WPA2/WPA3-Mixed Mode: connectivity issues with iOS 15.2

I just upgraded one of my APs from 19.07.7 to 21.02.1.

Now I am facing connectivity issues with iOS clients. They sometimes can't connect or randomly disconnect whenever I am using option encryption 'sae-mixed'.
As soon as I switch it back to option encryption 'psk2+ccmp' the issues are gone.

Model               TP-Link Archer C7 v2
Architecture        Qualcomm Atheros QCA9558 ver 1 rev 0
Firmware Version    OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.357.58218-b3cd473
Kernel Version      5.4.154

Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: authenticated
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: associated (aid 1)
Tue Jan 11 22:10:13 2022 daemon.notice hostapd: wlan1: AP-STA-CONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 WPA: pairwise key handshake completed (RSN)
Tue Jan 11 22:10:18 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:18 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: disassociated
Tue Jan 11 22:10:19 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

No one here facing similar issues?

Different hardware and I am on a more recent snapshot, but I am not seeing this. Guessing hardware/config specific.

  1. Post your /etc/config/wireless
  2. Is it a specific iOS device or is it happening to all of them?

It seems to only affect an iPhone X; the same-generation iPad is working fine.

What I also noticed is that sometimes devices (iOS and Android) don't automatically connect to the SSID once in range. This also happened before upgrading to the latest version of OpenWrt.


config wifi-device 'radio0'
    option channel '36'
    option country 'DE'
    option htmode 'VHT80'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0'
    option type 'mac80211'

config wifi-iface 'radio0_vlan_client'
    option device 'radio0'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_client'
    option ssid 'NAMENAMENAME'

config wifi-iface 'radio0_vlan_guest'
    option device 'radio0'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_guest'
    option ssid 'NAMENAMENAME-GUEST'

config wifi-device 'radio1'
    option channel '6'
    option country 'DE'
    option htmode 'HT20'
    option hwmode '11g'
    option path 'platform/ahb/18100000.wmac'
    option type 'mac80211'

config wifi-iface 'radio1_vlan_client'
    option device 'radio1'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_client'
    option ssid 'NAMENAMENAME-LEGACY'

Here is my entry on a totally different device for reference. I do not experience these issues with an iPhone X. Again, I think the issue could be unrelated to the settings and perhaps something in a driver or firmware.

config wifi-iface 'wifinet3'
  option device 'radio1'
  option mode 'ap'
  option encryption 'sae-mixed'
  option dtim_period '3'
  option wpa_disable_eapol_key_retries '1'
  option ssid 'mysidd'
  option key 'mypassword'
  option ieee80211w '2'
  option network 'guest'

Your config has several other options that are unfamiliar to me.

I don't have the reference in front of me, and the suggestion is probably not why your two clients have issues, but you may want to:

  • Set DTIM to 3
  • Set your beacon interval to 101

I'm seeing this too. I noticed that switching to just sae (WPA3) or pure WPA2 makes the respective Apple phones and tablets connect without any issues.

Some googling hints that this is only problematic when WPA2/WPA3-mixed mode is combined with enabling extensions like 802.11r/802.11k/802.11v. These are needed to implement Wi-Fi steering (aka seamless roaming). You'd normally enable them when you have several WiFi APs. So it's understandable why not everybody is able to reproduce this issue.

FWIW I blame Apple as there seem to be other AP firmwares/vendors having this same problem with portable Apple devices.

Context:

Also, other places on the internet suggest that some devices can't stomach WPA2+WPA3 mixed mode: https://help.keenetic.com/hc/en-us/articles/4402854785170-Why-can-t-my-home-network-device-connect-to-the-Wi-Fi-network-.

P.S. I haven't yet verified experimentally if disabling those Wi-Fi extensions helps. So take it with a grain of salt.

Alright... So I've now verified that having 802.11k, 802.11v and 802.11w enabled does not influence the situation. Having them enabled, I've confirmed that a combination of wireless.default_radio0.encryption='sae-mixed' + wireless.default_radio0.ieee80211r='1' causes problems. Changing any of them makes everything work.

So the workarounds are:

  1. If you have a single AP and don't need Wi-Fi steering/roaming — just disable 802.11r and you can keep sae-mixed.
  2. If you do need Wi-Fi steering, you'll have to choose either WPA2 or WPA3. If you don't have ancient devices, go for the latter. Otherwise, stick with the former for the time being.

P.S. Interesting observation: when I had an iPad connected with sae-mixed + 802.11r disabled, and then enabled 802.11r (causing the AP Wi-Fi interface reload), the iPad stayed connected (well, I guess re-connected almost instantly) and toggling its Wi-Fi switch off and on again keeps it connected. But if I disconnect for a while and its internal state resets/times out, then it won't be able to connect back at all, reporting the infamous Unable to join the network "***". This seemingly obvious nuance makes troubleshooting a bit more troubling. Beware.

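As an added example (not code from this thread or from OpenWrt), the shell function below audits a UCI wireless config for the combination identified in the post above: `encryption 'sae-mixed'` together with `ieee80211r '1'` on an enabled `wifi-iface`. The sample config and its section names are constructed for illustration.

```shell
# audit_wireless: read a UCI wireless config on stdin; print "<section><TAB><ssid>"
# for each enabled wifi-iface with encryption sae-mixed and ieee80211r 1.
audit_wireless() {
    awk -v q="'" '
    function unq(s) {            # trim whitespace and one layer of quotes
        gsub(/^[ \t]+|[ \t\r]+$/, "", s)
        sub("^[" q "\"]", "", s); sub("[" q "\"]$", "", s)
        return s
    }
    function report(   n) {
        if (!is_iface || opt["disabled"] == "1") return
        n = (name == "" ? "(anonymous)" : name)
        if (opt["encryption"] == "sae-mixed" && opt["ieee80211r"] == "1")
            print n "\t" opt["ssid"]
    }
    $1 == "config" {             # a new section closes the previous one
        report(); is_iface = ($2 == "wifi-iface"); name = unq($3); split("", opt)
        next
    }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+/, "", val)   # keeps values with spaces
        opt[$2] = unq(val)
    }
    END { report() }
    '
}

# Constructed sample input in the thread's config format; names are made up.
sample_config() {
    cat <<'EOF'
config wifi-iface 'ap_mixed_ft'
    option encryption 'sae-mixed'
    option ieee80211r '1'
    option ssid 'Example Net'
config wifi-iface 'ap_mixed_only'
    option encryption 'sae-mixed'
config wifi-iface 'ap_wpa2_ft'
    option encryption 'psk2+ccmp'
    option ieee80211r '1'
config wifi-iface 'ap_off'
    option disabled '1'
    option encryption 'sae-mixed'
    option ieee80211r '1'
config wifi-iface
    option encryption 'sae-mixed'
    option ieee80211r '1'
    option ssid 'Guest'
EOF
}
sample_config | audit_wireless
```

On the router, the same function can be fed the live file with `audit_wireless < /etc/config/wireless`.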

Also see Apple's list of which devices support WPA3: https://support.apple.com/guide/security/secure-access-to-wireless-networks-sec8a67fa93d/web
In particular, older iPads don't support WPA3 so they'll try only WPA2.
I had trouble myself with mixed WPA2/WPA3, some iOS devices were fine and some iOS devices were not. Only the ones with WPA3 support hit the problems.


I must note that I've updated the iOS version to one that does support WPA3. That device works with pure non-mixed WPA3.

I've also started seeing this and I also have sae-mixed + 802.11r enabled. To add to the workarounds list: I added another Wi-Fi network with WPA2 only and connected the iOS devices to that SSID. I know it's not ideal either, but for me it works better than reverting everything to WPA2 or disabling 11r.

I hope Apple gets fixed soon. :confused:


FWIW... I've experimented with mixed mode in the house, to see if I could go full WPA3, and there's ONE item that's not compatible! An older TiVo, 2-3 gen back, that's still used, just won't connect on mixed mode. I'm using just basic mixed mode, no other features.

There's always something... I also tried the protect the management frames feature, and ONE of my music player boxes wasn't happy with that...
