I just upgraded one of my APs from 19.07.7 to 21.02.1.
Now I am facing connectivity issues with iOS clients. They sometimes can't connect or randomly disconnect whenever I am using option encryption 'sae-mixed'.
As soon as I switch it back to option encryption 'psk2+ccmp' the issues are gone.
Model TP-Link Archer C7 v2
Architecture Qualcomm Atheros QCA9558 ver 1 rev 0
Firmware Version OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.357.58218-b3cd473
Kernel Version 5.4.154
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: authenticated
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: associated (aid 1)
Tue Jan 11 22:10:13 2022 daemon.notice hostapd: wlan1: AP-STA-CONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 WPA: pairwise key handshake completed (RSN)
Tue Jan 11 22:10:18 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:18 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: disassociated
Tue Jan 11 22:10:19 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
It seems to only affect an iPhone X; the same-generation iPad is working fine.
What I also noticed is that sometimes devices (iOS and Android) don't automatically connect to the SSID once in range. This also happened before upgrading to the latest version of OpenWrt.
Here is my entry on a totally different device for reference. I do not experience these issues with an iPhone X. Again, I think the issue could be unrelated to the settings and perhaps something in a driver or firmware.
I'm seeing this too. I noticed that switching to just sae (WPA3) or pure WPA2 makes the respective Apple phones and tablets connect without any issues.
Some googling hints that this is only problematic when WPA2/WPA3-mixed mode is combined with enabling extensions like 802.11r/802.11k/802.11v. These are needed to implement Wi-Fi steering (aka seamless roaming). You'd normally enable them when you have several WiFi APs. So it's understandable why not everybody is able to reproduce this issue.
FWIW I blame Apple as there seem to be other AP firmwares/vendors having this same problem with portable Apple devices.
Alright... So I've now verified that having 802.11k, 802.11v and 802.11w enabled does not influence the situation. Having them enabled, I've confirmed that a combination of wireless.default_radio0.encryption='sae-mixed' + wireless.default_radio0.ieee80211r='1' causes problems. Changing any of them makes everything work.
So the workarounds are:
If you have a single AP and don't need Wi-Fi steering/roaming — just disable 802.11r and you can keep sae-mixed.
If you do need Wi-Fi steering, you'll have to choose either WPA2 or WPA3. If you don't have ancient devices, go for the latter. Otherwise, stick with the former for the time being.
P.S. Interesting observation: when I had an iPad connected with sae-mixed + 802.11r disabled, and then enabled 802.11r (causing the AP Wi-Fi interface reload), the iPad stayed connected (well, I guess re-connected almost instantly) and toggling its Wi-Fi switch off and on again keeps it connected. But if I disconnect for a while and its internal state resets/times out, then it won't be able to connect back at all, reporting the infamous Unable to join the network "***". This seemingly obvious nuance makes troubleshooting a bit more troubling. Beware.
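A way to check a device for the combination reported above (encryption 'sae-mixed' together with ieee80211r '1'), as an added example that is not part of the original thread. The function names and the sample config are constructed for illustration, and only the value '1' is treated as enabled, as written in the post.

```shell
#!/bin/sh
# Added example (not from the thread): list wifi-iface sections in a UCI
# wireless config that combine encryption 'sae-mixed' with ieee80211r '1'.

# Usage: find_mixed_ft [FILE]   (reads stdin when no FILE is given)
find_mixed_ft() {
    awk -v q="'" '
    # Strip one leading and one trailing quote character from a UCI value.
    function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    # Print the section collected so far if it has both settings.
    function report() {
        if (iface && enc == "sae-mixed" && ft == "1") print name
    }
    $1 == "config" {
        report()
        iface = ($2 == "wifi-iface")          # ignore wifi-device sections
        name = (NF >= 3) ? unquote($3) : "(anonymous)"
        enc = ""; ft = ""
        next
    }
    iface && $1 == "option" && $2 == "encryption" { enc = unquote($3) }
    iface && $1 == "option" && $2 == "ieee80211r" { ft = unquote($3) }
    END { report() }
    ' "$@"
}

# Constructed sample config; only default_radio0 is a name from the thread.
sample_config() {
    cat <<'EOF'
config wifi-device 'radio0'
	option channel '36'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option encryption 'sae-mixed'
	option ieee80211r '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option encryption 'psk2+ccmp'
	option ieee80211r '1'

config wifi-iface 'guest'
	option device 'radio0'
	option encryption 'sae-mixed'
EOF
}

sample_config | find_mixed_ft
```

On a router the same function can be pointed at the live file with `find_mixed_ft /etc/config/wireless`.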
Also see Apple's list of which devices support WPA3: https://support.apple.com/guide/security/secure-access-to-wireless-networks-sec8a67fa93d/web
In particular, older iPads don't support WPA3 so they'll try only WPA2.
I had trouble myself with mixed WPA2/WPA3, some iOS devices were fine and some iOS devices were not. Only the ones with WPA3 support hit the problems.
I've also started seeing this and I also have sae-mixed + 802.11r enabled. To add to the workarounds list: I added another Wi-Fi network with WPA2 only and connected the iOS devices to that SSID. I know it's not ideal either, but for me it works better than reverting everything to WPA2 or disabling 11r.
FWIW... I've experimented w mixed mode in the house, to see if I could go full WPA3, and there's ONE item that's not compatible! An older Tivo, 2-3 gen back, that's still used, just won't connect on mixed mode. I'm just using basic mixed mode, no other features.
There's always something.. I also tried the protect the management frames feature, and ONE of my music player boxes wasn't happy with that...