Hi all,
I was experimenting with some different settings to enable WiFi on AX APs, using CAPsMAN and assigning VLANs through Access List MAC address definition on a single SSID.
In terms of VLAN assignment I can see that each device, based on their MAC address, gets assigned the proper VLAN as configured on the single SSID available through the WiFi APs.
However, the fast transitioning from AP to AP does not seem to work properly when compared to a more standard setup with CAPsMAN, datapath setting each VLAN and multiple SSID per VLAN.
This is what I have done so far on CAPsMAN controller:
So I’m not really sure whether this is still an ongoing development by MikroTik or something that would never make FT work properly when using the single SSID setup and VLANs.
Has anyone else tested such a config, or does anyone have an opinion on this?
Thanks.
Apparently only WiFi6 clients do not roam to the next APs with this setup, while old WiFi5 devices switch from one AP to the other while moving around.
I have tried with some iPhone/iPad (WiFi5 only) and they get the correct VLAN and can roam while moving; when I try with an iPhoneSE (which supports 802.11ax) it won’t roam automatically.
Check ft-preserve-vlanid setting documentation, it defaults to yes.
ft-preserve-vlanid (no | yes)
no - when a client connects to this AP via 802.11r fast BSS transition, it is assigned a VLAN ID according to the access and/or interface settings
yes (default) - when a client connects to this AP via 802.11r fast BSS transition, it retains the VLAN ID, which it was assigned during initial authentication
The default behavior is essential when relying on a RADIUS server to assign VLAN IDs to users, since a RADIUS server is only used for initial authentication.
Thanks for the hint, but I saw that option when I initially set CAPsMAN and decided to leave it at default as I want to keep the VLAN id based on initial assignment.
Even if I’m not using RADIUS but the Access list, VLANs get assigned when the client is authorized and I can see the VLAN id is properly retained during transition from AP to AP (on those devices which roam).
I was reading several notes on the Internet and it seems 802.11k/r/v is not widely supported by clients, so that could be the main reason why some of my devices do not roam automatically.
The iPhoneSE is not roaming at all and it stays connected to the same AP (even after I tried ft-preserve-vlanid no); one Windows11 PC did change, but not through roaming (checked ROS log and it said disconnected / connected event, not the roaming one).
On iPhoneXS and iPadPro (they are WiFi5 AC devices) they roam properly and very fast, while keeping VLANs per default settings.
I haven’t tried to play with other parameters, like 802.11w, as I’m using WPA3 with PSK and all my clients are OK with it.
So it might be some device not willing to move; for Apple iOS I’m on latest version on all of them, so that should not be the issue.
Thank you @andriys for that mention.
I have now also included connect-priority=0/1 in my security settings; however, that iPhone device is still sitting on the same AP as when initially connected.
I will try to play a little bit more with TX power to reduce it, but what I guess will happen is that by lowering the RXed signal, the phone will be disconnected earlier and will reconnect to a better AP signal, but it won’t use the roaming feature as far as I’m seeing from the log.
I have tried on single VLAN/SSID and on that iPhone the same behavior as when using Access list, just to check that this is not related to that particular config, but more on device behavior.
In both setups each VLAN is properly tagged on the AP and it’s assigned to the client correctly.
So for now, as far as FT goes, I might have to live with these devices’ behavior.
At this point all about VLAN assignment works fine using Access list and single SSID (which was my main goal with this setup); I mitigated the roaming issue on that single iPhone by applying the RSSI threshold to it within the Access list, so that AP kicks it out when no longer in range.
However, it is still strange that such a client is not able to get support from 802.11k/v/r, as it’s indicated by Apple as one that should work.
Hello! Did you do some additional configurations to make it work? I’m still facing the same issue “client was disconnected because could not assign vlan”. My CAPsMAN controller is hap AX3 and clients are wAP and CAP. So basically it is a mix of AC and AX.
I know it’s pretty old but I wasn’t able to figure this out. The setup suggested in the doc didn’t work for me. Devices were losing connection when roaming between AX and AC access points.
So far the only working solution for me was setting up the AX device similarly to the AC - with static slaves and manual VLAN assignments, which is a shame.
I toyed with it in the past and the main key for me was to use different configurations for AX and AX devices because the datapath settings are different as well.
With vlan for ax, no vlan but settings on device for Ac.
Is this issue really solved?
I got VLAN on one WLAN, ax devices in wifi, and when enabling ft-preserve-vlanid=yes with mac air I didn’t get an IP → just connect and just after disconnect:
wireless,info F0:99:19:D3:XX:XX@5ghz-wlan-ap03-k1m-2F disconnected, connection lost, signal strength -35
When ft=no is set, then it works.
The strange behavior is that with the iPad it works with ft active.
Do you use any feature which actually requires this setting? Such as: RADIUS which assigns VLAN ID per user or ACLs which assign VLAN ID per station or PPSK?
This setting has potential to screw mobility while without it roaming action might succeed. And it explicitly doesn’t work on APs running wifi-qcom**-ac** which can’t handle VLAN tags.