
Fast roaming (802.11r) on a Lede-based WiFi network (aka OpenWRT)

Hello. I decided to record the result by writing an article. The result is the joining of several WiFi access points into one indivisible network, also called seamless. The point of the exercise was that my "local" home network has grown to several WiFi points because of the large area it covers and the impossibility of getting decent quality from a single point.


The first, head-on solution was to install several more WiFi APs with the same BSSID, and everything seemed to work, but as it turned out, not quite. My Android phone, for example, handled this fine, hopping from point to point when it lost the signal from one and detected the signal from another. The users of the wonderful iPhone, however, had a problem: the device flatly refused to disconnect from a point that was already out of range and connect to a new one, even one with a strong signal. And, as is to be expected from this contingent (no hostility, just dry facts), the stink began that everything around is G. and their wonderful phone cannot work with this junk. So I began to look for ways to deal with it.

My searches led me to the 802.11r standard, which promises full transparency for WiFi devices on a network of several APs. Even Apple confirms that it can do this.
Well, for the sake of peace of mind and of the Apple lovers, we will master a new discipline. A cursory study of theory and practice showed that hostapd seems able to perform this miracle. All my routers have long been running LEDE (for those who do not know, this is the former OpenWRT), so configuration should not have been a problem in this respect. But as always, not everything is so simple, or I am slow :)

To begin with, LEDE installs the wpad-mini package by default; it contains basic WiFi AP support with the bare minimum needed to work. That does not suit us, so the package has to be replaced with wpad.

In the simplest case, you need to run the command:

opkg install wpad 

The package will pull in everything it needs and replace wpad-mini. Ideally, it would be better to simply rebuild the firmware image with ImageBuilder.

After installing the package, you need to configure it. If you use the LuCI interface, a checkbox will appear in the Wireless Security section of the WiFi network settings. Enabling it reveals a number of fields for configuring the roaming function between APs.

If you do not have LuCI, or you prefer to configure the hardware by editing configs, the same is done with the line:

 option ieee80211r '1' 

in the wifi-iface section of the configuration file /etc/config/wireless. I hope there is no need to explain that this must be done on all APs involved in roaming.

That was the easy part. Then the fun began.

Now all the points have to be told somehow that they are configured into one roaming setup. All the manuals I managed to find persistently boil down to setting this whole thing up with RADIUS authorization. But I have no RADIUS and do not need one, as I think is true for most of us. So I had to experiment.

Let's go through the fields that have to be filled in LuCI:

NAS ID - as I understand it, the identifier of the current access point on the RADIUS server. It is not needed when there is no such server, but LuCI will not save the settings if this field is empty. So let's fill it in. The usual recommendation is to enter the device's MAC address without separators.

Mobility Domain - the identifier of your network. It must be the same on all roaming points. It is a 16-bit number in hexadecimal (HEX) form.

External R0 Key Holder List - this is where the NAS ID is used, even though it was said to be needed only for RADIUS. Or does this feature do nothing without RADIUS? Can anyone in the know explain? Here I added as many lines as I have access points on the network, in the format: MAC address, NAS-ID, 128-bit key as a HEX string.
Example: 12:fe:ed:6d:bf:ea, 12feed6dbfea, 8a7fcc966ed0691ff2809e1f38c16996
I repeated this for each access point, using the same key. Again, does anyone know the correct way?

External R1 Key Holder List - the analogue of the previous list, only with an R1KH-ID in place of the NAS-ID.

I filled it out like this: 12:fe:ed:6d:bf:ea, 12:fe:ed:6d:bf:ea, 8a7fcc966ed0691ff2809e1f38c16996

The result was something like this:



In the form of a config, it all looks like this:

 option ieee80211r '1'
 option mobility_domain '4f57'
 option pmk_r1_push '1'
 list r0kh '12:fe:ed:6d:bf:ea,12feed6dbfea,8a7fcc966ed0691ff2809e1f38c16996'
 list r0kh 'e8:94:f6:e5:46:72,e894f6e54672,8a7fcc966ed0691ff2809e1f38c16996'
 list r1kh '12:fe:ed:6d:bf:ea,12:fe:ed:6d:bf:ea,8a7fcc966ed0691ff2809e1f38c16996'
 list r1kh 'e8:94:f6:e5:46:72,e8:94:f6:e5:46:72,8a7fcc966ed0691ff2809e1f38c16996'
 option nasid '12feed6dbfea'
 option r1_key_holder '12feed6dbfea'
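
As an added example (not code from the original article): a POSIX shell helper, meant to be run on any workstation, that prints the options shown above for one AP, given the mobility domain, a key, the AP's own MAC and the MACs of its peers. The function names are hypothetical, and `gen_ft_key` draws a fresh 128-bit key from /dev/urandom so that a deployment does not reuse the key printed in this article.

```sh
#!/bin/sh
# Added example (hypothetical helper names); field layout follows the config above.

# 128-bit key as 32 hex characters from the kernel RNG.
gen_ft_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Lowercase a MAC; fail unless it is six colon-separated octets.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s' "$m"
}

# ft_options MOBILITY_DOMAIN KEY OWN_MAC [PEER_MAC...]
# As in the article, every AP (the local one included) is listed on each AP.
ft_options() {
    md=$1; key=$2
    own=$(norm_mac "$3") || { echo "bad own MAC: $3" >&2; return 1; }
    shift 3
    printf '%s\n' "$md" | grep -Eq '^[0-9a-fA-F]{4}$' ||
        { echo "mobility domain must be 4 hex digits" >&2; return 1; }
    printf '%s\n' "$key" | grep -Eq '^[0-9a-fA-F]{32}$' ||
        { echo "key must be 32 hex digits (128 bits)" >&2; return 1; }
    macs=$own
    for peer in "$@"; do
        mac=$(norm_mac "$peer") || { echo "bad peer MAC: $peer" >&2; return 1; }
        macs="$macs $mac"
    done
    own_id=$(printf '%s' "$own" | tr -d ':')
    echo "option ieee80211r '1'"
    echo "option mobility_domain '$md'"
    echo "option pmk_r1_push '1'"
    for mac in $macs; do   # r0kh: MAC, NAS-ID (MAC without separators), key
        echo "list r0kh '$mac,$(printf '%s' "$mac" | tr -d ':'),$key'"
    done
    for mac in $macs; do   # r1kh: MAC, R1KH-ID (MAC with separators), key
        echo "list r1kh '$mac,$mac,$key'"
    done
    echo "option nasid '$own_id'"
    echo "option r1_key_holder '$own_id'"
}

# Demo with the article's two sample MACs: one key, one option set per AP.
KEY=$(gen_ft_key)
ft_options 4f57 "$KEY" 12:fe:ed:6d:bf:ea e8:94:f6:e5:46:72
ft_options 4f57 "$KEY" e8:94:f6:e5:46:72 12:fe:ed:6d:bf:ea
```

Each AP's output goes into its own wifi-iface section of /etc/config/wireless.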

After saving and rebooting all devices, nothing looked different at first glance; everything continued to work. Nothing has changed on my Android phone. The iPhone owners are satisfied so far; we will keep watching. The WiFi analyzer still sees my network as several points, but FT-PSK has been added alongside WPA-PSK authorization.

I wrote this article so as not to forget it myself, and to get criticism and help in understanding what I have done :) I would be grateful for any comments.

Source: https://habr.com/ru/post/327166/

