hAP ax2 station mode

Fructose3075 · Wed Mar 20, 2024 12:16 pm

Hi

I'm trying to setup a new hAP ax2 running 7.14.1 in a 'station' mode in the office where wifi is the default connection method.
I've completely deleted the configuration on the device and configured a bare minimum for the connection to be established, but the router keeps jumping between 'Scanning' and 'Connecting' modes and not establishing a connection.
Here is the config:

# software id = DSQQ-JU0R
#
# model = C52iG-5HaxD2HaxD
/interface wifi
set [ find default-name=wifi1 ] configuration.country=\
    Netherlands .mode=station .ssid=WIFI-PUB security.authentication-types=\
    wpa2-psk
/system logging
add topics=wireless,debug
/system note
set show-at-login=no

There is also a passphrase configured as well, but it is not reflected in the export.

So far I've tried to connect to a couple of other wireless networks/SSIDs and it worked just fine - one was my phone acting as a modem, the other was my personal hotspot. I've connected a cheap Keenetic device in Wireless ISP mode to this particular SSID to make sure there are no restrictions for wireless routers as stations and it worked fine. I've mimicked the SSID and passphrase on the phone to make sure there are no 'special characters' issues or something. I've even changed the MAC on the ax2 wireless interface to my iPhone's MAC address just in case. Changed it back once it did not help.
Wireless debug logging does not catch the connection attempts ax2 is making, no information at all. I'm stuck for a full day now experimenting and looking for root cause with no luck.
I've tried the other 2.4GHz interface with no luck too.

I have no idea where to look anymore. What can be the root cause?

erlinden · Wed Mar 20, 2024 12:31 pm

Do you have a passphrase configured?
Is this the complete config?

Fructose3075 · Wed Mar 20, 2024 12:37 pm

Do you have a passphrase configured?
Is this the complete config?

Yes. Ive double-checked it.

erlinden · Wed Mar 20, 2024 12:42 pm

I ran into such a situation once when the radio I tried to connect to was running with 40MHz bandwidth (2.4GHz).
Can you supply all information about the radio you want to connect to?

Fructose3075 · Wed Mar 20, 2024 1:12 pm

It is out of my control. All I know is that it is a Cisco AP. Here is the scan result

Wireless Scan Results

Device identity: MikroTik
Interface: wifi1
Frequencies: 5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560,5580,5600,5620,5640,5660,5680,5700,5720,5745,5765,5785,5805,5825,5845,5865,
Time: 2024-03-20 12:06:44

ADDRESS,SSID,CHANNEL,SECURITY,SIGNAL,NOISE-FLOOR,LAST-SEEN-[s],
F0:1D:2D:xx:xx:xx,WIFI-PUB,5660/ax/Ce,WPA2-PSK,-73,0,2.90,
F0:1D:2D:xx:xx:xx,WIFI-PUB,5180/ax/Ce,WPA2-PSK,-61,0,8.10,
F0:1D:2D:xx:xx:xx,WIFI-PUB,5280/ax/eC,WPA2-PSK,-53,0,6.31,
F0:1D:2D:xx:xx:xx,WIFI-PUB,5320/ax/eC,WPA2-PSK,-74,0,5.73,
F0:1D:2D:xx:xx:xx,WIFI-PUB,5220/ax/Ce,WPA2-PSK,-83,0,21.47,

erlinden · Wed Mar 20, 2024 1:27 pm

Can you give it a try with fixed channel and bandwidth?

Fructose3075 · Wed Mar 20, 2024 1:36 pm

Can you give it a try with fixed channel and bandwidth?

Same behaviour.
If I /interfaces/wifi/monitor wifi1, I get this and it keeps attempting, but falls back to scanning

# 2024-03-20 12:30:25 by RouterOS 7.14.1
# software id = DSQQ-JU0R
#
               state: scanning
  available-channels: 5200/ax/eC,5240/ax/eC,5280/ax/eC,5320/ax/eC,5520/ax/eC,
                      5560/ax/eC,5600/ax/eC,5640/ax/eC,5680/ax/eC,5720/ax/eC,
                      5765/ax/eC,5805/ax/eC,5845/ax/eC
# 2024-03-20 14:30:33 by RouterOS 7.14.1
# software id = DSQQ-JU0R
#
               state: connecting
          ap-address: F0:1D:2D:xx:xx:xx
  available-channels: 5200/ax/eC,5240/ax/eC,5280/ax/eC,5320/ax/eC,5520/ax/eC,
                      5560/ax/eC,5600/ax/eC,5640/ax/eC,5680/ax/eC,5720/ax/eC,
                      5765/ax/eC,5805/ax/eC,5845/ax/eC

Current config is

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40mhz-eC \
    configuration.country=Netherlands .mode=station .ssid=WIFI-PUB disabled=\
    no security.authentication-types=wpa2-psk
/system logging
add topics=wireless,debug
/system note
set show-at-login=no

Fructose3075 · Wed Mar 20, 2024 1:41 pm

There are no errors in the logs or anywhere even if I purposefully enter a wrong passphrase. I guess things don't hook up wvwn before the passphrase is to be checked.
I don't know it this can be helpful in any way, I don't have any other bright ideas to troubleshoot this. First time ever I must say that there is lack of logs in a Mikrotik router

mkx · Wed Mar 20, 2024 9:27 pm

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .width=20/40mhz-eC \
configuration.country=Netherlands .mode=station .ssid=WIFI-PUB disabled=\
no security.authentication-types=wpa2-psk

Just throwing in some random idea: can you unset channel.band and channel.width? I guess that without setting these two, device would act in a more flexible way and would thus have better chances to successfully connect to AP.

gotsprings · Thu Mar 21, 2024 1:09 am

I used to be able to get hAP AC2s to join the network of just about anything back in 6.x.

But I couldn't run it as straight "bridge". I always ended up having to make the WLAN a WAN feed and make a LAN subnet.

Fructose3075 · Thu Mar 21, 2024 7:57 am

Just throwing in some random idea: can you unset channel.band and channel.width? I guess that without setting these two, device would act in a more flexible way and would thus have better chances to successfully connect to AP.

That's the config I've started with up in this thread - as flexible as possible, nothing set besides auth method, ssid and passkey. Setting channel parameters was the most recent experiment we've tried with @erlinden.

Fructose3075 · Thu Mar 21, 2024 8:08 am

I used to be able to get hAP AC2s to join the network of just about anything back in 6.x.

But I couldn't run it as straight "bridge". I always ended up having to make the WLAN a WAN feed and make a LAN subnet.

Technically 802.11 was not designed for bridges. It is all about access points, thus a single client is expected at the far end, not a whole network. You have to make the network look like a client, so you make your router a client and hide a LAN subnet behind it.
This is partly the reason why there are so many 'implementations' of this wireless 'bridging'.

All that said, it has nothing to do with my Mikrotik not communicating with this Cisco AP..

Fructose3075 · Thu Mar 21, 2024 8:09 am

Can you give it a try with fixed channel and bandwidth?

Thanks for investing your time in trying to help me! I appreciate it. I guess you are out of ideas as I am?

erlinden · Thu Mar 21, 2024 10:50 am

Thanks for investing your time in trying to help me! I appreciate it. I guess you are out of ideas as I am?

Last thing I can think of is setting frequency as well as bandwidth. And then I'm out of ideas.

gotsprings · Thu Mar 21, 2024 12:20 pm

I used to be able to get hAP AC2s to join the network of just about anything back in 6.x.

But I couldn't run it as straight "bridge". I always ended up having to make the WLAN a WAN feed and make a LAN subnet.
Technically 802.11 was not designed for bridges. It is all about access points, thus a single client is expected at the far end, not a whole network. You have to make the network look like a client, so you make your router a client and hide a LAN subnet behind it.
This is partly the reason why there are so many 'implementations' of this wireless 'bridging'.

All that said, it has nothing to do with my Mikrotik not communicating with this Cisco AP..

I think I was supposed to use WDS or something if I needed a straight up bridge.

But found the Ubnt AirOS stuff to be easier to deal with. So there are a lot of ancient Picos out there working as a "wifi to Ethernet adapter".

But then again... Directed DHCP. That caused me to just connect as a single client and route my LAN.

But back to where I was going with that...

A lot of features went away with the WAVE2 driver initially.

Could this be one of the "quirks"?

robertkjonesjr · Thu Mar 21, 2024 12:23 pm

Packet capture could help. Can you get a monitor mode capture on that channel which is failing? Might indicate where the fault lies.

No idea in this particular case, but certain settings can trigger this type of behavior - for example, if AP indicates to use PMF, or if multiple types of authentication are supported, etc., it can cause clients to not even try and authenticate.

Fructose3075 · Thu Mar 21, 2024 1:21 pm

A lot of features went away with the WAVE2 driver initially.

Could this be one of the "quirks"?

I don't think so as ax^2 works fine and does what I want it to do with other wireless networks. It's connecting to my iPhone sharing data over wifi just fine. I took it to another WISP network and it did just fine there too. It's only this one that causes me trouble. On the other hand, a cheapo Keenetic hooked up to this network in a blink of an eye. I can't pinpoint the requirement that is not met in this combination.

I'll try the packet inspection route.

Fructose3075 · Thu Mar 21, 2024 1:34 pm

Packet capture could help. Can you get a monitor mode capture on that channel which is failing? Might indicate where the fault lies.

No idea in this particular case, but certain settings can trigger this type of behavior - for example, if AP indicates to use PMF, or if multiple types of authentication are supported, etc., it can cause clients to not even try and authenticate.

I could not find a way to set up packet capture on this level. I honestly never dealt with a Layer 1-2 issue ever before. May I ask for your help setting up this capture you are referring to? Just being a little more specific would help a ton. I will dig into details then

robertkjonesjr · Thu Mar 21, 2024 2:08 pm

If you have never done monitor mode capture before, it may be a steep learning curve. Here are Wireshark's instructions: https://wiki.wireshark.org/CaptureSetup/WLAN. Do you have a Macbook? That is likely the fastest way to get there for an external capture system.

Mikrotik devices can do some capture as well, but I always recommend to not analyze with the system that is failing, so you would want a different device to capture while the primary system is failing. A v7.7 HAPac device has 'Wireless Sniffer' button in the Wireless Tables section of Winbox but with the change in wireless drivers, there could be some impact to this capability which is why I listed the HW and SW version as capabilities can and do change.

Someone created instructions: https://networktik.com/mikrotik-wireless-sniffer-tool/ on how to do this if you are interested.

Fructose3075 · Thu Mar 21, 2024 3:11 pm

Do you have a Macbook? That is likely the fastest way to get there for an external capture system.

I don't have a macbook with me today, but I've given it a shot and tried to sniff with ax2 itself. I definitely don't know what I'm looking for, but I thought I'd ask. Would a broadcast packet from AP be sufficient to understand what AP is expecting of a client trying to connect to it? I will probably be able to record the whole communication tomorrow or early next week, but in the meantime, I've attached the broadcast pcap file with that single broadcast packet that seems to be repeated a lot. In case it really does mean something for an expert.

The reason I'm asking is that I see some capabilities encoded in there.

wireshark.png

robertkjonesjr · Thu Mar 21, 2024 6:57 pm

What is more insightful is to see the packet flow when the client is trying to connect, but obviously fails. There is a sequence and reviewing what is expected vs what actually happens might indicate the problem. The beacon is good place to see what the AP is advertising, but my experience with this HAP ax2 in station mode (used all last summer through Europe) was fine - it always worked.

I did have a look at the security-relevant config of the AP as that can trip up clients but note that is pretty vanilla - nothing weird.

Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 20
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
    RSN Capabilities: 0x0028

The supported rates are set for a high density deployment - I have seen that cause client issues, too, but without testing this particular client, I don't know the impact.

Tag: Supported Rates 24(B), 36, 48, 54, [Mbit/sec]

Fructose3075 · Fri Mar 22, 2024 9:01 am

What is more insightful is to see the packet flow when the client is trying to connect, but obviously fails. There is a sequence and reviewing what is expected vs what actually happens might indicate the problem.

@robertkjonesjr you've made me better than I was two days ago. I now know how to set up Wireshark to capture 802.11 packet exchange, how to filter it, color, alter and look for anomalies. Thank you! It did not help me connect ax^2 though.

I've managed to capture the packet flow when ax^2 tries to connect to the Cisco AP.
The only difference I see is that ax^2 talks at 6 Mb/s while Cisco is at 24 Mb/s.
There is no further packet exchange between the nodes. Am I missing something? Other than data rate they seem to expect/provide the same set of capabilities.

robertkjonesjr · Fri Mar 22, 2024 12:18 pm

Progress! But not really good... so we see the client, the mikrotik device, probing for the SSID. In this selection, we do see a probe response - return signal strength is not very good so would check placement of devices - but the mikrotik does not commence with the next step: send an Authentication frame. This tells me one thing: the mikrotik does not like what is in the probe response for whatever reason, so refuses to accept that as a candidate bssid to connect to. Ideally, since the mikrotik device is making the decision of 'not correct', it might provide a log message of why it is not correct. Is the wifi logging set to debug? Probably won't help because the log message will probably say something to the effect of 'no AP found', which is kind of true - the probe responses did not contain the right information to continue a connection.

One alternative here is from the capture - clients usually cycle through the channels, probing, and then looking at all the responses, finally selecting the best one to connect to. This is not a great response (RSSI for the probe response: -77 which is not great, prefer -65 or better in a perfect world). So it is possible that the capture you provide is just one of many channels that has an AP with our supported SSID, but this isn't preferred, so the authentication/association attempt is on a different channel. Then again, and likely scenario, is they all look like this

Anyway, task would be force it - make sure the mikrotik only sees one channel and sniff there, so we know for sure. This capture may represent that, but I don't know that.

The AP is a 4x4 / WiFi6 (802.11ax) / and either 6GHz is disabled or not supported. But it is likely the config that is the issue, no evidence that the HW is a problem. I have Cisco APs of this family and the same mikrotik device - I can setup a similar config based on the probe response/beacon you provided and check with my HAP AX2 and see if I get same results from my lab. I regret it will be several days before I can look at this.

Fructose3075 · Fri Mar 22, 2024 2:41 pm

Is the wifi logging set to debug? Probably won't help because the log message will probably say something to the effect of 'no AP found', which is kind of true - the probe responses did not contain the right information to continue a connection.

Logging is set to debug, but there is exactly 0 lines in the log while these attempts are made. It is populated heavily when the connection is established with other APs, so I suppose this decision not to proceed to Authentication is not worth logging for some reason.

I've tried to connect to other frequencies in the meantime. The symptoms are the same no matter what the signal strength is. One last thing I didn't try is force it in 2.4 GHz and see whether there is a different packet exchange. 2.4 on the second interface visually behaves the same way - silently ignoring the Cisco AP.

Thank you, you've helped me come a long way. I'd appreciate if you will be able to test this pair in your lab sometime later. We might uncover some area for improvement for Mikrotik or learn a configuration lesson.

I will update the thread if I will uncover anything additionally.

Fructose3075 · Fri Mar 22, 2024 3:39 pm

The 2.4 exchange looks very different. There is an actual authentication attempt, an association request, but it fails too.
I've attached the pcap

Surprisingly, log is still silent. I wonder if 'wireless, debug' is the correct option to log the 'new' wifi..

robertkjonesjr · Fri Mar 22, 2024 6:28 pm

Some more info, maybe:

Frame 10: 107 bytes on wire (856 bits), 107 bytes captured (856 bits) on interface en0, id 0
Radiotap Header v0, Length 56
802.11 radio information
IEEE 802.11 Association Response, Flags: .........
IEEE 802.11 Wireless Management
    Fixed parameters (6 bytes)
        Capabilities Information: 0x1411
        Status code: Cipher suite rejected because of security policy (0x002e)
        ..00 0000 0000 0000 = Association ID: 0x0000
    Tagged parameters (17 bytes)
        Tag: Supported Rates: Undecoded
        Tag: Extended Capabilities (8 octets)
        Tag: BSS Max Idle Period

Look at the status code. I am not in a position to test, but one difference I see is mikrotik is indicating PMF/MFP capable and provides a cipher suite for this (BIP); AP does not indicate capability in the Probe response. Test: disable Management Protection in the mikrotik config.

This is for the client (mikrotik device):

Tag: RSN Information
    Tag Number: RSN Information (48)
    Tag length: 26
    RSN Version: 1
    Group Cipher Suite: 00:0f:ac (Ieee 802.11) AES (CCM)
    Pairwise Cipher Suite Count: 1
    Pairwise Cipher Suite List 00:0f:ac (Ieee 802.11) AES (CCM)
    Auth Key Management (AKM) Suite Count: 1
    Auth Key Management (AKM) List 00:0f:ac (Ieee 802.11) PSK
    RSN Capabilities: 0x0080
        .... .... .... ...0 = RSN Pre-Auth capabilities: Transmitter does not support pre-authentication
        .... .... .... ..0. = RSN No Pairwise capabilities: Transmitter can support WEP default key 0 simultaneously with Pairwise key
        .... .... .... 00.. = RSN PTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... ..00 .... = RSN GTKSA Replay Counter capabilities: 1 replay counter per PTKSA/GTKSA/STAKeySA (0x0)
        .... .... .0.. .... = Management Frame Protection Required: False
        .... .... 1... .... = Management Frame Protection Capable: True
        .... ...0 .... .... = Joint Multi-band RSNA: False
        .... ..0. .... .... = PeerKey Enabled: False
        ..0. .... .... .... = Extended Key ID for Individually Addressed Frames: Not supported
        .0.. .... .... .... = OCVC: False
    PMKID Count: 0
    PMKID List
    Group Management Cipher Suite: 00:0f:ac (Ieee 802.11) BIP (128)

robertkjonesjr · Sun Mar 24, 2024 6:30 pm

Good news/bad news: good news is that my hAPax2 is failing to connect in station mode to a Cisco 11ax AP (9117) so it seems somewhat repeatable. Bad news is that my failure mode is slightly different: it gets through association but the AP immediately sends a deauth with Reason Code 0x002e.

2024-03-24 12_04_38-5GHz.png

I have access to the Cisco infrastructure here and it has some relatively advanced troubleshooting tools, so I put this MAC address of the tik through it during a failure (they call it Radioactive Trace) and it gives this output:

Connection attempt #2
2024/03/24 16:01:09.124	client-orch-sm	Client made a new Association to an AP/BSSID: BSSID 0cd0.f8xx.xxxx, WLAN WIFI-PUB, Slot 1 AP 0cd0.f8xx.xxxx, APabc123, Site tag west, Policy tag west-policy, Policy profile west_vlan90, Switching Local, Socket delay 0ms

2024/03/24 16:01:09.125	dot11	Association failure, reason code sent: 46, interpretation: WLAN security policy doesn't support the requested cipher suite

2024/03/24 16:01:09.127	client-orch-sm	Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_DOT11_CIPHER_SUITE_REJECTED. Explanation: During RSN Information element processing, the group key provided by client is invalid. Actions: This is probable client side issue. Check RA traces, and contact client manufacturer

The reason code listed by Cisco 0x002e is 46d but that might be the Status Code per 802.11-2020 table 9-50. Seems that number got used as the reason code in the deauth frame per table 9-49. Anyway, the Cisco debug is quite helpful here; I made sure my tik config matched yours and matched the Cisco config from the beacons you provided. So we have the same scenario already mentioned: the tik advertised for PMF but the AP does not and that matches with the Cisco error code. So for me, there are two solutions: either disable PMF in the tik, or enable as optional on the CIsco side. I confirm that both worked for me and the tik was then able to complete the association and communicate.

So why is my symptom the same but the exact failure mode appears different? A couple of possibilities:

we have different problems and they are not really related

I have a different AP/different AP software than you do

I did notice that the tik will probe often but not actually try to connect so perhaps the short capture you show is not representative of what is happening

maybe other reasons too

Fructose3075 · Mon Mar 25, 2024 9:39 am

So for me, there are two solutions: either disable PMF in the tik, or enable as optional on the CIsco side. I confirm that both worked for me and the tik was then able to complete the association and communicate.

I wish I could buy you a beer

Setting Management Protection to DISABLED immediately solved the issue.
This is a very strange configuration approach, to be honest. My expectation is that when things are not set, they are not interfering. Not the case with this setting. I do agree that a more secure default stance is a good choice, but it should be indicated as a selected choice in the UI, otherwise I don't expect a particular setting to be influencing the connectivity.

Thanks for your help, roertkjonesjr! Great finding!

hAP ax2 station mode [SOLVED]

hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode

Re: hAP ax2 station mode [SOLVED]

Re: hAP ax2 station mode

Who is online