Roaming Issue on CAPsMAN

I’m a MikroTik user who has set up a WiFiWave2 network with support for the 802.11kvr roaming protocol. However, I’m encountering some issues in the operation of the network, and I’m seeking your assistance and insights to address these problems.

Here’s a brief overview of my hardware setup:

CAPsMAN Controller: RB5009UPr+S+
CAPs (Access Points):
2 x C52iG-5HaxD2HaxD
2 x C53UiG+5HPaxD2HPaxD
All devices are running RouterOS version 7.11rc3.

Configuration on RB5009UPr+S+ (CAPsMAN Controller):

/interface bridge
add name=BRG-LAN-76
/interface bridge port
add bridge=BRG-LAN-76 ingress-filtering=no interface=ETH-2-LAN
...
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=WLAN-PROFILE
/interface wifiwave2 configuration
add channel.band=2ghz-n frequency=2412-2472 width=20mhz country=China disabled=no \
    name=2GHz_N security=WLAN-PROFILE ssid=LINK-2G steering.rrm=yes wnm=yes
add channel.band=5ghz-ax skip-dfs-channels=disabled width=20/40/80mhz country=China \
    disabled=no mode=ap name=5GHz_AX security=WLAN-PROFILE ssid=LINK steering.rrm=yes \
    wnm=yes
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes interfaces=BRG-LAN-76 package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5GHz_AX \
    name-format=%I-5G- supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=2GHz_N \
    name-format=%I-2G- supported-bands=2ghz-n

Configuration on hAPax^3 and hAPax^2 (CAPs):

/interface bridge
add name=BRG-LAN
/interface bridge port
add bridge=BRG-LAN interface=all
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.manager=capsman mode=ap disabled=no \
    name=WLAN-1-5G
set [ find default-name=wifi2 ] configuration.manager=capsman mode=ap disabled=no \
    name=WLAN-2-2G
/interface wifiwave2 cap
set discovery-interfaces=BRG-LAN enabled=yes

The Issue:
After initial configuration, the network works well, and roaming for various devices, including Android and some iOS devices, functions correctly. However, after a period of time, typically around 1 day, some iOS devices (such as iPhone 13 and iPad mini 5 with the latest updates) experience a roaming issue. These devices fail to switch APs even when they are in close proximity to a new AP. Restarting the WiFi on the affected devices usually restores proper roaming behavior. Android devices do not exhibit this issue.

I’m unsure whether the problem lies in my configuration or if there might be a bug in RouterOS. I’d greatly appreciate any suggestions, solutions, or insights you could provide to help me troubleshoot and resolve this roaming issue.

Thank you in advance for your assistance and support!

Best regards,
peri

https://support.apple.com/en-us/HT203068

Hi, you can try changing “ft-over-ds=yes” to no.

It was working with problems for me too. It disrupts the connection between AP and router. The Ethernet interface was disconnected and connected again at a lower speed and remained at 100 Mbps.

Edit: it is fixed.

I have a similar problem with roaming on my Android OnePlus and my notebook with Intel AX.
I tested with and without ft and steering (rrm, wnm), but I had the same results: Wi-Fi drops and reconnects.
Here is my wifi conf on CAPsMAN 7.17:

/interface wifi datapath
add disabled=no name=datapath-guest vlan-id=200
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=sec-lan
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=sec-guest
/interface wifi steering
add disabled=no name=steering-lan neighbor-group=dynamic-Home-WiFi-9a91126b rrm=yes wnm=yes
add disabled=no name=steering-guest neighbor-group=dynamic-Guest-WiFi-1c2b9b73 rrm=yes wnm=yes
/interface wifi configuration
add antenna-gain=0 country=Italy disabled=no name=cfg-lan security=sec-lan ssid=Home-WiFi steering=steering-lan
add datapath=datapath-guest disabled=no name=cfg-guest security=sec-guest ssid=Guest-WiFi steering=steering-guest
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A18C31229 certificate=WiFi-CAPsMAN-789A18C31229 enabled=yes interfaces=bridge-vlan70-cap package-path="" require-peer-certificate=yes upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=2ghz-ax

To have roaming working for all devices, I had to add connect-priority=0/1 on security besides ft=yes and ft-over-ds=yes.

@nclmrc, you are missing country on the guest network. I think it doesn’t matter as it is the slave config, but still…
And antenna-gain is incorrect (and shouldn’t be used at all, unless you attach a different antenna to your Routerboard).
Lastly (I see a lot of things in your config), you are mixing tagged and untagged. I prefer to use explicit VLANs per network, not only for guest.

Fixed country for slave and removed antenna gain.
What does connect-priority 0/1 do?

SecurityProperties

Same results: when the signal is very poor, the Wi-Fi drops and the phone reconnects to the new AP.

Please show adjusted config and logging.
As well, add RouterOS and firmware version.

# 2025-01-21 08:24:02 by RouterOS 7.17
# software id = FZII-NFF9
#
# model = RB5009UG+S+
# serial number = HFE094B31YA
/interface wifi datapath
add client-isolation=yes disabled=no name=datapath-guest vlan-id=200
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=sec-lan
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=sec-guest
/interface wifi steering
add disabled=no name=steering-lan neighbor-group=dynamic-Home-WiFi-9a91126b rrm=yes wnm=yes
add disabled=no name=steering-guest neighbor-group=dynamic-Guest-WiFi-1c2b9b73 rrm=yes wnm=yes
/interface wifi configuration
add country=Italy disabled=no name=cfg-lan security=sec-lan ssid=Home-WiFi steering=steering-lan
add country=Italy datapath=datapath-guest disabled=no name=cfg-guest security=sec-guest ssid=Guest-WiFi steering=steering-guest
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A18C31229 certificate=WiFi-CAPsMAN-789A18C31229 enabled=yes interfaces=bridge-vlan70-cap package-path="" require-peer-certificate=yes upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=2ghz-ax


Could you do these steps (at least for testing purposes):

  1. Remove encryption settings (leaving it to ccmp as default)
  2. Remove wpa3-psk
  3. Reboot all CAPs
  4. Remove wifi network from client and add it again (and check if that improved anything?)

Is it OK?

/interface wifi datapath
add client-isolation=yes disabled=no name=datapath-guest vlan-id=200
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes name=sec-lan
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no encryption=ccmp ft=yes ft-over-ds=yes name=sec-guest
/interface wifi steering
add disabled=no name=steering-lan neighbor-group=dynamic-Home-WiFi-9a91126b rrm=yes wnm=yes
add disabled=no name=steering-guest neighbor-group=dynamic-Guest-WiFi-1c2b9b73 rrm=yes wnm=yes
/interface wifi configuration
add country=Italy disabled=no name=cfg-lan security=sec-lan ssid=Home-WiFi steering=steering-lan
add country=Italy datapath=datapath-guest disabled=no name=cfg-guest security=sec-guest ssid=Guest-WiFi steering=steering-guest
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-789A18C31229 certificate=WiFi-CAPsMAN-789A18C31229 enabled=yes interfaces=bridge-vlan70-cap package-path="" require-peer-certificate=yes upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg-lan slave-configurations=cfg-guest supported-bands=2ghz-ax

@nclmrc
Remove “encryption=ccmp”; it’s better not to specify encryption.

Agree with @massinia (hence I suggested to remove encryption settings).
Hope this makes things better for you. Keep us posted.
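
The settings raised in the replies above can be checked mechanically against a RouterOS export. The following is an added example, not part of any post in this thread and not MikroTik code: it parses an export and lists, per security profile, the items the replies asked about (explicit encryption list, wpa3-psk, ft, connect-priority), plus the CAPsMAN require-peer-certificate value, which differs between the two configurations posted. The sample export, its shortened names and the function names are constructed for illustration.

```python
import shlex

# Constructed sample modelled on the exports posted in the thread (names shortened).
SAMPLE_EXPORT = r"""
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no \
    encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=sec-lan
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes \
    ft-over-ds=yes name=sec-guest
/interface wifi capsman
set enabled=yes interfaces=bridge-cap package-path="" require-peer-certificate=no
"""

def parse_export(text):
    """Return [(menu_path, command, {key: value})] from a RouterOS export."""
    entries, menu = [], ""
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and export header
            continue
        if line.startswith("/"):              # menu path such as /interface wifi security
            menu = line
            continue
        tokens = shlex.split(line)            # handles quoted values like package-path=""
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], props))
    return entries

def review(text):
    """List the settings discussed in the thread as (owner, note) pairs."""
    findings = []
    for menu, cmd, p in parse_export(text):
        if menu.endswith(" security") and cmd == "add":
            name = p.get("name", "?")
            if "encryption" in p:
                findings.append((name, "explicit encryption list"))
            if "wpa3-psk" in p.get("authentication-types", "").split(","):
                findings.append((name, "wpa3-psk enabled"))
            if p.get("ft") != "yes":
                findings.append((name, "ft not enabled"))
            if p.get("connect-priority") != "0/1":
                findings.append((name, "connect-priority is not 0/1"))
        elif menu.endswith(" capsman") and cmd == "set":
            if p.get("require-peer-certificate") != "yes":
                findings.append(("capsman", "peer certificate not required"))
    return findings

if __name__ == "__main__":
    for owner, note in review(SAMPLE_EXPORT):
        print(f"{owner}: {note}")
```

The same parser works on `/interface wifiwave2` exports, since it matches on the last word of the menu path.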

Why is there a manual steering configuration?

/interface wifi steering
add disabled=no name=steering-lan neighbor-group=dynamic-Home-WiFi-9a91126b rrm=yes wnm=yes
add disabled=no name=steering-guest neighbor-group=dynamic-Guest-WiFi-1c2b9b73 rrm=yes wnm=yes

The group is dynamic, but the config is necessary, I think.

Same result: roaming doesn’t work; the transition from 5 GHz to 2 GHz works.

Any suggestions on how to configure STP on CAPsMAN and CAPs?

Why?

It seems that the signal is really bad… how come? Disconnecting with a signal of -90 dB isn’t strange at all.
Can the device (what is it?) be tested in the -40 to -60 range of the CAP?

When I’m at -90 dB and the phone disconnects, I’m in proximity of the CAP on the 2nd floor at -40 dB.
I imagine the transition should happen around -70 dB/-80 dB.