Hi,
I’ve deployed a site (student dorm) with a RB5009 router as CAPSMAN controller, a CRS354 poe switch and 40 wAP AX in CAP mode.
Until now I have used Hotspot on all our sites, but I wanted to test the new PPSK functionality as a replacement, so that each student can have their own private VLAN.
I’ve configured the following VLANs:
- VLAN99 → management
- VLAN100 → hotspot
- VLAN101 → student1 private network
… - VLAN140 → student40 private network
The default Wi-Fi passphrase maps to the legacy hotspot network (VLAN100), and each student will have their own passphrase mapping to their private VLAN.
It works as expected, but on some devices (Pixel 6a, Xiaomi Note 10, Ubuntu laptop…) I get an error the first time I try to join the network when PPSK is enabled, saying that the Wi-Fi password may be wrong. Most of the time it works on the second try on these devices, and after that subsequent connections always work, but this is annoying and will generate user complaints.
It works on the first try on other devices, such as a MacBook Pro, some Windows 10/11 laptops, and newer Pixels (8 and 8a).
I’ve checked the logs, but cannot find any error or useful information, even with wireless debug logging enabled.
Here is my RB5009 config (I only kept two student VLANs for readability):
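# RB5009 CAPsMAN controller config (excerpt: two of the forty student VLANs kept).
# Bridge "lan" is VLAN-filtering; VLAN interfaces hang off it for mgmt (99),
# the legacy hotspot (100) and one /24 per student (101-140).
/interface bridge
add name=lan port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=lan name=vlan99_mgmt vlan-id=99
add interface=lan name=vlan100_hotspot vlan-id=100
add interface=lan name=vlan101 vlan-id=101
add interface=lan name=vlan102 vlan-id=102
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel_2.4_ax width=20mhz
add band=5ghz-ax disabled=no frequency=5180-5240 name=channel_5ghz_ax skip-dfs-channels=all width=20/40mhz
/interface wifi datapath
# vlan-id=1 is the fallback for clients whose passphrase carries no VLAN; every
# multi-passphrase entry below sets its own vlan-id, which overrides this.
add bridge=lan disabled=no name=datapath vlan-id=1
/interface wifi security
# Per-passphrase VLAN assignment comes from the "residence" multi-passphrase group.
add authentication-types=wpa2-psk disabled=no multi-passphrase-group=residence name=ppsk
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-student_test-3cdf6736 rrm=yes wnm=yes
/interface wifi configuration
# NOTE(review): client-isolation=no is set explicitly on the 2 GHz profile only;
# clients sharing hotspot VLAN 100 can reach each other on that VLAN — confirm
# this is intended and that the 5 GHz profile should behave the same way.
add channel=channel_2.4_ax country=France datapath=datapath datapath.client-isolation=no disabled=no mode=ap name=student_2ghz security=ppsk security.ft=yes .ft-over-ds=yes ssid=student_test steering=steering1
add channel=channel_5ghz_ax country=France datapath=datapath disabled=no name=student_5ghz security=ppsk security.ft=yes .ft-over-ds=yes ssid=student_test steering=steering1
/ip hotspot profile
# NOTE(review): mac-auth-password is a live shared credential and this export was
# posted publicly — rotate it, and redact it from future exports. login-by=mac
# trusts the client MAC as an identity, so it is only as strong as MAC spoofing
# is hard on the hotspot VLAN.
add dns-name=hotspot.xxxxx hotspot-address=172.16.0.1 html-directory=hotspot_html_v2 login-by=mac,https,http-pap,mac-cookie mac-auth-password="B{Zv=2a=TLw]3M2m" name=hsprof2 ssl-certificate=hotspot.u-link.fr.cer_0 use-radius=yes
/ip hotspot
add addresses-per-mac=unlimited disabled=no interface=vlan100_hotspot name=hotspot1 profile=hsprof2
/ip hotspot user profile
set [ find default=yes ] shared-users=20
/ip pool
add name=dhcp_pool0 ranges=172.16.0.2-172.16.3.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
add name=dhcp-vlan101 ranges=172.16.101.10-172.16.101.254
add name=dhcp-vlan102 ranges=172.16.102.10-172.16.102.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100_hotspot name=dhcp1
add address-pool=dhcp_pool2 interface=vlan99_mgmt name=dhcp3
# Fix: dhcp-vlan101 was bound to interface=vlan102, leaving vlan101 with no DHCP
# server and vlan102 with two; each server now listens on its own VLAN interface.
add address-pool=dhcp-vlan101 interface=vlan101 name=dhcp-vlan101
add address-pool=dhcp-vlan102 interface=vlan102 name=dhcp-vlan102
/queue simple
add max-limit=100M/100M name=limit-vlan101 target=vlan101
add max-limit=100M/100M name=limit-vlan102 target=vlan102
/interface bridge port
add bridge=lan interface=ether6 internal-path-cost=10 path-cost=10
add bridge=lan interface=ether7 internal-path-cost=10 path-cost=10
/interface bridge vlan
# NOTE(review): ether7 is a bridge port but is not a tagged member of any VLAN
# here, so it only carries the untagged PVID — confirm that is intended.
add bridge=lan tagged=ether6,lan vlan-ids=99,100,101-150
/interface wifi access-list
add action=accept allow-signal-out-of-range=1m disabled=no interface=any signal-range=-80..0
add action=reject allow-signal-out-of-range=1s disabled=no interface=any signal-range=-120..-80 ssid-regexp=""
/interface wifi capsman
# NOTE(review): require-peer-certificate=no means any host that can reach the
# controller on the "lan" bridge can register as a CAP and be provisioned with
# the wifi configuration, including the multi-passphrase group. Consider
# require-peer-certificate=yes with CAP certificates once the CAPs are enrolled.
set ca-certificate=auto certificate=auto enabled=yes interfaces=lan package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=student_5ghz name-format=%I_5Ghz slave-configurations="" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=student_2ghz name-format=%I_2Ghz supported-bands=2ghz-ax
/interface wifi security multi-passphrase
# Each passphrase maps the client to a VLAN: the default one to the hotspot
# VLAN 100, each student's to their private VLAN.
add disabled=no group=residence vlan-id=100 passphrase=DefaultPassphrase
add disabled=no group=residence vlan-id=101 passphrase=Student1Passphrase
add disabled=no group=residence vlan-id=102 passphrase=Student2Passphrase
/ip address
add address=172.16.0.1/22 interface=vlan100_hotspot network=172.16.0.0
add address=10.0.0.1/24 interface=vlan99_mgmt network=10.0.0.0
add address=172.16.101.1/24 interface=vlan101 network=172.16.101.0
add address=172.16.102.1/24 interface=vlan102 network=172.16.102.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=172.16.0.0/22 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.16.101.0/24 dns-server=172.16.101.1 gateway=172.16.101.1
add address=172.16.102.0/24 dns-server=172.16.102.1 gateway=172.16.102.1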
The CRS354 switch is plugged into RB5009 ether6, and the WAN router into ether1.
The switch is configured with all ports as trunks allowing tagged VLANs 99-140.
Any idea what could cause these errors on the first PPSK connection?