WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

rbilka · Sat Feb 08, 2025 1:15 am

Hi.

I have 3x Wi-Fi APs (hAP ax^3) and 1x CAPsMAN controller (on hAP ac^2, Wi-Fi interfaces disabled there).

Until yesterday, I had some stable version (probably 7.16.2), and Wi-Fi roaming was working fine there.
Yesterday, I updated to 7.17.1, and Wi-Fi roaming stops working.

Clients just "reconnect" with about a 0.5-1 second interruption to the other AP, and "disconnected" and "connected" messages appear in the log:
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G disconnected, connection lost, signal strength -80
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G connected, signal strength -53
and back
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G disconnected, not responding, signal strength -88
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G connected, signal strength -56

Before the update, only one "roaming" message was appearing there instead:
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -48
or back
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48

I think the problem is, that I cannot select both "WPA2 PSK" with "WPA3 PSK" together in the security settings.
Perhap issue is combination with the "Management Protection" setting.

1) "WPA3 PSK" only:
When only option "WPA3 PSK" is selected, "Management Protection" must be set to "required".
Otherwise, no clients are able to connect with "allowed" or "disabled".
But even with "required", the "roaming" is not working.
It seems that clients try to roam (client's SW show connected=roamed to the new AP) but are immediately "disconnected" and "connected" again.

2) "WPA2 PSK" only:
When "WPA2 PSK" only is selected, and "Management Protection" is set to "disabled|allowed|required|not set", roaming starts working fine again, as beffore.

3) In the older version of 7.16.X, I had the option "WPA2 PSK + WPA3 PSK" with "Management Protection" set to "required", almost all clients were connected with WPA3 PSK, and roaming was working fine (as expected).
So some changes in mikrotik SW code was changed, perhaps some BUG introduced, which stops roaming worked for all my clients.
I am prepared to create ticket for support, but I am still waiting for registration email to register there.
Please check what can be wrong and perhaps if there is better sollution, than turning WPA3 PSK OFF, and also "Protection Management" to OFF.
It was working few versions behind.

Note:
I see a positive change in version 7.18beta5.
Probably due to option ".2g-probe-delay=yes" clients now ROAM more on 5G, while before they usually tended to roam to 2.4G instead 5G.

Note2:
I added more explanation and my configuration below (3rd post).

Thank you.

mkx · Sat Feb 08, 2025 5:37 pm

Re. "Management Protection" setting: it used to be so that if it wasn't set, then default value was different when different security setups were in use (for WPA2 it was "disabled" and for WPA3 it was "allowed"). This doesn't work the same with setting explicitly set. On my 7.17.2 setups I still don't set it and roaming works for my station devices.

So if you unset the setting, does it work any differently?

rbilka · Sat Feb 08, 2025 6:45 pm

First, thank for respond.
Are you 100% sure, that roaming is working for you?
Are we talking about WIFI "AP" mode?
Can you check it (steps below) to be sure?

1)
Do you have 7.17.1 or newer?

2)
Do you see roaming messages with expicit string "ROAMED" (see bellow) in log?
/log print where topics~"wireless"
2025-02-08 17:36:25 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -44
2025-02-08 17:36:46 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48
2025-02-08 17:37:03 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_chr_wifi-2G, signal strength -52
2025-02-08 17:37:05 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -70
Roaming is not working for you, if you see in log DISCONNECTED and following CONNECTED messagess, instead single ROAMED message.

3)
What you see in "/interface/wifi/registration-table" ???:

4)
My config withouth WPA3-PSK, that means only WPA2-PSK, where roaming is working is:

/interface/wifi> export
# // ...I removed some lines which were not relevant to this SSID configuration ...
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=2G_ch1-7 skip-dfs-channels=disabled width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2472 name=2G_ch8-14 skip-dfs-channels=disabled width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500 name="5G_ch106(100-112)_f5500(5490-5570)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5580 name="5G_ch122(116-128)_f5580(5570-5650)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5660 name="5G_ch138(132-144)_f5660(5650-5730)" skip-dfs-channels=disabled width=20/40/80mhz
/interface wifi datapath
add bridge=bridgeSwitch disabled=no name=datapath-home vlan-id=110
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_home wps=disable
/interface wifi configuration
add channel=2G_ch1-7 country=Czech datapath=datapath-home disabled=no mode=ap name=wifi-2G_home_ch1-7 security=security_home ssid=rbhn
add channel=2G_ch8-14 country=Czech datapath=datapath-home disabled=no mode=ap name=wifi-2G_home_ch8-14 security=security_home ssid=rbhn
add channel="5G_ch106(100-112)_f5500(5490-5570)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch106(100-112)_f5500(5490-5570)" security=security_home ssid=rbhn
add channel="5G_ch122(116-128)_f5580(5570-5650)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch122(116-128)_f5580(5570-5650)" security=security_home ssid=rbhn
add channel="5G_ch138(132-144)_f5660(5650-5730)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch138(132-144)_f5660(5650-5730)" security=security_home ssid=rbhn
/interface wifi steering
add 2g-probe-delay=yes disabled=no name=steering_home neighbor-group=dynamic-rbhn-f21aa6c5 rrm=yes wnm=yes
/interface wifi capsman
set enabled=yes interfaces=vlan_home package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no identity-regexp=lvr|bdr master-configuration=wifi-2G_home_ch8-14 name-format=%I_wifi-2G slave-configurations=wifi-2G_guests,wifi-2G_iot supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration=wifi-2G_home_ch1-7 name-format=%I_wifi-2G slave-configurations=wifi-2G_guests,wifi-2G_iot supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr master-configuration="wifi-5G_home_ch106(100-112)_f5500(5490-5570)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="wifi-5G_home_ch122(116-128)_f5580(5570-5650)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=bdr master-configuration="wifi-5G_home_ch138(132-144)_f5660(5650-5730)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax

4)
So roaming is working only when:
authentication-types=wpa2-psk
... and does not matter how "management-protection" is set (required|allowed|disabled|"not set")
Some clients have "auth-type" set to "ft-wpa2-psk" instead "wpa2-psk", and for those with "ft-", roaming works as expected:

/interface/wifi/registration-table> print
# INTERFACE SSID MAC-ADDRESS UPTIME LAST-ACTIVITY SIGNAL AUTH-TYPE BAND
5 A ap_bdr_wifi-2G rbhn ??:??:??:??:??:?? 27m54s 0ms -55 ft-wpa2-psk 2ghz-ax
6 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 27m41s 0ms -40 ft-wpa2-psk 2ghz-n
8 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 27m32s 0ms -54 ft-wpa2-psk 2ghz-n
9 A ap_lvr_wifi-5G rbhn ??:??:??:??:??:?? 20m7s 0ms -67 ft-wpa2-psk 5ghz-ac

/log print where topics~"wireless"
2025-02-08 17:36:09 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G connected, signal strength -70
2025-02-08 17:36:25 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -44
2025-02-08 17:36:46 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48
2025-02-08 17:36:50 wireless,info DC:8D:91:51:7C:14@ap_lvr_wifi-2G roamed to DC:8D:91:51:7C:14@ap_lvr_wifi-5G, signal strength -64
2025-02-08 17:37:03 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_chr_wifi-2G, signal strength -52
2025-02-08 17:37:05 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -70
2025-02-08 17:37:34 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -50

Roaming fails for all wpa3-psk settings:
authentication-types=wpa3-psk ... or ... authentication-types=wpa2-psk,wpa3-psk
and
management-protection=required (or "not set")

When roaming fails, I see "wpa3-psk" only:
/interface/wifi/registration-table> print
# INTERFACE SSID MAC-ADDRESS UPTIME LAST-ACTIVITY SIGNAL AUTH-TYPE BAND
6 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 59s 0ms -52 wpa3-psk 2ghz-n
7 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 58s 0ms -64 wpa3-psk 2ghz-n
8 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 56s 0ms -71 wpa3-psk 2ghz-n
9 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 28s 0ms -73 wpa3-psk 2ghz-ax
/log print where topics~"wireless"
2025-02-08 17:20:20 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-2G connected, signal strength -71
2025-02-08 17:20:57 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-2G disconnected, not responding, signal strength -79
2025-02-08 17:21:02 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G connected, signal strength -78
2025-02-08 17:24:43 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G disconnected, not responding, signal strength -76
2025-02-08 17:24:46 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-2G connected, signal strength -51

When I set management-protection to "allowed" or "disabled", clients are not able even connect to the network at all (which is expected and OK).

mkx · Sat Feb 08, 2025 8:15 pm

7.17.2

(logs are double ... because I have two log destinations, memory and disk)

2025-02-08 09:04:49 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 connected, signal strength -41
 2025-02-08 10:14:06 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 roamed to 34:F0:43:B4:80:B0@cap-audience-5g-42, signal strength -66
 2025-02-08 10:14:06 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 roamed to 34:F0:43:B4:80:B0@cap-audience-5g-42, signal strength -66
 2025-02-08 12:02:13 wireless,info 34:F0:43:B4:80:B0@cap-audience-5g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-2g-42, signal strength -34
 2025-02-08 12:02:13 wireless,info 34:F0:43:B4:80:B0@cap-audience-5g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-2g-42, signal strength -34
 2025-02-08 12:04:49 wireless,info 34:F0:43:B4:80:B0@cap-wap-2g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-5g-42, signal strength -58
 2025-02-08 12:04:49 wireless,info 34:F0:43:B4:80:B0@cap-wap-2g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-5g-42, signal strength -58
 2025-02-08 13:23:17 wireless,info 84:98:66:7C:71:ED@cap-audience-2g-42 roamed to 84:98:66:7C:71:ED@cap-wap-2g-42, signal strength -53
 2025-02-08 13:23:17 wireless,info 84:98:66:7C:71:ED@cap-audience-2g-42 roamed to 84:98:66:7C:71:ED@cap-wap-2g-42, signal strength -53
 2025-02-08 13:33:23 wireless,info 84:98:66:7C:71:ED@cap-wap-2g-42 roamed to 84:98:66:7C:71:ED@cap-audience-5g-42, signal strength -69
 2025-02-08 13:33:23 wireless,info 84:98:66:7C:71:ED@cap-wap-2g-42 roamed to 84:98:66:7C:71:ED@cap-audience-5g-42, signal strength -69
 2025-02-08 14:10:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -68
 2025-02-08 14:10:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -68
 2025-02-08 14:10:41 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -86
 2025-02-08 14:10:41 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -86
 2025-02-08 14:15:26 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 disconnected, group key timeout, signal strength -97
 2025-02-08 14:15:26 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 disconnected, group key timeout, signal strength -97
 2025-02-08 14:26:00 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 connected, signal strength -79
 2025-02-08 14:26:00 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 connected, signal strength -79
 2025-02-08 14:26:05 wireless,info 0A:1E:47:03:74:AD@cap-audience-5g-42 roamed to 0A:1E:47:03:74:AD@cap-audience-2g-42, signal strength -62
 2025-02-08 14:26:05 wireless,info 0A:1E:47:03:74:AD@cap-audience-5g-42 roamed to 0A:1E:47:03:74:AD@cap-audience-2g-42, signal strength -62
 2025-02-08 14:34:45 wireless,info 84:98:66:7C:71:ED@cap-audience-5g-42 roamed to 84:98:66:7C:71:ED@cap-wap-5g-42, signal strength -63
 2025-02-08 14:34:45 wireless,info 84:98:66:7C:71:ED@cap-audience-5g-42 roamed to 84:98:66:7C:71:ED@cap-wap-5g-42, signal strength -63
 2025-02-08 14:45:08 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -50
 2025-02-08 14:45:08 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -50
 2025-02-08 14:47:21 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-5g-42, signal strength -72
 2025-02-08 14:47:21 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-5g-42, signal strength -72
 2025-02-08 16:49:01 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -67
 2025-02-08 16:49:01 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -67
 2025-02-08 16:52:37 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-2g-42, signal strength -78
 2025-02-08 16:52:37 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-2g-42, signal strength -78
 2025-02-08 16:56:14 wireless,info 54:10:4F:DF:55:FF@cap-audience-2g-42 disconnected, group key timeout, signal strength -81
 2025-02-08 16:56:14 wireless,info 54:10:4F:DF:55:FF@cap-audience-2g-42 disconnected, group key timeout, signal strength -81
 2025-02-08 16:59:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 connected, signal strength -77
 2025-02-08 16:59:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 connected, signal strength -77
 2025-02-08 17:41:11 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -68
 2025-02-08 17:41:11 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -68

Flags: A - AUTHORIZED
Columns: INTERFACE, SSID, MAC-ADDRESS, UPTIME, LAST-ACTIVITY, SIGNAL, AUTH-TYPE, BAND
#   INTERFACE           SSID    MAC-ADDRESS        UPTIME      LAST-ACTIVITY  SIGNAL  AUTH-TYPE    BAND
0 A cap-wap-2g-42       mkxNet  AC:BD:70:xx:yy:zz  1d8h43m57s  0ms            -39     wpa2-psk     2ghz-n
1 A cap-wap-5g-42       mkxNet  78:F2:38:xx:yy:zz  10h16m32s   15s30ms        -45     ft-wpa2-psk  5ghz-ax
2 A cap-wap-5g-42       mkxNet  34:F0:43:xx:yy:zz  5h59m59s    21s40ms        -56     ft-wpa2-psk  5ghz-ac
3 A cap-audience-2g-42  mkxNet  0A:1E:47:xx:yy:zz  3h38m43s    0ms            -54     wpa3-psk     2ghz-n
4 A cap-wap-5g-42       mkxNet  84:98:66:xx:yy:zz  3h30m3s     24s40ms        -45     wpa2-psk     5ghz-ac
5 A cap-audience-5g-42  mkxNet  54:10:4F:xx:yy:zz  23m37s      0ms            -59     ft-wpa2-psk  5ghz-ac

my config:

/interface wifi channel
add frequency=2412 name=2GHz-1 width=20mhz
add frequency=2432 name=2GHz-5 width=20mhz
add frequency=2452 name=2GHz-9 width=20mhz
add frequency=2472 name=2GHz-13 width=20mhz
add frequency=2412,2432 name=2GHz-1+5 reselect-interval=6h..1d width=20mhz
add frequency=5500,5580,5660 name=5GHz-high reselect-interval=6h..1d width=20/40/80mhz
add frequency=2452,2472 name=2GHz-9+13 reselect-interval=6h..1d width=20mhz
add frequency=5180,5200,5220,5240 name=5GHz-low-80 reselect-interval=8h..12h width=20/40/80mhz
add frequency=5180,5200,5220,5240 name=5GHz-low-20 reselect-interval=8h..12h width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 dh-groups=19,20,21 disable-pmkid=yes encryption=ccmp,ccmp-256 ft=\
    yes ft-over-ds=yes ft-preserve-vlanid=no group-key-update=5m name=wpa2wpa3 wps=disable
/interface wifi steering
add name=steering42 neighbor-group=LAN-42 rrm=yes wnm=yes
add name=steering41 neighbor-group=guest-41 rrm=yes wnm=yes
/interface wifi
# operated by CAP 2E:C8:1B:xx:yy:z6%vlan-99, traffic processing on CAP
add configuration=2GHz-9-noVID disabled=no name=cap-audience-2g-42 radio-mac=2C:C8:1B:xx:yy:z8
# operated by CAP 2E:C8:1B:xx:yyzE6%vlan-99, traffic processing on CAP
add configuration=5GHz-low-41-novid disabled=no name=cap-audience-5g-41 radio-mac=2C:C8:1B:xx:yy:z9
# operated by CAP 2E:C8:1B:xx:yy:z6%vlan-99, traffic processing on CAP
add configuration=5GHz-high-noVID disabled=no name=cap-audience-5g-42 radio-mac=2C:C8:1B:xx:yy:zA
# operated by CAP F6:1E:57:36:CD:D4%vlan-99, traffic processing on CAP
add configuration=2GHz-13-42 disabled=no name=cap-wap-2g-42 radio-mac=F4:1E:57:aa:bb:c6
# operated by CAP F6:1E:57:aa:bb:c4%vlan-99, traffic processing on CAP
add configuration=5GHz-high-42 disabled=no name=cap-wap-5g-42 radio-mac=F4:1E:57:aa:bb:c7
# operated by CAP F6:1E:57:aa:bb:c4%vlan-99, traffic processing on CAP
add configuration=slave-41 disabled=no mac-address=F6:1E:57:aa:bb:c7 master-interface=cap-wap-5g-42 name=cap-wap-5g-virt-41
/interface wifi capsman
set enabled=yes interfaces=vlan-99
/interface wifi configuration
add channel=2GHz-1+5 comment="2GHz low 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=2GHz-low-42 \
    security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-high comment="5GHz high 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=\
    5GHz-high-42 security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=2GHz-13 comment="2GHz ch13 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=2GHz-13-42 \
    security=wpa2wpa3 ssid=<SSID1> steering=steering42
add datapath=datapath41 mode=ap multicast-enhance=enabled name=slave-41 ssid="I\E2\9D\A4MikroTik" steering=steering41
add channel=5GHz-low-80 comment="5GHz low no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled \
    name=5GHz-low-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=2GHz-9 comment="2GHz ch9 no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled name=\
    2GHz-9-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-high comment="5GHz high no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled \
    name=5GHz-high-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-low-20 comment="5GHz low guest no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=\
    enabled name=5GHz-low-41-novid ssid="I\E2\9D\A4MikroTik" steering=steering41
/interface wifi datapath
add bridge=bridge comment=LAN name=datapath42 vlan-id=42
add bridge=bridge client-isolation=yes comment="guest WiFi" name=datapath41 vlan-id=41
add bridge=bridge client-isolation=yes comment="no VLAN ID" name=datapath-noVID
/interface wifi provisioning
add action=create-enabled comment="wAP 2Ghz" master-configuration=2GHz-13-42 radio-mac=F4:1E:57:aa:bb:c6
add action=create-enabled comment="wAP 5Ghz" master-configuration=5GHz-high-42 radio-mac=F4:1E:57:aa:bb:c7 slave-configurations=\
    slave-41
add action=create-enabled comment="Audience 5GHz low" master-configuration=5GHz-low-41-novid radio-mac=2C:C8:1B:xx:yy:z9
add action=create-enabled comment="Audience 2GHz" master-configuration=2GHz-9-noVID radio-mac=2C:C8:1B:xx:yy:z8
add action=create-enabled comment="Audience 5GHz high" master-configuration=5GHz-high-noVID radio-mac=2C:C8:1B:xx:yy:zA

rbilka · Sat Feb 08, 2025 9:16 pm

Thank you very much ...
Just from a quick glance I don't see anything that could be a problem. Something to do with VLAN ID maybe ... we'll see.
I will try to replicate parts of your configuration, till it starts working and make some tests, and let you know.

rbilka · Sat Feb 08, 2025 10:11 pm

(deleted, not relevant anymore)

rbilka · Sat Feb 08, 2025 11:46 pm

Interesting ...
... i added "connect-priority" as you have (before was not set) and roaming for WPA3-PSK clients started working fine!
/interface/wifi/security/
connect-priority=0/1

So, for WPA3-PSK clients to be able roaming, that line needs to be there.
Do you know, or better, can you describe, how that line works and what represents?
Information from documentation does not make sense for me:
https://help.mikrotik.com/docs/spaces/R ... Properties

...
If (accept-priority of AP2) = (hold-priority of AP1), a connection to AP2 will be allowed only if the MAC address can no longer be reached via AP1.
...
If omitted, hold-priority is the same as accept-priority.
...
By default, APs, which perform user authentication, have higher priority (lower integer value), than open APs.

So if I understand correctly, default value is:
connect-priority=1/1 (or connect-priority=0/0 ?)

This "default" value is probably the reason, why WPA3-PSK client shows for around 500ms that has roamed to the new AP, but immediatelly disconnects from it and reconnect to the new AP.
And mikrotik does not log anything about client tried roaming, just disconnect due to be not reachable.
So, it seems mikrotik is not accepting MAC frames from new Wifi AP after client roamed to it, because it still register that client (and it's MAC) on the old Wifi AP.

So question is ... why this (that MAC ignoring) is not applied also to the FT-WPA2-PSK clients, only to WPA3-PSK clients.
I will add this discovery to the support ticket I created.

Thank you for help and anybody else, who can add some more information about this problem (setting connect-priority).

mkx · Sun Feb 09, 2025 12:14 pm

Do you know, or better, can you describe, what tjat line works and what represents?

No idea why exactly that setting needs to be that way, I don't recal reading any good explanation of what it does. It was discovered and reported by other forum members quite a while ago so I guess it's a public secret by now

WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)

Re: WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5)