Wifi-qcom vs. wireless package, wpa2-psk and an old client device

novalis · March 31, 2025, 8:44pm

Hello,
I am successully using Capsman with older AC devices like cAP AC with “wireless” package.

Now I have bought new AX devices (hAP AX3, hAP AX lite as cAP + new hEX as capsman) and I am testing it on the table before I replace the old ones.

I have it all running with new capsman, vlans etc, but I have one problem with old phone Samsung Galaxy S2.

On the old devices, I have only WPA2-PSK + CCMP enabled

On the new ones, I have the same enabled

But the S2 cannot connect. I have found out, that it only connects, when I have only WPA-PSK enabled, with WPA2-PSK disabled (or with authentication completely disabled)

What is the difference between WPA2-PSK in AC devices (with “wireless” package) and AX devices (with “wifi-qcom” package)? Should’t it be completely the same?

I know S2 is an old device and I won’t normaly be using it, but sometimes I need to use it for a while so it would be nice to solve this problem.

Thanks for any help.

mkx · April 1, 2025, 5:59am

CCMP in wifi should be identical to AES CCM on wireless.

But there are other things which might upset your S2, e.g. FT … if I’m not much mistaken, FT is only available for WPA2 and WPA3, but not for old WPA. So do check that FT tab and try to disable it if it’s enabled.

Generally it seems that some wifi devices get upset if AP announces certain features that legacy devices don’t support. They should ignore availability of unknown features (and most do), but some get upset and won’t connect.

erlinden · April 1, 2025, 6:06am

For comparison reason it would be helpfull to get your config for both old and new:

/caps-man export
/interface wifi export

Remove serial and any other private info, post between code tags by using the </> button.

novalis · April 1, 2025, 7:44pm

Old config:

# 2025-04-01 21:23:01 by RouterOS 7.18.2
#
# model = RB750Gr3
/caps-man channel
add band=2ghz-g/n control-channel-width=\
    20mhz extension-channel=disabled frequency=2412,2437,2462 name=2g-gn \
    reselect-interval=1w3d save-selected=no skip-dfs-channels=no tx-power=17
/caps-man datapath
add bridge=bridge-nn-guest client-to-client-forwarding=no \
    local-forwarding=no name=datapath-nn-guest
/caps-man security
add authentication-types=wpa2-psk eap-methods=passthrough encryption=aes-ccm \
    group-encryption=aes-ccm name=nn-guest
/caps-man configuration
add channel=2g-gn country="czech republic" datapath=datapath-nn-guest \
    distance=indoors installation=indoor mode=ap name=cfg-nn-guest-2g \
    security=nn-guest ssid=guest
/caps-man manager
set ca-certificate=CAPsMAN-CA-C4xxxxA71 certificate=CAPsMAN-C4xxxxA71 \
    enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,g \
    master-configuration=cfg-nn-guest-2g name-format=identity name-prefix=2G

New config:

# 2025-04-01 21:31:27 by RouterOS 7.18.2
#
# model = E50UG
/interface wifi datapath
add bridge=bridge-vlan client-isolation=yes disabled=no name=\
    datapath-nn-guest vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption=\
    ccmp ft=no ft-over-ds=no group-encryption=ccmp \
    management-encryption=cmac management-protection=allowed name=nn-guest
/interface wifi configuration
add country=Czech datapath=datapath-nn-guest \
    disabled=no mode=ap name=nn-guest security=nn-guest ssid=\
    guest
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-Fxxxxxxxx2 certificate=\
    WiFi-CAPsMAN-Fxxxxx2 enabled=yes interfaces=vlan10-lan package-path=\
    "" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment="2G AX" disabled=no \
    master-configuration=nn-guest name-format=%I-2G-AX \
    slave-name-format=%m%v supported-bands=2ghz-ax
add action=create-dynamic-enabled comment="2G N" disabled=yes \
    master-configuration=nn-guest name-format=%I-2G-N slave-name-format=%m%v \
    supported-bands=2ghz-n

Thanks

dikey422 · June 27, 2025, 11:28am

Good day! Were you able to solve the problem? There is a similar problem with a robot vacuum cleaner.

akakua · June 27, 2025, 1:16pm

Set management protection to disabled