WPA3 slow association

I am using wpad-openssl to enable WPA2/WPA3 mixed support on a Turris Omnia. A Win10 client with a WPA3 PSK Wi-Fi profile takes its sweet time to associate to the network, around 1 min. If I change the profile to WPA2 PSK, it associates in a few seconds. AP logs don't show anything between disconnect and authentication in either case:

```
Jun 24 07:42:22 turris hostapd: wlan0: AP-STA-DISCONNECTED 3c:58:c2:36:0a:4c
Jun 24 07:42:28 turris hostapd: wlan0: STA 3c:58:c2:36:0a:4c IEEE 802.11: authenticated
```

```
Jun 24 07:15:39 turris hostapd: wlan0: AP-STA-DISCONNECTED 3c:58:c2:36:0a:4c
Jun 24 07:17:41 turris hostapd: wlan0: STA 3c:58:c2:36:0a:4c IEEE 802.11: authenticated
```

No Windows clients here but that doesn't seem normal. Post `/etc/config/wireless` for the particular wifi-device and wifi-iface.

What OpenWrt version are you running? I seem to recall there was an issue with wolfssl that caused WPA3 association to time out or something...

I am running Turris OS 5.0.1, based on OpenWrt 19.07.

```
hostapd-common - 2019-08-08-ca8c2bd2-5.0
wpad-openssl - 2019-08-08-ca8c2bd2-5.0
```

```
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option macaddr '04:f0:21:*'
        option htmode 'VHT80'
        option disabled '0'
        option channel '116'
        option country 'RO'
        option legacy_rates '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option disabled '0'
        option ssid '*'
        option wpa_group_rekey '86400'
        option key '*'
        option ieee80211w '1'
        option encryption 'sae-mixed'

config wifi-iface 'guest_iface_1'
        option disabled '1'
        option device 'radio1'
```

Does it change if you switch to a pure SAE mode?

```
option encryption 'sae'
option ieee80211w '2'
```

In SAE-only mode the Win10 client does not associate at all. An iOS 13, supposedly WPA3-capable client, does not associate at all. The only one connecting is an Ubuntu 20.04 client. It could have been that in mixed mode the Win10 client was slow to associate because WPA3 was not working and the WPA2 fallback timeout is long.
So why isn't WPA3 working with all my clients?

From my experience, both the client OS and the wireless driver need to support WPA3 for it to work. Win10 from 1903 supports WPA3, but the wireless card you are using also needs to support WPA3. Example: Intel 8260 driver doesn't support WPA3 but Intel 9260 driver does.

Also, consider ditching mixed mode if you can. All it did on my network was confuse clients when connecting. My AppleTV units would take a minute+ to associate when AP was set to mixed mode. When AP was set to WPA3 only, they connect immediately. I have two separate APs here, one is WPA3-only for clients that support it and the other AP is WPA2-only for old junk.

A note on the Apple crap... when going from mixed-mode to WPA3-only on the AP, I had to tell AppleTV and iPhones to forget the SSID and then freshly add it again. Seems they cache some kind of config for the SSID and still think the AP is WPA2 capable when it isn't.

Side note, when using mixed-mode, 802.11w is required as it is part of the WPA3 specification. Config should be using `option ieee80211w '2'`.

This is consistent with my experience having a guest visiting using a Windows 10 laptop. The laptop was up-to-date and purchased in late 2019 so the hardware should definitely support it. It would not connect to the pure WPA3 SSID. In contrast, a 4-year-old iPhone 7 connects just fine.

I have two rather recent Win10 clients who both refuse to recognise my WPA3 AP. I'm suspecting it's the Windows wireless drivers.

I tried

option ieee80211w '2'

and wpad-wolfssl instead of wpad-openssl, but the results are the same.

Here is the sequence of events on the Win10 client:

After reboot, the first association fails with a driver error resulting in a one-minute delay in auto-connections. The second association succeeds, and curiously it does so with WPA3? I could not find a way to tell on the AP what security protocol is in use for a particular client when mixed mode is enabled.
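
An added example, not part of the thread: one way to see per client which key management was negotiated on a mixed-mode AP is to read the AKM suite selector from the station dump. It assumes the hostapd build prints an `AKMSuiteSelector=` line per station in `hostapd_cli all_sta` output (an assumption for the 2019-08-08 build discussed here); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a hostapd station dump on stdin and prints one line
# per station: "<mac> <negotiated AKM> mfp=<yes|no>".
# AKM suite selectors are the IEEE 802.11 values (OUI 00-0f-ac).
sta_akm_report() {
    awk '
    function akm_name(s) {
        if (s == "00-0f-ac-2") return "WPA2-PSK"
        if (s == "00-0f-ac-4") return "FT-PSK"
        if (s == "00-0f-ac-6") return "WPA2-PSK-SHA256"
        if (s == "00-0f-ac-8") return "SAE"
        if (s == "00-0f-ac-9") return "FT-SAE"
        return "other:" s
    }
    # A station with no AKM line (handshake not completed) reports "unknown".
    function emit() { if (mac != "") print mac, (akm == "" ? "unknown" : akm), "mfp=" mfp }
    # Each station record starts with a bare MAC address line.
    length($0) == 17 && $0 ~ /^[0-9A-Fa-f:]+$/ { emit(); mac = tolower($0); akm = ""; mfp = "no"; next }
    # [MFP] in the flags means 802.11w protection is active for this station.
    /^flags=/ { if (index($0, "[MFP]")) mfp = "yes"; next }
    /^AKMSuiteSelector=/ { akm = akm_name(tolower(substr($0, 18))) }
    END { emit() }
    '
}

# Constructed sample dump (not captured from the AP in the thread).
sample_all_sta() {
    cat <<'EOF'
02:00:00:00:00:01
flags=[AUTH][ASSOC][AUTHORIZED][WMM][MFP][HT][VHT]
wpa=2
AKMSuiteSelector=00-0f-ac-8
02:00:00:00:00:02
flags=[AUTH][ASSOC][AUTHORIZED][WMM][HT][VHT]
wpa=2
AKMSuiteSelector=00-0f-ac-2
02:00:00:00:00:03
flags=[AUTH]
EOF
}

# On the AP itself: hostapd_cli -i wlan0 all_sta | sta_akm_report
sample_all_sta | sta_akm_report
```

A client that reports `WPA2-PSK` on a `sae-mixed` network fell back to the WPA2 path, which is the case the slow association above would need to be checked against.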