Devices Not Connecting With FT Enabled

ToTheFull · July 4, 2025, 3:15pm

dhcpcd-5.5.6
Model No: TomTom Go 3000
IpadOS 15.8.4
Model No: MNV62B/A

These above devices refuse to connect point blank with FT enabled on Mikrotik.
The Ipad connects to an openwrt device with FT enabled just fine IE below.
The first connect try is with FT over Air, it stumbles a bit but connects and the second try is with FT over DS which seems to connect fine.
Does it matter how the wirless information is set on the cap device and Hap ax2. Meaning I enter all my config info per device by double clicking each, apart from security/steering which share the same config for each SSID. Is it worth trying another config route?
Or anything else I might be missing.

Fri Jul  4 13:02:55 2025 daemon.warn odhcpd[1925]: No default route present, overriding ra_lifetime to 0!
Fri Jul  4 13:03:14 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27 IEEE 802.11: authenticated
Fri Jul  4 13:03:14 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27 IEEE 802.11: associated (aid 1)
Fri Jul  4 13:03:14 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POSSIBLE-PSK-MISMATCH de:e2:27:
Fri Jul  4 13:03:15 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POSSIBLE-PSK-MISMATCH de:e2:27:
Fri Jul  4 13:03:16 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POSSIBLE-PSK-MISMATCH de:e2:27:
Fri Jul  4 13:03:17 2025 daemon.notice hostapd: phy1-ap0: AP-STA-POSSIBLE-PSK-MISMATCH de:e2:27
Fri Jul  4 13:03:44 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27: IEEE 802.11: authenticated
Fri Jul  4 13:03:44 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27: IEEE 802.11: associated (aid 1)
Fri Jul  4 13:03:44 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED de:e2:27: auth_alg=open
Fri Jul  4 13:03:44 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27: WPA: pairwise key handshake completed (RSN)
Fri Jul  4 13:03:44 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED de:e2:27:
Fri Jul  4 13:03:45 2025 daemon.warn odhcpd[1925]: No default route present, overriding ra_lifetime to 0!
Fri Jul  4 13:03:48 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) de:e2:27:
Fri Jul  4 13:03:48 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.124 de:e2:27:



 OpenWrt 24.10.2, r28739-d9340319c6
 
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '03'
        option encryption 'psk2'
        option key 'testtest'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

Fri Jul  4 13:29:49 2025 daemon.info hostapd: phy1-ap0: STA de:e2: IEEE 802.11: authenticated
Fri Jul  4 13:29:49 2025 daemon.info hostapd: phy1-ap0: STA de:e2: IEEE 802.11: associated (aid 1)
Fri Jul  4 13:29:49 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED de:e2:27: auth_alg=open
Fri Jul  4 13:29:49 2025 daemon.info hostapd: phy1-ap0: STA de:e2:27: WPA: pairwise key handshake completed (RSN)
Fri Jul  4 13:29:49 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED de:e2:
Fri Jul  4 13:29:50 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.124 de:e2:
Fri Jul  4 13:29:50 2025 daemon.warn odhcpd[1925]: No default route present, overriding ra_lifetime to 0!
Fri Jul  4 13:29:50 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.124 de:e2:27:



 OpenWrt 24.10.2, r28739-d9340319c6

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '03'
        option encryption 'psk2'
        option key 'testtest'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'

erlinden · July 4, 2025, 3:23pm

Would be helpful to see the config of the MikroTik:

/interface wifi export

ToTheFull · July 4, 2025, 3:40pm

# 2025-07-04 16:34:32 by RouterOS 7.21_ab216
# software id = 
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface wifi channel
add band=5ghz-ax comment=25mw disabled=no frequency=5745 name=155 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=10min-cac width=20mhz
/interface wifi
set [ find default-name=wifi1 ] channel=42 channel.frequency=5180 configuration.country="United Kingdom" .mode=ap .ssid=02 disabled=\
    no security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .connect-priority=1/0 .encryption=ccmp .management-protection=\
    allowed .wps=disable steering.rrm=no .wnm=no
add configuration.hide-ssid=no .mode=ap .ssid=Radio disabled=no mac-address=1A:FD: master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .encryption=ccmp .wps=disable
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    ft-preserve-vlanid=yes management-protection=allowed name=sec1 wps=disable
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-d319a8b8 rrm=yes wnm=yes
/interface wifi
# operated by CAP 48:A9:%bridge, traffic processing on CAP
add channel=106 channel.frequency=5500 configuration.country="United Kingdom" .mode=ap .ssid=MWM3001 disabled=no name=cap-1 radio-mac=\
    48:A9: security=sec1 steering=*1
# operated by CAP 48:%bridge, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-2 radio-mac=48:A9: security=\
    sec1 steering=*1
set [ find default-name=wifi2 ] channel=11 channel.frequency=2462 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=\
    no security=sec1 steering=*1
/interface wifi access-list
add action=reject disabled=yes interface=cap-2 mac-address=1C:56:
/interface wifi capsman
set enabled=yes

ToTheFull · July 4, 2025, 7:37pm

Anything standing out ?

erlinden · July 5, 2025, 7:07am

Two things I notice:

.connect-priority=1/0

I have all my FT devices set to:

.connect-priority=0/1

Why did you disable rrm and wnm explicitely on the interface?

steering.rrm=no .wnm=no

Overall…please use the DRY principal: i.e. only set security on one place and refer to it on other places. Instead of this:

/interface wifi
set [ find default-name=wifi1 ] channel=42 channel.frequency=5180 configuration.country="United Kingdom" .mode=ap .ssid=02 disabled=\
    no security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .connect-priority=1/0 .encryption=ccmp .management-protection=\
    allowed .wps=disable steering.rrm=no .wnm=no
add configuration.hide-ssid=no .mode=ap .ssid=Radio disabled=no mac-address=1A:FD: master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .encryption=ccmp .wps=disable
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    ft-preserve-vlanid=yes management-protection=allowed name=sec1 wps=disable

Use this:

/interface wifi
set [ find default-name=wifi1 ] channel=42 channel.frequency=5180 configuration.country="United Kingdom" .mode=ap .ssid=02 disabled=no security=sec1 .wps=disable steering.rrm=no .wnm=no
add configuration.hide-ssid=no .mode=ap .ssid=Radio disabled=no mac-address=1A:FD: master-interface=wifi1 name=wifi3 security=sec1.wps=disable
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes management-protection=allowed name=sec1 wps=disable

While you don’t use any vlan’s, why did you set?

ft-preserve-vlanid=yes

infabo · July 5, 2025, 7:22am

this looks like a broken reference.

ToTheFull · July 5, 2025, 11:46am

Thanks, it’s a bit of a mess… testing/frustration etc.
It was old stuff I was trying out on the second SSID 002. The main SSID 001 with the 3 radios is set to 0/1 which is correct, I have also set security from the Security Tab now, I think thats where you was leaning.

# 2025-07-05 12:20:29 by RouterOS 7.21_ab216
# software id = 
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface wifi channel
add band=5ghz-ax comment=25mw disabled=no frequency=5745 name=155 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=10min-cac width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes management-protection=\
    allowed name=sec1 wps=disable
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk disabled=no encryption=ccmp management-protection=allowed name=sec2 wps=disable
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk disabled=no encryption=ccmp management-protection=allowed name=sec3 wps=disable
/interface wifi
set [ find default-name=wifi1 ] channel=42 channel.frequency=5180 configuration.country="United Kingdom" .mode=ap .ssid=002 disabled=no security=sec2
add configuration.hide-ssid=no .mode=ap .ssid=Radio disabled=no mac-address=1A master-interface=wifi1 name=wifi3 security=sec3
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-7b407f17 rrm=yes wnm=yes
/interface wifi
# operated by CAP 48%bridge, traffic processing on CAP
add channel=106 channel.frequency=5500 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-1 radio-mac=48 \
    security=sec1 steering=steering1
# operated by CAP 48%bridge, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-2 radio-mac=48 security=sec1 steering=\
    steering1
set [ find default-name=wifi2 ] channel=11 channel.frequency=2462 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \
    steering=steering1
/interface wifi access-list
add action=reject disabled=yes interface=cap-2 mac-address=1C
/interface wifi capsman
set enabled=yes

But I have got no further down the road with this, I can connect to SSID 002&Radio fine but not to 001 with FT enabled.

ToTheFull · July 5, 2025, 11:47am

Yes thanks I’ve had a tidy up.

ToTheFull · July 8, 2025, 5:04pm

I think I have it solved, new device aquired and up and running with a Main SSID 001 and Guest SSID Radio Both set to Roam hopefully!
Config:

# 2025-07-08 17:32:37 by RouterOS 7.21_ab273
# software id =
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface wifi channel
add band=5ghz-ax comment=25mw disabled=no frequency=5745-5745 name=155 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180-5180 name=42 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500-5500 name=106 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412-2412 name=1 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437-2437 name=6 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462-2462 name=11 skip-dfs-channels=10min-cac width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    management-protection=allowed name=sec1 wps=disable
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    management-protection=allowed name=sec3 wps=disable
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-5a6559f0 rrm=yes wnm=yes
add disabled=no name=steering2 neighbor-group=dynamic-Radio-ab860900 rrm=yes wnm=yes
/interface wifi
# operated by CAP 48:04%bridge, traffic processing on CAP
add channel=106 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-1 radio-mac=48:06 \
    security=sec1 steering=steering1
# operated by CAP 48:04%bridge, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-2 radio-mac=48:07 security=\
    sec1 steering=steering1
set [ find default-name=wifi1 ] channel=42 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \
    steering=steering1
set [ find default-name=wifi2 ] channel=11 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 \
    steering=steering1
add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=1A:B2 master-interface=wifi1 name=wifi3 \
    security=sec3 steering=steering2
add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=1A:B3 master-interface=wifi2 name=wifi4 \
    security=sec3 steering=steering2
/interface wifi access-list
add action=reject disabled=yes interface=cap-2 mac-address=1C:
/interface wifi capsman
set enabled=yes

Are we good here now, I can’t decide if I need to select the neighbour group/steering explicit or not, as it seems to be created and added anyway ?

IE This…

nonolk · July 10, 2025, 8:56am

@ToTheFull may I ask you if the latest config solved the issue with IpadOS 15.8.4 not connecting with FT enabled or not ?

I have exactly the same issue (I openned a support ticket open a long time ago), and it looks like just adapting my config to looks like your is not enough, the only diffrence is ROS version, I’m on 7.19.3 your are on an Alpha one.

ToTheFull · July 10, 2025, 1:59pm

Sorry if any confusion was caused, I was being pedantic.

At the moment I’m rocking 7.21ab273 with same SSID and FT Enabled and I’m afraid it’s a no go.
I am happy to keep testing though and will keep an eye out if you get any movement.
Devices not working:

Current Config…

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5745-5745 name=155 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180-5180 name=42 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500-5500 name=106 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412-2412 name=1 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437-2437 name=6 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462-2462 name=11 skip-dfs-channels=10min-cac width=20mhz

/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    management-protection=allowed name=sec1 wps=disable

add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes \
    management-protection=allowed name=sec3 wps=disable

/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-5a6559f0 rrm=yes wnm=yes
add disabled=no name=steering2 neighbor-group=dynamic-Radio-ab860900 rrm=yes wnm=yes

/interface wifi
# operated by CAP %bridge, traffic processing on CAP
add channel=106 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-1 radio-mac=48:06 security=sec1 steering=steering1

# operated by CAP %bridge, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-2 radio-mac=48:07 security=sec1 steering=steering1

set [ find default-name=wifi1 ] channel=42 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 steering=steering1
set [ find default-name=wifi2 ] channel=11 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no security=sec1 steering=steering1

add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=1A:B2 master-interface=wifi1 name=wifi3 security=sec3 steering=steering2
add configuration.hide-ssid=yes .mode=ap .ssid=Radio disabled=no mac-address=1A:B3 master-interface=wifi2 name=wifi4 security=sec3 steering=steering2

/interface wifi capsman set enabled=yes

erlinden · July 10, 2025, 2:32pm

Not sure if it is related to the problem of @nonolk…
When using authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk
my iPad won’t connect. I have to remove wpa2-psk-sha2 to get it to work again.

Or is this not supported on v7.20beta5?

ToTheFull · July 10, 2025, 2:44pm

Last time I checked no It’s further down the road

erlinden · July 10, 2025, 4:14pm

In addition, when attempting to connect with the iPad I get the message “invalid AKMP”.
Shown when debug & wireless logging is enabled.

A1phaM4trix · July 10, 2025, 4:29pm

AFAIK when using WPA2-PSK AND WPA3-PSK (= Transition Mode) remove the Encryption (no CCMP or GCMP - it will be chosen automatically).

ToTheFull · July 10, 2025, 4:35pm

If you look at the openwrt logging of the Ipad in question connecting in post 1 you will see just that, I was curious and thought I had a setting wrong when I tested. On double checking it was all correct.

erlinden · July 10, 2025, 4:41pm

Do you mind giving it a try when only wpa2-psk and wpa3-psk are set as authentication-type, @ToTheFull?

A1phaM4trix · July 10, 2025, 4:42pm

I was referring to the MT config. @ToTheFull

ToTheFull · July 10, 2025, 4:53pm

It’s a no still, what Model do you have?

/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp \
    ft=yes ft-over-ds=yes management-protection=allowed name=sec1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes \
    ft-over-ds=yes management-protection=allowed name=sec3 wps=disable

Debug

2025-07-10 17:51:54 wireless,debug 5E:86:E6:A7:56:9B@wifi3(Radio) associated, signal strength -67
2025-07-10 17:51:54 wireless,debug 5E:86:E6:A7:56:9B@wifi3(Radio) disassociated, connection lost, signal streng
th -66

erlinden · July 10, 2025, 5:15pm

RB4011 as CAPsMAN, wAP AX (multiple) as CAP.
iOS version is 18.5.