Windows 11 "Unable to connect to this network"

I’m a MikroTik beginner. I’ve recently bought two hAP ax S. Below you’ll find both export scripts. One of them - which I’ll call the “main“ AP - is connected to everything in my household, and that includes the second one, which I’ll refer to as the “office“ AP. That way I can relay everything to my home server, where I manage the entire home network with OpnSense (I won’t be using the APs/RouterOS with their firewalls). I’ve set up the “main“ AP as CAPsMAN and the “office“ AP as a CAP. Every device in my home network works flawlessly with the two WiFi bands (2 and 5 GHz) I’ve set up… except the Windows 11 laptop:

When I want to connect to either the 2 GHz or the 5 GHz SSID it tells me "Unable to connect to this network". The password is correct. The network chip of that laptop is a “MediaTek Wi-Fi 6 MT7921“, which is on the latest driver version and should support WPA2-PSK / WPA3-PSK with CCMP. Both my RouterOS devices are on 7.22.1. I’d like to upgrade, but currently it won’t; it just tells me “finding out latest version“. Aside from that, I doubt that the update would fix the issue, as the changelogs do not mention such a Windows issue.

Something odd: when the laptop tries to connect through the CAP (“office“ AP) I see in the logs:

F4:4E:B4:21:D4:11@cap-wifi1(home.34_2) connected, signal strength -73

and after about exactly 5 minutes I get in the logs:

F4:4E:B4:21:D4:11@cap-wifi1(home.34_2) disconnected, connection lost, signal strength -70

When I try to connect through the CAPsMAN (“main“ AP) I instead get the “disconnected“ log line right away. I don’t know what to make of it; maybe you can hint at something with that info.

Currently, I do not see the issue originating from Windows 11, since other WiFis / Ethernet connections work perfectly out of the box, e.g. the TP-Link APs I had before or any device offering a hotspot. Neither do I see my OpnSense as the root cause, since I didn’t mess with the firewall config.

What do you propose? Please help.

export script of “main“ AP:

/interface bridge
add admin-mac=D0:EA:11:3D:E0:96 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5150-5250,5250-5350,5470-5725 name=\
    channel_5ghz skip-dfs-channels=10min-cac width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name=channel_2ghz width=\
    20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes ft-preserve-vlanid=yes name=\
    sec1 wps=push-button
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-home.34_5-7e02348a rrm=yes \
    wnm=yes
/interface wifi configuration
add channel=channel_5ghz country=Germany disabled=no mode=ap name=cfg_5ghz \
    security=sec1 security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ssid=home.34_5 steering=steering1
add channel=channel_2ghz country=Germany disabled=no mode=ap name=cfg_2ghz \
    security=sec1 security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ssid=home.34_2 steering=steering1
/interface wifi
set [ find default-name=wifi1 ] channel=channel_2ghz configuration=cfg_2ghz \
    configuration.mode=ap disabled=no name="2ghz (wifi2)" security=sec1 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 steering=steering1
set [ find default-name=wifi2 ] channel=channel_5ghz configuration=cfg_5ghz \
    configuration.mode=ap disabled=no name="5ghz (wifi1)" security=sec1 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 steering=steering1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface="2ghz (wifi2)"
add bridge=bridge comment=defconf interface="5ghz (wifi1)"
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_2ghz \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg_5ghz \
    supported-bands=5ghz-ax
/ip address
add address=10.0.0.10/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add disabled=yes interface=ether2 name=client1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.10 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN

export script of “office“ AP:

/interface bridge
add admin-mac=D0:EA:11:3D:DC:1A auto-mac=no comment=defconf name=bridge
/interface wifi
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_2, channel: 2412/ax
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.manager=capsman .mode=ap .ssid=MikroTik-2MSAQ \
    datapath.bridge=bridge disabled=no name=2ghz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_5, channel: 5700/ax/Ce/D
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.manager=capsman .mode=ap .ssid=MikroTik-3DDC1F \
    datapath.bridge=bridge disabled=no name=5ghz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=2ghz
add bridge=bridge comment=defconf interface=5ghz
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wifi cap
set caps-man-addresses=10.0.0.10 certificate=request discovery-interfaces=\
    bridge enabled=yes
/ip address
add address=10.0.0.20/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add disabled=yes interface=ether2 name=client1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.20 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
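
As an added example (not part of the original post or of RouterOS), here is a small Python parser for wifi log lines of the kind quoted above. It pairs each "connected" with the next "disconnected" for the same client and interface, and flags associations that end in "connection lost" within a few minutes, which is the pattern described for the laptop. The log is constructed: the MAC, interface and message text mirror the quoted lines, but the timestamp and `wifi,info` topic prefix are assumptions about how RouterOS prints entries, the third client is invented as a healthy baseline, and the 360-second threshold is an arbitrary choice.

```python
import re
from datetime import datetime

# Constructed sample log (not the poster's real log). The MAC, interface names and message
# text mirror the lines quoted in the thread; the timestamp and "wifi,info" prefix are
# assumptions about RouterOS log output, and AA:BB:CC:00:11:22 is an invented healthy client.
SAMPLE_LOG = """\
2024-05-01 17:00:00 wifi,info AA:BB:CC:00:11:22@wifi1(home.34_5) connected, signal strength -55
2024-05-01 18:00:12 wifi,info F4:4E:B4:21:D4:11@cap-wifi1(home.34_2) connected, signal strength -73
2024-05-01 18:05:13 wifi,info F4:4E:B4:21:D4:11@cap-wifi1(home.34_2) disconnected, connection lost, signal strength -70
2024-05-01 18:07:30 wifi,info F4:4E:B4:21:D4:11@wifi1(home.34_2) connected, signal strength -60
2024-05-01 18:07:31 wifi,info F4:4E:B4:21:D4:11@wifi1(home.34_2) disconnected, connection lost, signal strength -61
2024-05-01 19:45:00 wifi,info AA:BB:CC:00:11:22@wifi1(home.34_5) disconnected, connection lost, signal strength -58
"""

# One log line: timestamp, topics, MAC@interface(ssid), event, optional reason, RSSI.
# The interface group is greedy so names containing spaces or brackets still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>.+)\((?P<ssid>[^()]+)\) "
    r"(?P<event>connected|disconnected)(?:, (?P<reason>.+?))?, signal strength (?P<rssi>-?\d+)$"
)


def parse_sessions(log_text):
    """Pair each 'connected' with the next 'disconnected' for the same (MAC, interface).

    Returns one dict per completed association. A client still connected at the end of the
    log produces no entry, and a disconnect with no prior connect (rotated log) is skipped.
    """
    open_assoc = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["mac"].upper(), m["iface"])
        if m["event"] == "connected":
            open_assoc[key] = (ts, int(m["rssi"]))
            continue
        start = open_assoc.pop(key, None)
        if start is None:
            continue
        sessions.append({
            "mac": key[0], "iface": key[1], "ssid": m["ssid"],
            "start": start[0], "duration_s": int((ts - start[0]).total_seconds()),
            "reason": m["reason"], "rssi_start": start[1], "rssi_end": int(m["rssi"]),
        })
    return sessions


def flag_short_drops(sessions, max_seconds=360):
    """Associations that end in 'connection lost' within max_seconds of connecting."""
    return [s for s in sessions
            if s["reason"] == "connection lost" and s["duration_s"] <= max_seconds]


def drops_per_client(flagged):
    """Count flagged drops per MAC so a single misbehaving station stands out."""
    counts = {}
    for s in flagged:
        counts[s["mac"]] = counts.get(s["mac"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_short_drops(parse_sessions(SAMPLE_LOG))
    for s in flagged:
        print(f"{s['mac']} on {s['iface']} ({s['ssid']}): lost after {s['duration_s']}s, "
              f"RSSI {s['rssi_start']} -> {s['rssi_end']}")
    print(drops_per_client(flagged))
```

Sessions are keyed on (MAC, interface) rather than on MAC alone, because a client that roams from the CAP to the CAPsMAN AP starts a new association instead of continuing the old one; keeping the RSSI at both ends in the output lets you tell a signal-strength problem (RSSI collapsing before the drop) from a drop at steady signal, which is what the quoted -73/-70 pair looks like.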

At first sight I cannot see anything "wrong" in the wifi settings.
BUT you have a lot of "cruft" coming from the default configuration (that you are not using).

The moment you add all interfaces to the bridge, you have - for all practical effects - a switch and not (anymore) a router, so you can remove the firewall(s) and nat.
You can also remove the interface list part (in any case, since you have added ether1 to the bridge, it makes no sense to have it categorized as WAN).
The same goes for the DHCP settings: you surely have a DHCP server running on your "main" OpnSense device or router.

For the second AP (since you have CAPSMAN running on the first) it would make sense to reset to default configuration and then reset it again to CAPS mode.

But all the above should be unrelated to the Windows11 connection issues.

You can (should) update RouterOS to 7.22.2 (latest stable), which has some WiFi improvements
(general and specific to the MediaTek chips your hAP ax S has).
If for any reason the online update doesn't work, you can download the needed files and upload them manually to the hAP (you will need both the RouterOS package and the wifi-mediatek package):
https://download.mikrotik.com/routeros/7.22.2/routeros-7.22.2-arm.npk
https://download.mikrotik.com/routeros/7.22.2/wifi-mediatek-7.22.2-arm.npk

I would also disable Management Protection

It tells me that Management Protection is required for WPA2 and WPA3.

I’ve now also updated to 7.22.2 (I didn’t have my OpnSense as DNS Server configured).
Unfortunately, it didn’t fix the issue.

Hey, thanks for the quick reply.
I disabled the firewall and NAT defconf, as you’ve suggested (either way I wanted to implement FastTrack / FastPath, whatever… I still don’t get the difference). The DHCP server of my “main“ AP is listed as disabled (same goes for my “office“ AP); my OpnSense takes care of DHCP.

Coming to my second AP: I manually configured it since I remember having issues with the CAPS mode. Is there a specific reason to reset to CAPS mode?

Only required for WPA3. If you try to disable it, remove the WiFi profile on the Windows laptop and reconnect again.

Yes, as a test, trying with WPA2 only may (or may not) show if the issue is about authentication [1].

About CAPS mode, it is - as always - debatable. The "theory of operation" is that, once a CAPsMAN is running, CAPs should be configured by it (only). But of course it is not that straightforward in practice, as a number of settings (VLANs, as an example) need to be configured manually on the CAP anyway. Since you have no particularly complex or advanced settings, CAPS mode should be enough, and this would exclude possible conflicts between the "local" and the CAPsMAN configurations.

[1] This is something that personally I don't (and probably won't ever :woozy_face:) understand. I understand WPA3 only and WPA2 only, but having both seems to me a lot like closing your front door with three latches and leaving the back door unlocked.
Possibly the "right" way is having separate WPA2 and WPA3 SSIDs, but (again personally and IMHO) I fail to see the real-world advantage; all I know is that mixed mode WPA2/WPA3 is often the cause of connection issues.

When it comes to management protection: as already written, it's required for WPA3 and it is optional for WPA2 ... and many if not most stations don't support it in WPA2. So when setting up a mixed WPA2/WPA3 SSID, simply don't set that property at all. If it's not set, then the default is used ... and the default is very sensible: use it for WPA3 and "allow" it for WPA2.

As to why to use mixed WPA2/WPA3 ... why not? It makes some stations happier (because they prefer WPA3 just because) and allows older stations to work ... all of that without using an excessive number of SSIDs. It was the same when running WEP/WPA/WPA2 a while ago ... most APs did it.


But it doesn't seem set in the posted configurations ... :astonished_face:

I was replying to concerns about management protection. Default setting is to leave it unset, but some admins overthink this option.

There's another setting, shown in the configuration, that can make stations unhappy: the selection of encryption algorithms. My experience is that only a few stations support ccmp-256 or gcmp-256 (or even gcmp), but there are many which barf even on seeing those in the list of supported ciphers sent out by the AP. The solution is to set only encryption=ccmp (and possibly add the others while verifying that stations can still connect). BTW, ccmp is the WPA3 name for "AES with CCMP" in WPA2 parlance, so pretty much standard.


Yep, but it makes little sense to suggest to someone not to set something that he didn't actually set, and then to argue why it should not have been set (as it has not been set) :woozy_face:.

But the point about encryption algorithms is a good one :slightly_smiling_face:, and testing starting with ccmp only and then adding the others one by one is simple enough as a troubleshooting approach.

For WPA3 Transition mode maybe give this a try.

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=no management-protection=allowed name=sec1 passphrase=secret wps=disable
/interface wifi steering
add disabled=no name=steering1 rrm=yes wnm=yes

IMHO I don’t recommend setting the encryption anymore, because it might cause a cipher mismatch. :see_no_evil_monkey:

Now that I’m thinking about it more thoroughly, I think the fix might’ve happened because I unintentionally cleaned up my configs. What annoys me is that there is a bug (in Winbox) which doesn’t save options residing in drop-downs (e.g. “Encryption” and “Authentication”). When you select some options in a drop-down (e.g. in security) and want to apply that security profile on a cfg profile, it will apply everything but the selected options in drop-downs. I guess this caused some inconsistency, because the drop-down choices in my security and cfg profiles didn’t match, since I had to manually select those options in cfg.

Thanks for all your replies, the issue resolved itself out of thin air (I’m not joking).

I’ve followed your recommendations and nothing helped. Here is what I did and my observation:

In CMD, netsh wlan show drivers tells me that the MediaTek chip in fact only supports CCMP. It also supports WPA2-PSK and WPA3-PSK, so I’m assuming that offering both on an SSID shouldn’t be the issue. To be sure I tried with only WPA2-PSK and CCMP and it still didn’t work; however, even after rebooting, my phone told me that its connection relied on WPA3-PSK?? Anyways…

Having Management Protection on allowed or even disabled also doesn’t fix the issue.

Since WPA3 requires Management Protection, I went ahead and tried giving my Windows laptop a hotspot from my phone with only WPA3. It worked flawlessly. Now this TOLD ME that the issue must reside deeper within MikroTik (config?). Why "told me", you ask?

Well… as it turns out after WPA3 Hotspot from my phone worked out, I wanted to scan the traffic with WireShark on Windows… So I tried again connecting to my home WiFi and suddenly… IT WORKED!

Seriously guys, I have no idea why it’s suddenly working… The Windows image must’ve really sh*t its pants when it realized I was going to go deeper with Wireshark :distorted_face: (Windows tells me it’s using WPA3 on my home network).

This situation I’m left with seems rather awkward, so I guess… thanks for your recommendations, and of course Wireshark for fixing Windows? :sweat_smile: :joy:
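As an added example (not the poster's code and not a MikroTik tool), the compatibility check that the last few posts perform by hand: it parses the capability table from a `netsh wlan show drivers` dump and one RouterOS `/interface wifi security` line, computes which (authentication, cipher) pairs both sides share, and reports the two mismatches discussed here: ciphers advertised by the AP that the station does not support, and a management-protection value incompatible with the offered authentication types. The netsh dump is constructed to mirror the CCMP-only MT7921 described above; the Windows-to-RouterOS name mapping, the assumed RouterOS encryption default of ccmp, and the helper names (`check_profile_against_station` and friends) are this example's own assumptions.

```python
import re

# Constructed sample in the shape of `netsh wlan show drivers` output (not the poster's real
# dump): the adapter line mirrors the MT7921 in the thread, and only the infrastructure-mode
# capability table matters for the check below.
NETSH_SAMPLE = """\
Interface name: Wi-Fi

    Driver                    : MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
    Type                      : Native Wi-Fi Driver
    Authentication and cipher supported in infrastructure mode:
                                Open             None
                                Open             WEP-40bit
                                WPA2-Personal    CCMP
                                WPA3-Personal    CCMP
                                WPA2-Enterprise  CCMP
    IHV service present       : Yes
"""

# Assumed mapping from the names Windows prints to RouterOS wifi security vocabulary.
WIN_AUTH = {"WPA2-Personal": "wpa2-psk", "WPA3-Personal": "wpa3-psk",
            "WPA2-Enterprise": "wpa2-eap", "WPA3-Enterprise": "wpa3-eap"}
WIN_CIPHER = {"CCMP": "ccmp", "GCMP": "gcmp", "CCMP-256": "ccmp-256",
              "GCMP-256": "gcmp-256", "TKIP": "tkip"}

# The security profile from the "main" AP export, and a trimmed variant in the spirit of
# the "ccmp only, management-protection allowed" advice given in the thread.
ORIGINAL_PROFILE = ("add authentication-types=wpa2-psk,wpa3-psk disabled=no "
                    "encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes "
                    "ft-preserve-vlanid=yes name=sec1 wps=push-button")
HARDENED_PROFILE = ("add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp "
                    "ft=yes management-protection=allowed name=sec1 wps=disable")


def parse_netsh_capabilities(text):
    """Return the set of (auth, cipher) pairs the station supports, in RouterOS naming.

    Open/WEP rows are ignored; the table ends at the first line that is not two columns."""
    pairs = set()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authentication and cipher supported in infrastructure mode"):
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) != 2 or ":" in line:
            break
        auth, cipher = parts
        if auth in WIN_AUTH and cipher in WIN_CIPHER:
            pairs.add((WIN_AUTH[auth], WIN_CIPHER[cipher]))
    return pairs


def parse_routeros_security(line):
    """Turn one `/interface wifi security add ...` line into a dict of property -> value."""
    attrs = {}
    for m in re.finditer(r'([\w.-]+)=("[^"]*"|\S+)', line):
        attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def check_profile_against_station(profile, station_pairs):
    """Report usable (auth, cipher) pairs plus the mismatches discussed in the thread."""
    auth = set(profile.get("authentication-types", "").split(",")) - {""}
    ciphers = set(profile.get("encryption", "ccmp").split(",")) - {""}   # default: assumption
    pmf = profile.get("management-protection")   # None means the property was left unset
    offered = {(a, c) for a in auth for c in ciphers}
    usable = sorted(offered & station_pairs)
    unsupported = sorted(ciphers - {c for _, c in station_pairs})
    errors, warnings = [], []
    if not usable:
        errors.append("no (authentication, cipher) pair is both offered by the AP "
                      "and supported by the station")
    if unsupported:
        warnings.append("AP advertises ciphers the station lacks: " + ",".join(unsupported)
                        + " (the thread reports stations that refuse to associate on seeing these)")
    if "wpa3-psk" in auth and pmf == "disabled":
        errors.append("WPA3-PSK requires management protection; "
                      "management-protection=disabled breaks it")
    if pmf == "required" and any(a == "wpa2-psk" for a, _ in usable):
        warnings.append("management-protection=required may reject WPA2 stations "
                        "that lack PMF support")
    return {"usable": usable, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    station = parse_netsh_capabilities(NETSH_SAMPLE)
    for label, line in (("original", ORIGINAL_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_profile_against_station(parse_routeros_security(line), station))
```

Run against the original profile, the check finds that both sides can agree on wpa2-psk/ccmp and wpa3-psk/ccmp, so a "no common pair" failure is ruled out, and it leaves only the warning about gcmp, ccmp-256 and gcmp-256 being advertised to a CCMP-only adapter. That is exactly the ordering the thread settles on: trim the cipher list first, then worry about management protection.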

It’s not visible in the export for some reason, but if WPA3 is enabled and requires management protection, then it must be allowed by default.

I pitched that idea because it seemed to resolve similar connectivity issues for me with one Windows laptop and an imaging scanner a few weeks ago. Maybe it wasn’t that, and it simply resolved itself.

Possible settings should be "allowed" (that should be good for WPA2/WPA3); for WPA3 only it could be set to "required", or it can be "disabled".
The default value (not seen in export) has probably been changed from "disabled" to "allowed"?

The default is not configured at all and that translates to two behaviours as explained in WiFi manual:

Since these are not compatible and there's only one setting for all encryption profiles (WPA2 and WPA3 are only 2 of many), it's somewhat to be expected to see such a "confused" default "non-setting".

If one sets this property to required, then many WPA2 stations won't be able to connect. If one sets this property to allowed, then some (if not all) WPA3 stations will reject connection.

And this interpretation of default "non-setting" is the same ever since wifiwave2 package introduced support for WPA3.

Nope. :see_no_evil_monkey: WPA3 stations will connect.

https://mrncciew.com/2019/11/29/wpa3-sae-transition-mode/

So it is a "floating-default" :astonished_face:.

  1. If NO WiFi is configured, the default is "disabled".

  2. If WiFi is set to WPA2 (only), the default may become "allowed".

  3. If WiFi is set to WPA3 (only), the default should become "required".

  4. If WiFi is set to WPA2/WPA3, the default should become "allowed".

But if it is not seen in a plain export, it should mean that it is "default" and appropriate to the chosen authentication method.