Wireless FT not working/available on older Wifi?

bcramer · March 6, 2025, 7:00pm

I’m wondering if the newish FT is not available for older wifi connections? Simple answer is it could be yes, or maybe I’ve got something not set right.
Screenshot 2025-03-06 at 10.43.47 AM.png
On the authtype column I see only a handful marked as ft-wpa3-psk. So is the FT only available on AX supported devices/connections?

Devices all have been updated to the latest:
Screenshot 2025-03-06 at 10.40.41 AM.png
The MT-MH-CORE is my Capsman managing all the wifi devices. Export of wifi configuration:

[admin@MT-MH-CORE] > /interface/wifi export 
# 2025-03-06 10:53:41 by RouterOS 7.18.1
# software id = NU3E-E96P
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A2820A208D61
/interface wifi datapath
add bridge=bridge disabled=no name=LocalWifi

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name="Hill Top Forest SecConf"
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name="Hill Top View Sec Conf"

/interface wifi configuration
add channel.reselect-interval=1h country=Canada disabled=no mode=ap name="Hill Top Forest CapConf" security="Hill Top Forest SecConf" security.ft=yes .ft-over-ds=yes ssid=\
    "Hill Top Forest"
add channel.reselect-interval=1h disabled=no mode=ap name="Hill Top View Conf" security="Hill Top View Sec Conf" security.ft=yes .ft-over-ds=yes ssid="Hill Top View"
add channel.reselect-interval=1h .skip-dfs-channels=disabled country=Canada datapath=LocalWifi disabled=no mode=ap name="Hill Top Forest Basement CapConf" security=\
    "Hill Top Forest SecConf" security.ft=yes .ft-over-ds=yes ssid="Hill Top Forest"

/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled comment="Hill Top View Primary 2Ghz" disabled=no master-configuration="Hill Top View Conf" name-format=CAP-%I radio-mac=48:A9:8A:----- \
    slave-configurations="Hill Top Forest CapConf" slave-name-format=CAP-%I
add action=create-dynamic-enabled comment="Hill Top View Primary 5Ghz" disabled=no master-configuration="Hill Top View Conf" name-format=CAP-%I radio-mac=48:A9:8A:----- \
    slave-configurations="Hill Top Forest CapConf" slave-name-format=CAP-%I
add action=create-dynamic-enabled comment="Main House 5Ghz" disabled=no master-configuration="Hill Top Forest CapConf" name-format=CAP-%I radio-mac=48:A9:8A:-----
add action=create-dynamic-enabled comment="Main House 2Ghz" disabled=no master-configuration="Hill Top Forest CapConf" name-format=CAP-%I radio-mac=48:A9:8A:-----
add action=create-dynamic-enabled comment=Outdoors disabled=no master-configuration="Hill Top Forest CapConf" name-format=CAP-%I radio-mac=48:A9:8A:-----
add action=create-dynamic-enabled comment=Outdoors disabled=no master-configuration="Hill Top Forest CapConf" name-format=CAP-%I radio-mac=48:A9:8A:-----
add action=create-dynamic-enabled comment=Basement disabled=no master-configuration="Hill Top Forest Basement CapConf" name-format=CAP-%I radio-mac=74:4D:28:-----

itimo01 · March 6, 2025, 7:16pm

Client support for FT is very “annoying” sometimes.

For example:

Windows doesnt support it on psk only eap (aka radius aka enterprise)
MacOS Only supports it on Apple CPUs (M1/M2/M3)
Android depends on the manufacturer and Version
Linux has full support as long as the Kernel is up to date. And i think it also depends on driver support.
iPhones, I think it was iPhone 6 and higher to support FT (so basically all of them)

But maybe worth a shot googling before taking my answer as the full on truth

mkx · March 6, 2025, 9:07pm

My experience is that some clients do properly roam (verified by checking logs on capsman), but auth type doesn’t have ft- prefix after roaming is complete (and no, client doesn’t disconnect/reconnect, it just roams). OTOH I see both ft-wpa2-psk and ft-wpa3-psk. Which all might indicate, that ft- part of authentication type is only one (optional?) part of roaming procedure and some clients do it while others don’t. And that FT can be done when using both wpa2 and wpa3.
I have ax (wAP ax) and ac (audience) in the mix, all devices (capsman and caps) are currently running 7.18.1.

whatever · March 7, 2025, 9:47am

Yes, FT is not necessary for roaming, but it accelerates authentication to the new AP when roaming. This is especially noticable with EAP authentication, because it saves several roundtrips. With PSK, FT will save a few ms, but you will probably not notice any difference.

By the way: I only enable FT (over the air) and keep FT-over-DS disabled everywhere. Depending on the connection quality to the previous AP, FT-over-DS with PSK can be slower than no FT at all!

Edit: YouTube video recommendation: https://www.youtube.com/watch?v=4Ua2lI6HBhE