Page 1 of 1

Apple can't see wlan

Posted: Wed Jan 30, 2019 12:38 am
by omberli
Have a customer who has been running a Mac - connected to wifi on a RB951. Has worked well for a long time.
When trying to connect to his wlan recently he couldn't see his wlan, but detected a couple of near-by networks. I did a lot of checking and found that I could log on from my windows PC, from my Samsung phone. He could also see the network on his Apple phone.
Tried to define a new network on the Mac by entering the ssid and the password and got message "Network not found".
Also tried to turn off the WPA2 encryption, and then he could connect without any problem.

This problem seems to have shown up after upgrading to ROS 6.43.8.
Downgrading to previous version 6.42.6, but it didn't change anything.

Had a very similar problem with another customer also with a hap ac lite - after upgrading to 6.43.8 apple devices got connection problems. Replaced it wirh a unifi ap, and the apple devices started to connect properly again.

Any ideas what is going on?

-Olaf-

Re: Apple can't see wlan

Posted: Wed Jan 30, 2019 4:26 am
by R00tKit
Hi. Same problem here, but with wAP ac, as well as a RB435G with wifi cards on it (running CAPSMAN).

All configs are the same, haven't had the time to troubleshoot this properly. Only thing I noticed was that -in my case- switching to the 2.4 GHz connection, the iphone was working properly. On 5GHz after the upgrade I have had occasional connectivity issues. Not with all destinations though, mainly with Apple ones (app store for instance). It might have something with IPv6 being also configured on the devices. If I encounter this again, I will troubleshoot it further.

Re: Apple can't see wlan

Posted: Wed Feb 06, 2019 11:30 am
by omberli
After some more investigations, it seems like the encryption on the access point and on the Mac may be the problem.
What I found is:
1. The (rather old) Mac seems to have only WPA encryption.
2. If running the AP without any encryption, the Mac connects fine
3. If running the AP with just WPA encryption, the Mac connects fine
4. If running the AP with WPA/WPA2 encryption, the Mac can't see the AP and can't connect.

Not sure why the Mac don't see the AP when WPA/WPA2 is used. ... Maybe a Mac problem or maybe a Mikrotik issue???

-Olaf-

Re: Apple can't see wlan

Posted: Wed Feb 06, 2019 5:40 pm
by Reinis
On 5GHz after the upgrade, I have had occasional connectivity issues. Not with all destinations though, mainly with Apple ones (app store for instance). It might have something with IPv6 being also configured on the devices. If I encounter this again, I will troubleshoot it further.
If the Apple product you mention uses latest Intel network controller, (iPhone Xs, IPad etc. from 2018+) then the issue has been fixed and will be released in next RouterOS version.
You can find a whole thread where people were discussing the issues. viewtopic.php?f=7&t=139608

Referring to OP, please provide either more detailed information or if you think this is a bug and not misconfiguration, contact support@mikrotik.com
Make sure that the configuration you are trying to achieve is actually compatible with your device, like encryption, frequency and other settings which might be regulated by Apple, not be accepted.

Re: Apple can't see wlan

Posted: Wed Feb 06, 2019 6:44 pm
by zandhaas
Lately I had an issue with my iPhone 6.
I had changde to security profile and had checked both "WPA2-PSK" and "WPA2-EAS" authentication types.
After unchecking the "WPA2-EAS" and just leaving WPA2-PSK my phone was able to connect again.

Re: Apple can't see wlan

Posted: Tue Feb 12, 2019 12:52 pm
by omberli
After some more investigations, it seems like the encryption on the access point and on the Mac is the problem.

What I found is:
1. The (quite old) Mac seems to have only WPA encryption.
2. If running the AP without any encryption, the Mac connects fine
3. If running the AP with just WPA encryption, the Mac connects fine
4. If running the AP with WPA/WPA2 encryption, the Mac can't see the AP and can't connect.

Not sure why the Mac doesn't see the AP when WPA/WPA2 is used. ... Maybe a Mac problem or maybe a Mikrotik issue???
No connection problems when using a Ubiquiti Unifi access point. The encryption is set to WPA Personal on the Unifi unit.

When it comes to the RouterOS version mentioned in my initial post, I'm not able to verify this, but customer started complaining after I upgraded ROS to 6.43.8. Can't say for sure if everything worked well before, however - only the customer's saying...

Re: Apple can't see wlan

Posted: Tue Feb 12, 2019 4:14 pm
by normis
can you post the full config? there might be some other issue.

Re: Apple can't see wlan

Posted: Tue Feb 12, 2019 7:00 pm
by omberli
Have done an export of the configuration and replaced some characters in the WPA/WPA2 keys.
The AP is currently running with the normal wlan interface as well as a virtual ap. Normally the WPA/WPA2 key is applied to the main interface. When this is done, the Mac can't see the ssid. The Mac can see the virtual interface with the WPA encryption.

I notice in the export file that there are some entries from the interface list. I haven't used these in my config in Winbox.

Here is the export file:
# feb/12/2019 17:21:20 by RouterOS 6.42.6
# software id = R5WC-9DBR
#
# model = 951G-2HnD
# serial number = 4F43041E5438
/interface bridge
add admin-mac=4C:5E:0C:53:5D:BB auto-mac=no fast-forward=no mtu=1500 name=\
bridge-local protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=norway disabled=no distance=indoors frequency=2452 \
frequency-mode=regulatory-domain mode=ap-bridge radio-name=K92-nett ssid=\
K92 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-key-update=1h \
management-protection=allowed mode=dynamic-keys name=wpa-aes \
supplicant-identity="" wpa-pre-shared-key=Name-i-Address \
wpa2-pre-shared-key=Name-i-Address
add authentication-types=wpa-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=test supplicant-identity="" wpa-pre-shared-key=\
NameiAddress
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:53:5D:BF \
master-interface=wlan1 multicast-buffering=disabled name=k92test \
security-profile=test ssid=k92test wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.1.30-192.168.1.99
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge-local lease-time=1d name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=k92test
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=wlan1 list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=\
bridge-local network=192.168.1.0
add address=195.159.145.185/25 interface=ether1-gateway network=\
195.159.145.128
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.1.1,195.159.0.100,195.159.0.200 gateway=192.168.1.1 netmask=24
/ip dns
set servers=195.159.0.100
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established
add action=accept chain=input comment="default configuration" \
connection-state=related
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add action=accept chain=forward comment="default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat dst-port=10001 protocol=tcp to-addresses=\
192.168.1.2 to-ports=8291
add action=dst-nat chain=dstnat dst-port=10002 protocol=tcp to-addresses=\
192.168.1.42 to-ports=80
/ip route
add distance=1 gateway=195.159.145.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Oslo
/system identity
set name="Rune-\C5 router"
/system leds
set 0 interface=wlan1
/system logging
add action=disk disabled=yes topics=dhcp
/system ntp client
set enabled=yes primary-ntp=129.240.2.6
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Re: Apple can't see wlan

Posted: Tue Feb 12, 2019 8:41 pm
by neutronlaser
Try using 2412 frequency and see if that works.

Re: Apple can't see wlan

Posted: Sun Feb 24, 2019 4:08 pm
by omberli
Thanks for all the info and suggestions....

Some further results / observations:
- Changed wifi channel to 2412. Still same result: Virtual net with WPA shows up, and main net with WPA/WPA2 does not show up and can't be reached on the Mac
- Customer's Mac is a 10+ year old iMac (21.5")
- Running WPA on the main wifi interface seems to work well. The net shows up on the Mac, and customer is able to connect without problems.
- Also disabled WPS (since this was active on main wifi interface only. Not sure if this has any influence, however....

Re: Apple can't see wlan

Posted: Sun Feb 24, 2019 8:49 pm
by nichky
omberli, focus on wireless export, are you able to export like:

/interface wireless export verbose

Re: Apple can't see wlan

Posted: Sun Feb 24, 2019 11:54 pm
by omberli
nichky:
Here is the export. Have changed the keys and ssid in the export file.

# feb/24/2019 22:43:41 by RouterOS 6.42.6
# software id = R5WC-9DBR
#
# model = 951G-2HnD
# serial number = 4F43041E5438
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none \
mschapv2-password="" mschapv2-username="" name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
"" wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
aes-ccm group-key-update=1h interim-update=0s management-protection=\
allowed management-protection-key="" mode=dynamic-keys mschapv2-password=\
"" mschapv2-username="" name=wpa-aes radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
Xxxxx-aa-Yyyyyyy wpa2-pre-shared-key=Xxxxx-aa-Yyyyyyy
add authentication-types=wpa-psk eap-methods="" group-ciphers=aes-ccm \
group-key-update=5m interim-update=0s management-protection=allowed \
management-protection-key="" mode=dynamic-keys mschapv2-password="" \
mschapv2-username="" name=test radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
XxxxxaaYyyyyyy wpa2-pre-shared-key=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
0 area="" arp=enabled arp-timeout=auto band=2ghz-b/g/n basic-rates-a/g=\
6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20/40mhz-Ce \
compression=no country=norway default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes disable-running-check=no disabled=no disconnect-timeout=3s distance=\
indoors frame-lifetime=0 frequency=2412 frequency-mode=regulatory-domain \
frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
hw-protection-threshold=0 hw-retries=7 interworking-profile=disabled \
keepalive-frames=enabled l2mtu=1600 mac-address=4C:5E:0C:53:5D:BF \
max-station-count=2007 mode=ap-bridge mtu=1500 multicast-buffering=\
enabled multicast-helper=default name=wlan1 noise-floor-threshold=default \
nv2-cell-radius=30 nv2-downlink-ratio=50 nv2-mode=dynamic-downlink \
nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default \
nv2-queue-count=2 nv2-security=disabled nv2-sync-secret="" \
on-fail-retry-time=100ms preamble-mode=both radio-name=AAA-nett \
rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
secondary-channel="" security-profile=test ssid=A33 \
station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=enabled \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 \
tx-chains=0,1 tx-power-mode=default update-stats-interval=disabled \
vlan-id=1 vlan-mode=no-tag wds-cost-range=50-150 wds-default-bridge=none \
wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wireless-protocol=802.11 wmm-support=disabled wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
3200 framer-policy=none
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no