WPA2/WPA3-Mixed Mode: connectivity issues with iOS 15.2

I just upgraded one of my APs from 19.07.7 to 21.02.1.

Now I am facing connectivity issues with iOS clients. They sometimes can't connect or randomly disconnect whenever I am using option encryption 'sae-mixed'.
As soon as I switch it back to option encryption 'psk2+ccmp' the issues are gone.

Model               TP-Link Archer C7 v2
Architecture        Qualcomm Atheros QCA9558 ver 1 rev 0
Firmware Version    OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.357.58218-b3cd473
Kernel Version      5.4.154

Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: authenticated
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: associated (aid 1)
Tue Jan 11 22:10:13 2022 daemon.notice hostapd: wlan1: AP-STA-CONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:13 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 WPA: pairwise key handshake completed (RSN)
Tue Jan 11 22:10:18 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED MA:C0:AD:DR:ES:S0
Tue Jan 11 22:10:18 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: disassociated
Tue Jan 11 22:10:19 2022 daemon.info hostapd: wlan1: STA MA:C0:AD:DR:ES:S0 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
2 Likes

No one here facing similar issues?

Different hardware and I am on a more recent snapshot, but I am not seeing this. Guessing hardware/config specific.

  1. Post your /etc/config/wireless
  2. Is it a specific iOS device or is it happening to all of them?

It seems to only affect an iPhone X; the same generation iPad is working fine.

What I also noticed is that sometimes devices (iOS and Android) don't automatically connect to the SSID once in range. This also happened before upgrading to the latest version of OpenWrt.


config wifi-device 'radio0'
    option channel '36'
    option country 'DE'
    option htmode 'VHT80'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0'
    option type 'mac80211'

config wifi-iface 'radio0_vlan_client'
    option device 'radio0'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_client'
    option ssid 'NAMENAMENAME'

config wifi-iface 'radio0_vlan_guest'
    option device 'radio0'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_guest'
    option ssid 'NAMENAMENAME-GUEST'

config wifi-device 'radio1'
    option channel '6'
    option country 'DE'
    option htmode 'HT20'
    option hwmode '11g'
    option path 'platform/ahb/18100000.wmac'
    option type 'mac80211'

config wifi-iface 'radio1_vlan_client'
    option device 'radio1'
    option disabled '0'
    option encryption 'sae-mixed'
    option ft_over_ds '1'
    option ft_psk_generate_local '1'
    option ieee80211r '1'
    option key 'PASSWORD'
    option mode 'ap'
    option network 'vlan_client'
    option ssid 'NAMENAMENAME-LEGACY'

Here is my entry on a totally different device for reference. I do not experience these issues with an iPhone X. Again, I think the issue could be unrelated to the settings and perhaps something in a driver or firmware.

config wifi-iface 'wifinet3'
  option device 'radio1'
  option mode 'ap'
  option encryption 'sae-mixed'
  option dtim_period '3'
  option wpa_disable_eapol_key_retries '1'
  option ssid 'mysidd'
  option key 'mypassword'
  option ieee80211w '2'
  option network 'guest'

Your config has several other options that are unfamiliar to me.

I don't have the reference in front of me, and the suggestion is probably not why your two clients have issues, but you may want to:

  • Set DTIM to 3
  • Set your beacon interval to 101

I'm seeing this too. I noticed that switching to just sae (WPA3) or pure WPA2 makes the respective Apple phones and tablets connect without any issues.

Some googling hints that this is only problematic when WPA2/WPA3-mixed mode is combined with enabling extensions like 802.11r/802.11k/802.11v. These are needed to implement Wi-Fi steering (aka seamless roaming). You'd normally enable them when you have several WiFi APs. So it's understandable why not everybody is able to reproduce this issue.

FWIW I blame Apple as there seem to be other AP firmwares/vendors having this same problem with portable Apple devices.

Context:

Also, other places on the internet suggest that some devices can't stomach WPA2+WPA3 mixed mode: https://help.keenetic.com/hc/en-us/articles/4402854785170-Why-can-t-my-home-network-device-connect-to-the-Wi-Fi-network-.

P.S. I haven't yet verified experimentally if disabling those Wi-Fi extensions helps. So take it with a grain of salt.

3 Likes

Alright... So I've now verified that having 802.11k, 802.11v and 802.11w enabled does not influence the situation. Having them enabled, I've confirmed that a combination of wireless.default_radio0.encryption='sae-mixed' + wireless.default_radio0.ieee80211r='1' causes problems. Changing any of them makes everything work.

So the workarounds are:

  1. If you have a single AP and don't need Wi-Fi steering/roaming — just disable 802.11r and you can keep sae-mixed.
  2. If you do need Wi-Fi steering, you'll have to choose either WPA2 or WPA3. If you don't have ancient devices, go for the latter. Otherwise, stick with the former for the time being.

P.S. Interesting observation: when I had an iPad connected with sae-mixed + 802.11r disabled, and then enabled 802.11r (causing the AP Wi-Fi interface reload), the iPad stayed connected (well, I guess re-connected almost instantly) and toggling its Wi-Fi switch off and on again keeps it connected. But if I disconnect for a while and its internal state resets/times out, then it won't be able to connect back at all, reporting the infamous Unable to join the network "***". This seemingly obvious nuance makes troubleshooting a bit more troubling. Beware.

2 Likes
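
The combination reported above (encryption 'sae-mixed' together with ieee80211r '1'), as an added example that is not part of the original thread: a shell function that scans a UCI wireless config and lists the enabled wifi-iface sections using both. The sample config, its section names and SSIDs are constructed, and the check assumes the '1' form of the boolean as posted here.

```shell
#!/bin/sh
# Added example (not from the thread): list enabled wifi-iface sections that
# combine encryption 'sae-mixed' with ieee80211r '1'.

# find_mixed_ft [FILE]: reads a UCI wireless config from FILE or stdin and
# prints "<section> <ssid>" for each match.
find_mixed_ft() {
    awk -v q="'" '
    # strip one leading/trailing single or double quote
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function emit() {
        if (kind == "wifi-iface" && enc == "sae-mixed" && ft == "1" && dis != "1")
            print name, ssid
    }
    $1 == "config" { emit(); kind = $2; name = unq($3); enc = ft = ssid = dis = ""; next }
    $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t\r]+$/, "", val)
        val = unq(val)
        if ($2 == "encryption") enc = val
        else if ($2 == "ieee80211r") ft = val
        else if ($2 == "ssid") ssid = val
        else if ($2 == "disabled") dis = val
    }
    END { emit() }
    ' "$@"
}

# Constructed sample config, modelled on the sections posted in this thread.
sample_config() {
    cat <<'EOF'
config wifi-iface 'radio0_client'
    option encryption 'sae-mixed'
    option ieee80211r '1'
    option ssid 'EXAMPLE'
config wifi-iface 'radio0_wpa3'
    option encryption 'sae'
    option ieee80211r '1'
    option ssid 'EXAMPLE-WPA3'
config wifi-iface 'radio1_legacy'
    option encryption 'sae-mixed'
    option ieee80211r '0'
    option ssid 'EXAMPLE-LEGACY'
EOF
}

sample_config | find_mixed_ft
```

On a router the same function can be pointed at the real file: `find_mixed_ft /etc/config/wireless`.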

Also see Apple's list of which devices support WPA3: https://support.apple.com/guide/security/secure-access-to-wireless-networks-sec8a67fa93d/web
In particular, older iPads don't support WPA3 so they'll try only WPA2.
I had trouble myself with mixed WPA2/WPA3; some iOS devices were fine and some iOS devices were not. Only the ones with WPA3 support hit the problems.

2 Likes

I must note that I've updated the iOS version to one that does support WPA3. That device works with pure non-mixed WPA3.

I've also started seeing this and I also have sae-mixed + 802.11r enabled. To add to the workarounds list: I added another Wi-Fi network with WPA2 only and connected the iOS devices to that SSID. I know it's not ideal either, but for me it works better than reverting everything to WPA2 or disabling 11r.

I hope Apple gets fixed soon. :confused:

2 Likes

FWIW... I've experimented w mixed mode in the house, to see if I could go full WPA3, and there's ONE item that's not compatible! An older Tivo, 2-3 gen back, that's still used, just won't connect on mixed mode. I'm just using basic mixed mode, no other features.

There's always something.. I also tried the protect the management frames feature, and ONE of my music player boxes wasn't happy with that...

1 Like

I am also facing this issue; it happens even on a new MacBook Air (M1). The strange thing is that on a MacBook Pro with the same processor (M1 Pro) this isn’t happening, and on a very old iPhone SE everything works. Hopefully it will be fixed soon.

I've encountered this issue too with firmware 22.03.1 and iPhone X or 8 (fully updated). They won't connect at all when I choose WPA2/WPA3 mixed mode in combination with Fast Roaming enabled. Works fine on an iPhone SE 2022.

I've seen different error messages from the iPhones that won't connect. "This network is operating on Wi-Fi channels in use by several other nearby networks. Restarting the router may allow it to automatically choose the best channel to use, and may resolve this problem." Which is nonsense since my iPhone SE 2022, which I had sitting beside it, would connect just fine and I was using free channels. Other messages are (translated) "Cannot connect, come closer and try again" and "Cannot connect".

I'll try using WPA3 exclusively now.

Yes, I just had the issue today with both a Mac and an iPhone. I haven't verified the Mac 100% yet, but I did with the iPhone on both a C7 as well as a Belkin RT3200.

The iPhone could not connect to WPA2/3 mixed mode at all on either the 2.4 or 5 GHz bands. I also tried changing 802.11w to see if that would make a difference, just as a test. However, the iPhone could connect to just WPA2 or just WPA3. Very odd indeed.

Every other device connects. Ring. Cameras. Samsung watch. Oculus. Multiple TV's. Firesticks. Alexa. I even have a Suvie cooking device that connects no problem.

But iPhone... meh...

Mixed mode tends to cause problems with lots of devices, as does protected management frames (802.11w). It's one of the first things I look for when people have difficulty connecting -- turning off 802.11w and/or moving to pure WPA2 or WPA3 will usually resolve the problem.

I did try turning 802.11w on while in just wpa2 or wpa3, and that did work.
Someone mentioned 802.11r. I do have that on, and haven't tried wpa2/wpa3 with 802.11r turned off.

yeah... that's why I said "and/or" -- sometimes it is just the PMF, other times it is the whole mixed mode bit.

Ah, yes, I realized that and was editing my message. You're fast and replied before I finished editing.

1 Like

I have a similar issue:
With the following setup

option ieee80211r '1'
option ieee80211w '1'
option encryption 'sae-mixed'

every device works, except one iphone11pro.

If sae-mixed is replaced by psk2 my apple watch fails to connect :frowning: - iphone11pro works.

Disabling ieee80211w works, too.

That's odd. Maybe try forgetting the network on both your phone and watch and then re-adding it (when the network is using PSK2). My watch connects without issue to PSK2 networks.