v7.19beta [testing] is released!

pe1chl · April 28, 2025, 2:25pm

I didn’t enable WPA3 this time and did set
management-protection=disabled
Now the naughty clients behave, it wasn’t related to what I’ve said above. I’ll move them to another SSID in the future.

That is quite common, also with other manufacturers. WPA3 requires management protection, but even setting it to optional (to allow a WPA2/WPA3 transitional setup) breaks some clients.

Znevna · April 28, 2025, 2:34pm

MikroTik by my understanding does this (by default, WMP (Wireless Management Protection) untouched):

If WPA3 isn’t set, WMP = allow
If WPA3 is set WMP, = required, and can’t be set to allow because it’s mandatory for WPA3.
Even with it set to allow (or unset, which defaults to allow) (case 1.) some clients are bitchy.

BrateloSlava · April 28, 2025, 3:31pm

In most cases, WPA2+WPA3 is enabled. How do you suggest to be in such a case?

pe1chl · April 28, 2025, 3:37pm

That is the problem, WPA2+WPA3 will not work with all clients. Especially old and IoT clients have trouble with that.
You can only use WPA2 and when you want WPA3 you need to put that on a different SSID.

Znevna · April 28, 2025, 3:43pm

That’s case nr. 2. from above, if WPA3 is one of the chosen auth types, no matter what others you choose, you have no say over WMP, it gets set to Required if you leave it unset, but if you force it to Allowed or Disabled the wireless interface will not go up due to misconfiguration (it will say so in the logs too).

BrateloSlava · April 28, 2025, 4:10pm

The idea is understood. And why it should be configured this way to reduce problems is also clear.
However, such “division” of WiFi network by authentication type into several subnets is absolutely inconvenient for mass use. Explaining to users that their phones should be connected to one WiFi network and their laptops to another… If their laptops don’t normally want to work on the same network as their smartphones. With ioT devices it’s easier - dedicate a separate WiFi network for it. Just like CCTV cameras.

Znevna · April 28, 2025, 4:34pm

I’ve only encountered issues with IoT devices, so laptops and smartphones should be safe on the same SSID (no explaining required :P)

TrevinLC1997 · April 28, 2025, 5:08pm

*) wifi - add information on CAP uptime and connection uptime in "Remote CAP" list;
*) wifi - added "eap-identity" to registration table;

Just curious has anyone seen these? I’ve upgraded my capsman server and cap AX to 7.19 beta8 but don’t see these options on the capsman server.

pe1chl · April 29, 2025, 7:23am

Unfortunately, the fact that it is “inconvenient” will not make it go away.
Just visit some other WiFi manufacturer’s forums and you will see that it is the same all over the place: once you enable advanced protocols like WPA3 or 802.11r (fast roaming), the trouble with old and tiny clients will begin.
The problem is in the clients, and there is absolutely no way the AP manufacturer can solve them, the only workaround is to have different networks (SSIDs).

ToTheFull · April 29, 2025, 7:48am

I came to this conclusion a long time ago, even some old apple devices wont connect when FT is enabled. It’s Infuriating actually and not as I envisaged my New Mikrotik WiFi 6 setup to be. Whats that saying… “You Can’t Always Get What You Want, But if you try sometimes, well, you might find You get what you need”

strods · April 29, 2025, 11:43am

Version 7.19rc has been released:
http://forum.mikrotik.com/t/v7-19rc-testing-is-released/183473/1