WIFI Wave2 WPA2/WPA3

blingblouw · April 14, 2022, 8:39am

Not sure if anyone else has this issue.

Running wpa2-psk/wpa3-psk on a SSID causes constant disconnects ± 10 - 15 minutes. (tested ROS7.3)

Tested clients are iphone13, iphone13 pro and two macbooks (everything on latest software updates), unfortunately no other devices to test with

config is very simple

/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country="South Africa" .mode=ap \
    .ssid="i dont know" disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.country="South Africa" .mode=ap \
    .ssid="i dont know" disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk

Ovic · April 16, 2022, 10:04am

I have an Samsung Galaxy A52s 5G who doesn’t connect at all when using WPA2/WPA3-PSK with wifiwave2. Also pretty simple config.

vkp · May 20, 2022, 11:10am

I also have a Samsung Galaxy A52s 5G which can only connect with wifiwave2 when only WPA2 is enabled. With WPA2/WPA3 or WPA3 only it will result in “Incorrect password”.
All other WPA2 clients are able to connect (older iphone, Windows, Linux laptops) and a single Windows WPA3 compliant laptop can connect without problems.
Older 2.4GHz only devices connect fine with WPA2 even when WPA2/WPA3 is enabled.

I don’t have any other devices nor access points to test whether its a problem with the phone’s drivers or Mikrotik, but for now I’m forced to turn WPA3 off.
If anyone has wifiwave2-capable mikrotik (or other vendor) equipment and Samsung (or other) phones with Android 12, they could test to see whether the issue is with Samsung, Android, Mikrotik or some kind of combination between them.

My equipment: hap ac3 with RouterOS 7.2.3 and wifiwave2 package - working as an access point and a bridge (no routing)
Phone: Samsung A52s 5G Android 12 (May 2022 security update)

Ovic · May 20, 2022, 1:00pm

My phone runs fine with WPA3 enabled on other AP i have from Unifi. So must be something with the drivers from Mikrotik and Samsung. Incorrect password is what I also get on HAP AC3. Other devices I have, such as an OPPO Reno 5 5G phone with Android 12 and some HP & Lenovo laptops work fine with Mikrotik’s wifiwave2 and WPA3. So for the moment there is nothing we can do, but just to wait for an updated version from Mikrotik and/or Samsung.

vkp · June 10, 2022, 8:50am

I reported the bug to Mikrotik Support with various logs and it seems they have posted some kind of fix for it in 7.3.1.
I won’t have time to check it out today, just letting you know.

Ovic · June 10, 2022, 3:49pm

Hi. I’ve just installed it on the router and everything works as expected. Kudos to Mikrotik for the fix-up.

twinsen · September 8, 2023, 4:12pm

I have two devices: Samsung Galaxy S20+ and S23 Ultra. WiFi has WPA2/WPA3 enabled only, and it’s dual-band setup (same SSID). Works like a charm, but sometimes when I enter home I see no WiFi on the phones, after checking it shows ‘incorrect password’. But if I tap on the network, it immediately connects, proving that password in fact is OK.
This behaviour is on wifiwave2, cAP ax is the AP and RB5009UPr+S+ is the main unit ruling AP via CAPsMAN. RoS is 7.11.2, and all packages as well.
Does anyone has the same issue?

EDIT: I turned off WPA3, issue vanished.

Stibila · April 9, 2024, 1:08pm

I have similar problems with WPA3 on new cAP AX with the latest ROS 7.14.2 usinf Wifi menu (wifi-qcom package on AP). I have CRS112-8P-4S as CAPsMAN.

When WPA3 is enabled I am unable to connect from Android device, Apple devices have also problems and Linux was mostly unable to connect, but sometimes it connected. It felt random with maybe 20% probability of connecting. Windows did not have any problems.

After some troubleshooting I was able to determine that problem is not WPA3-PSK per se, but it is somehow connected to SAE Anti Clogging Threshold.
If I disable this option, I am able to connect without problems even with WPA3-PSK enabled:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
ft-preserve-vlanid=yes group-key-update=5m name=t_Test-psk
sae-anti-clogging-threshold=disabled

Also if I keep this enabled, but increase sae-max-failure-rate to something like 300, it works:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
ft-preserve-vlanid=yes group-key-update=5m name=t_Test-psk
sae-max-failure-rate=300

I do not understand WPA3 or SAE very well and documentation is not detailed on those two parameters. It would be great if someone from Mikrotik could look at this. Also for those who have similar problems please provide ROS version. And those, who have WPA3 working correctly, also provide ROS version and configuration, so we can pinpoint root cause of this problem.

Changelog for 7.8 states:

*) wifiwave2 - fixed SAE authentication for interfaces in station mode when trying to connect to APs which require an anti-clogging token (introduced in RouterOS 7.4);

That would indicate, that problematic functionality was introduced in 7.4, but changelog for 7.4 does not include any mention of anything like anti-clogging, SAE or anything similar.

Also on one network I use WPA2-EAP and WPA3-EAP with Radius server does work correctly so far (on Linux, other devices will be tested in near future). So far it seems to be limited to WPA3-PSK only.

robmaltsystems · April 9, 2024, 11:28pm

Just a “me too” having problems with disconnects on hAP ax2. Just my home network with the usual stuff. Laptop struggles to maintain a connection and my mobile often can’t see the 5GHz network at all. There are several topics on the same/similar subject.

kryztoval · June 10, 2024, 10:30am

Me too.

I also have a lot of issues connecting to AX wifi networks. I have a couple AX2 and a hAP AX and they can connect between each other with no issues, but any other brand or device will not connect to them at all. I do not know if it is a misconfiguration or something else.

A little bit of clarification. I can’t connect using devices that connect to the 5GHz wifi. Whether or not they use AX, whether or not AX is enabled in the mikrotik router. If AX is disabled most devices will disconnect and not connect again.

However Mikrotik AX devices will connect to other Mikrotik AX devices with no problems.

Even connecting a Mikrotik AX to the existing network as client and then changing the setting to AP will not let devices connect.

ips · June 18, 2024, 12:48pm

Manually set the frequency of the 5GHz interface to something like 5200 will likely solve your problem.

erlinden · June 18, 2024, 1:47pm

Turn on wireless debug logging, perhaps that will give you some insights.