WPA2/WPA3 mixed PSK/SAE and PMF and iOS

Hi,

Not found any clear solution so far, forgive me if I've overlooked something.

I have a mix of home devices, some that simply don't support WPA3, and some that do - so I would like to use WPA2/WPA3 mixed.

The problem I have is that one device (my partner's iPhone 11, iOS 15.1) will only connect in the following configurations:

  • WPA2 only (PMF optional)
  • WPA3 only (PMF optional)
  • WPA2/WPA3 mixed PSK/SAE + PMF required.

WPA2/WPA3 mixed PSK/SAE + PMF (req) stops all the devices that don't support WPA3 from connecting.

Just doesn't make sense to me.
Also, with the prevalence of iPhones, also confused why I don't get more answers on Google.

Other notes:
auth_cache makes no difference, as I believe this is default now for WPA3 anyway.

802.11r on || off - makes no difference.

DTIM = 2 (default) || 3 (unifi forum) - makes no difference.

Don't really want to give up on this. Any other ideas?
For now, I have WPA2 PSK which works.

Unless I misread (and I read this over and over), how does 1 iPhone stop all devices...and how is this related to OpenWrt?

From reading this, I'm getting your partner's iPhone is jamming all devices - preventing them from connecting to the AP; and somehow you determined that it wants a mixed AP with PMF. Is that correct, or was that a miswording?

I would advise:

  • require PMF if you have not done so (it's defaulted to optional in OpenWrt version 21)
    or
  • a WPA3 only SSID
  • a WPA2 only SSID

connected to the same LAN.

I'm not sure you've realized the issue:

:spiral_notepad: It seems some of your WPA2 devices don't support 802.11w required management frames - don't blame your partner, you'll have a longer relationship and less frustration with your router. :smiley: :bulb:

You could set up a second AP interface (different ESSID) on your radios, also bridged to lan. One exclusively for WPA3SAE/ PMF=mandatory, one exclusively for WPA2PSK. WPA2/ WPA3 mixed mode is known to confuse quite a few (broken) clients.

2 Likes
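
The two-SSID layout suggested in the reply above, written out as an added example (not part of the thread) in OpenWrt's `/etc/config/wireless` format. The section names, SSIDs, passphrases and `radio0` are placeholders; the PMF value on the WPA2 SSID follows the "WPA2 only (PMF optional)" case reported as working in the first post.

```uci
# Added example: two AP interfaces on the same radio, both bridged to lan.
# Section names, SSIDs and keys are placeholders, not values from the thread.

# WPA3-only SSID: SAE with management frame protection required.
config wifi-iface 'wpa3_only'
	option device 'radio0'          # assumed radio name
	option mode 'ap'
	option network 'lan'
	option ssid 'Example-WPA3'
	option encryption 'sae'         # WPA3-Personal only, no PSK fallback
	option ieee80211w '2'           # 0 = disabled, 1 = optional, 2 = required
	option key 'REPLACE_WITH_PASSPHRASE_A'

# WPA2-only SSID for clients that cannot do SAE or required PMF.
config wifi-iface 'wpa2_only'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'Example-WPA2'
	option encryption 'psk2'        # WPA2-PSK with CCMP
	option ieee80211w '1'           # optional PMF; never '2' on this SSID
	option key 'REPLACE_WITH_PASSPHRASE_B'

# The combination that locked out the WPA2-only devices in this thread,
# shown for comparison (do not enable alongside the two sections above):
#   option encryption 'sae-mixed'
#   option ieee80211w '2'
```

Apply the change with `wifi reload` after editing the file, and use different passphrases on the two SSIDs so that the WPA2 key does not also unlock the WPA3 network.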

What I'm saying is that none of my WPA2 devices (as in the ones that don't support beyond WPA2) will connect to the access point with WPA2/WPA3 mixed mode and PMF set to required.
They connect fine with PMF set to optional. But then the iPhone won't connect.
I don't think the iPhone is jamming anything. Just that it's an annoyingly arrogant product that thinks it knows best ;-O

Fair point. I don't know what is the more reasonable expectation.

The devices that don't work with PMF and WPA2, or WPA3 are 1st gen Google Homes and strangely the home audio max.

Thanks slh.