Framework 16 can't connect to cAP ax using WPA3-PSK

I recently migrated from Ubiquiti to Mikrotik, and was hoping to use this migration as an opportunity to remove WPA2 from my network. My Framework 16 running Windows 11 supports WPA3 when connecting to my previous Ubiquiti IW-HD, as well as a hotspot from a Google Pixel 8, but when attempting to connect to this cAP ax it fails to connect. Other devices on my network did not have this problem. Adding WPA2 PSK SHA2 to the configuration resolved the connection issue, but is not what I would like long term. Since the laptop works with two other hardware vendors my suspicion is my Mikrotik configuration, but I did also post on their forum just in case.

My network is using a pfSense as a router and DHCP server, a CRS112-8P-4S-IN as a PoE switch and CAPsMAN manager, a CRS326-24G-2S+RM as additional non-PoE ports fed from SFP on the CRS112, and a cAP ax acting as an access point in CAP mode, powered by the CRS112 and looking to that CRS112 as its CAPsMAN manager. Sorry if CAPsMAN manager is like saying ATM machine. CRS326 mentioned only to be thorough, it should not interact with this problem.

CRS112 export:

# 2025-10-25 06:11:54 by RouterOS 7.20.1
# software id = secret
#
# model = CRS112-8P-4S
# serial number = secret
/interface bridge add name=bridge
/interface ethernet set [ find default-name=sfp11 ] auto-negotiation=no
/interface vlan add interface=bridge name=manage vlan-id=168
/interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether5,ether6,ether7,sfp11
/interface wifi configuration add country="United States" datapath.bridge=bridge .vlan-id=11 disabled=no hide-ssid=yes name=automation-cfg security.authentication-types=wpa2-psk-sha2,wpa3-psk ssid=automation
/interface wifi configuration add country="United States" datapath.bridge=bridge .vlan-id=24 disabled=no name=work-cfg security.authentication-types=wpa2-psk-sha2,wpa3-psk ssid=work
/interface wifi configuration add country="United States" datapath.bridge=bridge .vlan-id=160 disabled=no hide-ssid=yes name=admin-cfg security.authentication-types=wpa2-psk-sha2,wpa3-psk ssid=admin
/interface wifi configuration add country="United States" datapath.bridge=bridge .vlan-id=241 disabled=no name=sharing-cfg security.authentication-types=wpa2-psk-sha2,wpa3-psk ssid=sharing
/interface wifi configuration add country="United States" datapath.bridge=bridge .vlan-id=312 disabled=no name=interwebs-cfg security.authentication-types=wpa2-psk-sha2,wpa3-psk ssid=interwebs
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/port set 0 name=serial0
/caps-man manager set ca-certificate=auto enabled=yes
/caps-man manager interface add disabled=no interface=manage
/certificate settings set builtin-trust-anchors=not-trusted
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=sfp9
/interface bridge port add bridge=bridge interface=sfp10
/interface bridge port add bridge=bridge interface=sfp11
/interface bridge port add bridge=bridge interface=sfp12
/interface bridge port add bridge=bridge interface=ether7
/interface ethernet switch egress-vlan-tag add comment=automation tagged-ports=ether1,ether2,sfp11 vlan-id=11
/interface ethernet switch egress-vlan-tag add comment=work tagged-ports=ether1,ether2,sfp11 vlan-id=24
/interface ethernet switch egress-vlan-tag add comment=admin tagged-ports=ether1,ether2,sfp11 vlan-id=160
/interface ethernet switch egress-vlan-tag add comment=manage tagged-ports=switch1-cpu,ether1,ether2,sfp11 vlan-id=168
/interface ethernet switch egress-vlan-tag add comment=sharing tagged-ports=ether1,ether2,sfp11 vlan-id=241
/interface ethernet switch egress-vlan-tag add comment=interwebs tagged-ports=ether1,ether2,sfp11 vlan-id=312
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=160 ports=ether5
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=11 ports=ether6
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=168 ports=ether7
/interface ethernet switch vlan add comment=automation ports=ether1,ether2,ether6,sfp11 vlan-id=11
/interface ethernet switch vlan add comment=work ports=ether1,ether2,sfp11 vlan-id=24
/interface ethernet switch vlan add comment=admin ports=ether1,ether2,ether5,sfp11 vlan-id=160
/interface ethernet switch vlan add comment=manage ports=switch1-cpu,ether1,ether2,ether7,sfp11 vlan-id=168
/interface ethernet switch vlan add comment=sharing ports=ether1,ether2,sfp11 vlan-id=241
/interface ethernet switch vlan add comment=interwebs ports=ether1,ether2,sfp11 vlan-id=312
/interface wifi capsman set ca-certificate=auto enabled=yes interfaces=manage package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=sharing-cfg slave-configurations=admin-cfg,automation-cfg,interwebs-cfg,work-cfg supported-bands=5ghz-a
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=sharing-cfg slave-configurations=admin-cfg,automation-cfg,interwebs-cfg,work-cfg supported-bands=2ghz-ax
/ip address add address=172.16.8.11/24 interface=manage network=172.16.8.0
/ip dns set servers=172.16.8.1
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=172.16.8.1 routing-table=main suppress-hw-offload=no
#error exporting "/ip/ssh" (timeout)
/system clock set time-zone-name=America/Chicago

cAP ax export

# 2025-10-25 06:16:52 by RouterOS 7.20.1
# software id = secret
#
# model = cAPGi-5HaxD2HaxD
# serial number = secret
/interface bridge add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: sharing, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge .vlan-id=241 disabled=no name=sharing-2.4ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: sharing, channel: 5865/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge .vlan-id=241 disabled=no name=sharing-5ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: work
add configuration.mode=ap datapath.bridge=bridge .vlan-id=24 disabled=no mac-address=secret master-interface=sharing-2.4ghz-caps name=work-2.4ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: work
add configuration.mode=ap datapath.bridge=bridge .vlan-id=24 disabled=no mac-address=secret master-interface=sharing-5ghz-caps name=work-5ghz-caps
/interface vlan add interface=bridge name=manage vlan-id=168
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: admin
add configuration.mode=ap datapath.bridge=bridge .vlan-id=160 disabled=no mac-address=secret master-interface=sharing-2.4ghz-caps name=admin-2.4ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: admin
add configuration.mode=ap datapath.bridge=bridge .vlan-id=160 disabled=no mac-address=secret master-interface=sharing-5ghz-caps name=admin-5ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: automation
add configuration.mode=ap datapath.bridge=bridge .vlan-id=11 disabled=no mac-address=secret master-interface=sharing-2.4ghz-caps name=automation-2.4ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: automation
add configuration.mode=ap datapath.bridge=bridge .vlan-id=11 disabled=no mac-address=secret master-interface=sharing-5ghz-caps name=automation-5ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: interwebs
add configuration.mode=ap datapath.bridge=bridge .vlan-id=312 disabled=no mac-address=secret master-interface=sharing-2.4ghz-caps name=interwebs-2.4ghz-caps
/interface wifi
# managed by CAPsMAN secret%manage, traffic processing on CAP
# mode: AP, SSID: interwebs
add configuration.mode=ap datapath.bridge=bridge .vlan-id=312 disabled=no mac-address=secret master-interface=sharing-5ghz-caps name=interwebs-5ghz-caps
/certificate settings set builtin-trust-anchors=not-trusted
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 trusted=yes
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=168
/interface bridge port add bridge=bridge interface=sharing-5ghz-caps
/interface bridge port add bridge=bridge interface=sharing-2.4ghz-caps
/interface bridge vlan add bridge=bridge comment=automation tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps vlan-ids=11
/interface bridge vlan add bridge=bridge comment=work tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps vlan-ids=24
/interface bridge vlan add bridge=bridge comment=admin tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps vlan-ids=160
/interface bridge vlan add bridge=bridge comment=sharing tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps vlan-ids=241
/interface bridge vlan add bridge=bridge comment=interwebs tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps vlan-ids=312
/interface bridge vlan add bridge=bridge comment=automation tagged=ether1,sharing-5ghz-caps,sharing-2.4ghz-caps,bridge vlan-ids=168
/interface wifi cap set caps-man-addresses=172.16.8.11 certificate=request discovery-interfaces=manage enabled=yes slaves-static=yes
/ip address add address=172.16.8.51/24 interface=manage network=172.16.8.0
/ip dns set servers=172.16.8.1
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=172.16.8.1 routing-table=main suppress-hw-offload=no
/system clock set time-zone-name=America/Chicago

Thanks for the help,

I have the feeling you mixed up the wifi-qcom and wifi-qcom-ac setups on the CAPs,
while all you need is (something like) this:

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=manage vlan-id=168
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=11
add bridge=bridge tagged=ether1 vlan-ids=24
add bridge=bridge tagged=ether1 vlan-ids=160
add bridge=bridge tagged=ether1 vlan-ids=241
add bridge=bridge tagged=ether1 vlan-ids=312
add bridge=bridge tagged=bridge,ether1 vlan-ids=168
add bridge=bridge tagged=ether1 vlan-ids=53
/interface wifi cap
set caps-man-addresses=172.16.8.11 certificate=request discovery-interfaces=manage enabled=yes
/ip address
add address=172.16.8.51/24 interface=manage network=172.16.8.0
/ip dns
set servers=172.16.8.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.8.1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Chicago

Adding all the interfaces as ports to the VLANs is handled by CAPsMAN.

But this has nothing to do with your problem in regards to wpa3-psk.
You might want to reprovision the cAPs (manually) after setting wpa3-psk only, and remove and then re-add your wireless network on the Framework 16.

Anything in the logs, either on the Framework 16 or on the CAPsMAN (you can enable debug logging for wifi)?

Thanks for the suggestions!
I tried removing WPA2 from three of the wireless configurations, forgetting the network on the Framework, manually provisioning the cAP, and adding the network configuration. The log in CAPsMAN says “wrong passphrase” but I am certain it is the right one as it wasn’t modified in the configuration and I’m copying it from a password manager to prevent typos. Another log entry shortly after says “action timeout”.

What does this suggest?

Does this problem also occur when booting from Linux (USB)?

If you have non-7-bit ASCII characters in your password, that could be the issue.

Only for test, change your wi-fi password to an "insecure" one, plain text, no special characters, and check if the behaviour is the same.

Have you tried your laptop on another WiFi network running WPA3?

Recently I’ve had an issue with a Lenovo Ideapad laptop, two actually - same model, bought different years. One of them was able to establish WPA3-PSK without issues, the other one refused to connect.

What was the difference? Well, the one using WPA3-PSK had an Intel AX200 WiFi card, the other a MediaTek one. The easiest way to resolve this for me was to buy an Intel AX200 and replace the MediaTek.

One thing I didn't know, or more likely hadn't realised before this, was that on the client OS (Windows, or any other) you usually do not have control over which WPA version will be used. Once your SSID starts advertising WPA3 capabilities, the client will try to connect with the highest and safest encryption; if it does not succeed, as in my case, it will never fall back to WPA2, even though that is also advertised. Old clients, on the other hand, just use WPA2 and never even try WPA3.

In my case I even did a WiFi packet capture in order to understand what was happening. I then realised the MediaTek card was failing the last step of the encryption negotiation process. Most likely a driver issue though; it has nothing to do with the wireless capabilities.
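The reply above turns on what the AP advertises in its beacon RSN element and which AKM the client then commits to. The following script, added here as an illustration and not code from any post in this thread or from MikroTik, encodes and decodes the 802.11 RSN information element (element ID 48), lists the AKM suites and the PMF capability bits (MFPC/MFPR), and audits them against the Wi-Fi Alliance WPA3-Personal rules: SAE requires PMF-capable, SAE-only requires PMF-required, transition mode must leave MFPR clear, and TKIP is not allowed next to SAE. The two RSN elements it builds are constructed by hand to mirror a WPA2/WPA3 transition SSID and a WPA3-only SSID; they are not captures from the poster's network. It assumes that RouterOS's `wpa2-psk-sha2` corresponds to AKM suite 6 (PSK-SHA256) and `wpa3-psk` to AKM suite 8 (SAE), and the client preference order in `chosen_akm` models the "strongest first, no fallback" behaviour described above rather than any documented Windows logic.

```python
"""Decode and audit an 802.11 RSN information element (element ID 48).

Added example for this thread; it is not code from the original posts or
from MikroTik/Windows. The RSN elements built at the bottom are constructed
by hand to mirror what a WPA2/WPA3 transition-mode SSID and a WPA3-only SSID
advertise in their beacons; they are not captures from the poster's network.
"""
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite-selector OUI used by RSN

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "Suite-B-192", 18: "OWE"}

MFPR = 1 << 6  # RSN capabilities bit 6: management frame protection required
MFPC = 1 << 7  # RSN capabilities bit 7: management frame protection capable


def build_rsn_ie(pairwise, akms, caps, group=4):
    """Encode a complete RSN element: ID, length, then the RSN body."""
    body = struct.pack("<H", 1) + OUI + bytes([group])       # version 1, group cipher
    body += struct.pack("<H", len(pairwise))
    body += b"".join(OUI + bytes([c]) for c in pairwise)      # pairwise cipher list
    body += struct.pack("<H", len(akms))
    body += b"".join(OUI + bytes([a]) for a in akms)          # AKM suite list
    body += struct.pack("<H", caps)                           # RSN capabilities
    return bytes([48, len(body)]) + body


def parse_rsn_ie(ie):
    """Decode an RSN element (with its 2-byte header) into a dict."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    pos = 0

    def suite_list():
        nonlocal pos
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        suites = []
        for _ in range(count):
            oui, typ = body[pos:pos + 3], body[pos + 3]
            pos += 4
            # Non-IEEE OUIs are vendor suites; keep them visible rather than dropping them.
            suites.append(typ if oui == OUI else ("vendor", oui.hex(), typ))
        return suites

    (version,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = body[pos + 3] if body[pos:pos + 3] == OUI else None
    pos += 4
    pairwise = suite_list()
    akms = suite_list()
    caps = 0
    if pos + 2 <= len(body):  # the capabilities field is optional in the standard
        (caps,) = struct.unpack_from("<H", body, pos)
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def audit_rsn(info):
    """Return the WPA3-Personal policy violations a beacon would reveal."""
    problems = []
    akms = {a for a in info["akms"] if isinstance(a, int)}
    if 8 in akms and not info["mfpc"]:
        problems.append("SAE advertised without MFPC: WPA3 requires PMF-capable")
    if akms == {8} and not info["mfpr"]:
        problems.append("SAE-only network without MFPR: WPA3-Personal requires PMF")
    if 8 in akms and (2 in info["pairwise"] or info["group"] == 2):
        problems.append("TKIP offered alongside SAE: WPA3 forbids TKIP")
    if akms & {2, 6} and 8 in akms and info["mfpr"]:
        problems.append("transition mode with MFPR set: WPA2 clients without PMF cannot join")
    return problems


def chosen_akm(advertised, client_supported):
    """AKM a client tries under the 'strongest first, no fallback' order the
    reply describes; the exact order is an assumption, not documented Windows
    behaviour."""
    for akm in (8, 6, 2):  # SAE, then PSK-SHA256, then PSK
        if akm in advertised and akm in client_supported:
            return AKMS[akm]
    return None


def describe(ie):
    info = parse_rsn_ie(ie)
    names = ", ".join(AKMS.get(a, str(a)) for a in info["akms"])
    print(f"AKMs: {names}; MFPC={info['mfpc']} MFPR={info['mfpr']}; problems={audit_rsn(info)}")


if __name__ == "__main__":
    # Constructed: transition mode, CCMP, PSK-SHA256 + SAE, PMF capable but optional.
    transition = build_rsn_ie(pairwise=[4], akms=[6, 8], caps=MFPC)
    # Constructed: WPA3-only, CCMP, SAE, PMF required.
    wpa3_only = build_rsn_ie(pairwise=[4], akms=[8], caps=MFPC | MFPR)
    # Constructed misconfiguration: SAE advertised with PMF left off entirely.
    broken = build_rsn_ie(pairwise=[4], akms=[8], caps=0)
    for element in (transition, wpa3_only, broken):
        describe(element)
    print("WPA2-only client on transition SSID ->", chosen_akm([6, 8], {2, 6}))
    print("WPA2-only client on WPA3-only SSID ->", chosen_akm([8], {2, 6}))
```

To apply this to a real capture, copy the RSN element bytes from a beacon in Wireshark (filter `wlan.fc.type_subtype == 0x0b` to see the SAE Commit and Confirm frames that follow) and pass them to `parse_rsn_ie`. One caveat worth keeping in mind when reading an AP-side "wrong passphrase": in SAE the AP only learns that the client's Confirm value did not verify, so a client that derives the password element or the Confirm differently from the AP produces exactly the same log line as a genuinely wrong password.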

Thanks for the suggestions!
I did try my laptop on a hotspot from a pixel configured to be wpa3 only, and the laptop worked well. I’ll relearn Wireshark soon, it has been on my to-do list for a while, and see if that shows anything new and interesting.

Thanks for the suggestion! I tried a simple letter-only password: it worked on my Pixel 9, but it did not work on my Framework 16. I did delete the remembered network from the Framework 16 between trying the old, insecure, and new passwords.

I found some very high packet loss on the network, but only when routing between VLANs, so I thought maybe it would be related. It turned out to be a mismatch in L2MTU and was resolved by increasing and matching across all switches and access point. CRS326, CRS112, and cAP AX all L2MTU set to 9000. Unfortunately this was an unrelated problem.