IOS 26 and Mikrotik 7.22.x Wifi - bad relationship?

Morning all,

Over the last months I have found a setup for ROS7 Capsman (Wifi) that seems to work well. Handover works as intended.

However, last week I installed a similar setup at 2 different customers using 7.22.1, and at both places some devices connected like a charm (including my Pixel 8 phone and HP notebook) and also some Apple devices, whilst other Apple devices (newer, on IOS 26?) never connect. After entering the password simply nothing happens.

AI told me to try w/o FT and WPA3, I disabled and now this is the setup:

/interface wifi channel
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=channel-2AX \
    reselect-interval=6h..12h skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-n disabled=no name=channel-5AX reselect-interval=6h..12h \
    skip-dfs-channels=10min-cac width=20/40mhz

/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1

/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=no \
    ft-over-ds=no name=sec1 passphrase=MyPass

/interface wifi configuration
add channel=channel-2AX country=Norway datapath=datapath1 disabled=no \
    interworking.realms-raw="" mode=ap name=cfg-2AX security=sec1 \
    ssid=MySSID tx-power=23
add channel=channel-5AX country=Norway datapath=datapath1 disabled=no \
    interworking.realms-raw="" mode=ap name=cfg-5AX security=sec1 \
    ssid=MySSID tx-power=23

/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path=/ require-peer-certificate=no \
    upgrade-policy=suggest-same-version

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2AX \
    name-format="%I-2.4GHz AX" supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5AX \
    name-format="%I-5GHz AX" supported-bands=5ghz-n

What I have changed since initial setup is:
-Removed WPA3
-Disabled FT
-Disabled FT over DS

Customer #1 now reports that his devices connect fine.
Customer #2 hasn’t tested yet, will do tonight.

AI says this is about newer IOS versions and newer ROS.

So my question is:
-What is the real problem, is it Apple or MT (or both) that is not complying with standards?
-Am I right in my observation that WPA2 and no FT is the solution?
-Will re-enabling WPA3 and FT make already authenticated clients stick around or will they be disconnected?
-Any rumors of plans to rectify?

This:

is the actual problem, see:

Thanks for your prompt reply!

So short version is that editing Configuration with Winbox inserts the empty interworking.realm-raw param, which breaks IOS26 access?
And MT haven’t addressed it?

I upgraded the controller of one of the customers to 7.22.2 and did a test - just changing a param in Configuration still inserts the setting… so apparently they haven’t.

So when realm-raw is removed I can re-enable WPA3, HT and HT over DS and be a happy man?

AFAIK it is related to the old Winbox. So start using the latest Winbox version.

And indeed, this is (the only setting) that is preventing proper operation.

Yep, and likely they won't address it, it looks like the only way to make people use the (stupid, slow, resource hungry) new thingy (Winbox 4.x).
I wouldn't go as far as saying that it was intentional, still ...

Most likely, yes.

I’ve been using Winbox 4 quite a bit, and I am not against it in general.
But I think some of the pages/windows are arranged in a clumsy way, providing little information visible and requiring me to access tabs and scroll excessively when I have many Winbox instances stacked on the screen.

Either way, it is certain that at some point some device somewhere will be accessed with Winbox 3, and that this shall break functionality by inserting dummy params is pretty weird.
So they better fix.
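
An added example, not part of the thread and not MikroTik tooling: a Python check over a saved `/export` that flags wifi configurations carrying the empty `interworking.realms-raw=""` parameter discussed above, and lists security profiles still on the WPA2-only, no-FT workaround. The sample export is constructed from the configuration posted in this thread; `wpa3-psk` is the RouterOS value assumed here for WPA3-Personal.

```python
import shlex

# Constructed sample modelled on the export posted in this thread
# (placeholder values; a trailing "\" marks a wrapped line, as /export emits).
SAMPLE_EXPORT = r'''
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=no ft-over-ds=no name=sec1 \
    passphrase=MyPass
/interface wifi configuration
add channel=channel-2AX country=Norway datapath=datapath1 disabled=no \
    interworking.realms-raw="" mode=ap name=cfg-2AX security=sec1 \
    ssid=MySSID tx-power=23
add channel=channel-5AX country=Norway datapath=datapath1 disabled=no mode=ap \
    name=cfg-5AX security=sec1 ssid=MySSID tx-power=23
'''

def parse_export(text):
    """Yield (menu, params) per 'add' line, joining backslash continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted values in one token
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return (item name, finding) tuples for the settings this thread discusses."""
    findings = []
    for menu, p in parse_export(text):
        name = p.get("name")
        if menu == "/interface wifi configuration":
            # Present-but-empty is the problem case; an absent key is fine.
            if p.get("interworking.realms-raw") == "":
                findings.append((name, "empty interworking.realms-raw"))
        elif menu == "/interface wifi security":
            if "wpa3-psk" not in p.get("authentication-types", "").split(","):
                findings.append((name, "WPA3 not enabled"))
            if p.get("ft") == "no":
                findings.append((name, "FT disabled"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EXPORT):
        print(f"{name}: {finding}")
```

Running it against exports taken after any Winbox 3 session shows whether the parameter has been re-inserted.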

Thanks for the advice guys 🙂
Things now seem to work well at both customers - except for a very old Ipad Air 2 running IOS 15.8.7.
It never sees the network, even if I disable 5GHz and set the 2.4 radio to N only.
Customer has per my instructions done a cold restart and also in-out of flight mode several times.
He also tried to enter the network name and WPA2 psw manually but no luck.
The Ipad sees his old router (from other ISP) and the usual neighbors’ network.

Thought all these chips ought to be backward compatible, so that devices at least should see the beacons from the AP, but maybe there is a limit where device will be re-classified as “paperweight”?
Or can I tweak something, making it appear?
Apple-stuff is not my #1, is there a way to do a “master clear” of all settings regarding the NIC/Wifi?

Nearly there…can you supply current config?

This is the config - just disabled FT and WPA3 - plan to enable these in final cfg.

/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel-2AX \
    reselect-interval=6h..12h skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-ax disabled=no name=channel-5AX reselect-interval=6h..12h \
    skip-dfs-channels=10min-cac width=20/40mhz

/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1

/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=no \
    ft-over-ds=no name=sec1 passphrase=MyPass

/interface wifi configuration
add channel=channel-2AX country=Norway datapath=datapath1 disabled=no mode=ap \
    name=cfg-2AX security=sec1 ssid=MySSID tx-power=23
add channel=channel-5AX country=Norway datapath=datapath1 disabled=no mode=ap \
    name=cfg-5AX security=sec1 ssid=MySSID tx-power=23

/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path=/ require-peer-certificate=no \
    upgrade-policy=suggest-same-version

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2AX \
    name-format="%I-2.4GHz AX" supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5AX \
    name-format="%I-5GHz AX" supported-bands=5ghz-n