I've been running an FT-SAE network with two R7800 routers for some time now, and I've noticed that it's actually not working properly. What happens is that clients attempt to roam between the two APs, but instead of successfully roaming with 802.11r the roam fails and they're forced to do a full authentication. I get the following message in the log: IEEE 802.11: did not acknowledge authentication response. Since the message in the log was quite generic I also did a packet capture and found out that the AP rejects the authentication request due to an invalid PMKID. I get the same results with four clients that I've tried:
Laptop 1: Fedora 34, Intel 7260AC and wpa_supplicant v2.9
It might also be something in our hostapd config scripts.
See this observation from month ago:
(That shouldn't affect your scenatio, with two identical routers, but something similar might be happening under the hood. E.g. One part of hostapd thinks bigendian/littleendian, but part of it thinks hex byte stream)
I asked on the hostapd mailing list and I finally got some help that helped me fix the issue. Basically, I assumed that I could do the same as with WPA2 and 802.11r where I could set ft_psk_generate_local to 1 and avoid having to deal with all the r0kh/r1kh parameters, but that's not possible with WPA3. The ft_psk_generate_local has no effect on FT-SAE. However, it's still simple to get things up and running: just set ft_psk_generate_local to 0 in the Luci interface and leave everything else blank. I made a quick test and it seems like the default settings enable my iPad to roam without issues between my two APs.
