enforce it as not all devices might work, so may be using mixed wpa2+wpa3 is just as insercure as using only wpa2).

It seems that I have to decide whether is better to not use fas transitions (as it was now) or use hostapd (it seemed to wokr) and just wpa2.

I am not sure as I don't know exactly what hostapd does and differences with current default implementations.

To my knowledge, you can't do that easily.

(Entering R0 and R1 keys manually may enable wpa3 with 802.11r, but is somewhat cumbersome.)

OK, thank you.
I think I will have to wait to activate fast transition to see if things get better in next release of openwrt.

I don't have enough expertize to deal with all the problems that can arrive if (as it seems) current wpad implementations are not fully compatible with it and with many devices.

The altternative could be use hostapd instead and wpa2, but it seems that openwrt has decided to go forward with wpad alternatives, as they distribute the firmware with that, so better don't tinker too much with router configuration.

Wpad is hostapd.
Wpad has just somewhat wider feature selection than the plain hostapd package. (Wpad = hostapd + wpa_supplicant)

In general, you are likely better off with the openssl variants than the wolfssl based ones.

1 Like

And what is the difference between wpad and hostapd + wpa-supplicant?

Thank you, I don't know the differences, I am lost with all that modules.

But in the thread that I have bookmarked, it is advised to uninstall wpad and install hostapd and it seemed to work but you only have wpa2 and you need to recreate the wifi networks (at leaste I had too).

I will try to uninstall wpad-basic-wolfssl and install wpad-basic-openssl and see if it makes any difference.

Be advised that I only got WPA3 and 802.11r to work on 5GHz 802.11ac network. With other words, I never mixed 2.4GHz and 5GHz.

1 Like