Fast roaming (802.11r) in a WiFi network based on Lede (aka OpenWRT)

    Hello. I decided to record the result by writing an article. The result is the combination of several WiFi access points into one inseparable network, also called seamless. The point of this exercise was that my "local" home network had grown to several WiFi points because of the large area it covers and the impossibility of getting proper quality from just one point.


    The first, brute-force solution was to put up a few more WiFi APs with the same BSSID, and everything seemed to work, but as it turned out, not everything. For example, my Android-based phone handled this situation fine, jumping from point to point when it lost the signal from one and detected the signal from another. Users of the wonderful iPhone, however, had a problem: these devices flatly refused to disconnect from a point that had already gone out of range and connect to a new one, even one with a strong signal. As expected from this contingent (no hostility, just dry facts), the complaining began that everything around is garbage and their wonderful phone cannot work with this junk. So I began to look for ways to deal with this.

    My searches led me to the 802.11r standard, which promises that a network of several APs will be fully transparent to WiFi devices. Even Apple confirms that its devices can do it.

    Well, for the sake of peace of mind and of the apple lovers, we will master a new discipline. A cursory study of theory and practice showed that hostapd seems to be able to do this miracle. All my routers have long been running Lede (for those who do not know, this is the former OpenWRT), so the configuration should not have caused problems. But as always, things are not so simple, or I am a bit slow :)

    First, the wpad-mini package is installed in Lede by default; it contains only basic WiFi AP support, the minimum needed for it to work. This does not suit me, so the package has to be replaced with wpad.

    In the simplest case, to do this, run the command:

    opkg install wpad

    The package will bring with it everything you need and replace wpad-mini. Ideally, you would just rebuild the firmware image using ImageBuilder.

    After installing the package you need to configure it. If you use the luci interface, the checkbox "Enables fast roaming among access points that belong to the same Mobility Domain" will appear in the Wireless Security section of the wireless settings.



    Turning it on gives us a bunch of fields for setting up roaming between APs.
    If you do not have luci, or you prefer to configure the hardware by editing config files, then this is done with the line:

    option ieee80211r '1'

    in the config wifi-iface section of the /etc/config/wireless configuration file. I hope there is no need to explain that this should be done on all APs involved in roaming.

    That was the simplest part. Then the fun began.

    To tell all the points that they belong to the same roaming domain, this has to be configured somehow. All the manuals I managed to find stubbornly come down to setting this up with RADIUS authorization. But I do not have RADIUS and do not need it, as I think is true for most of us. So I had to experiment.

    Let's go over the fields that luci offers us to fill out:

    NAS ID - as I understand it, the identifier of the current access point in the RADIUS server. It is not needed in the absence of the latter, but luci does not allow saving the settings if this field is empty. Well then, fill it in. Usually everyone recommends entering the MAC address of the device without separators.

    Mobility Domain is the identifier of your particular network. It must be the same on all points involved in roaming. It is a 16-bit number in hexadecimal form (HEX).

    External R0 Key Holder List - here the NAS ID is involved, although they said it is needed only for RADIUS. Or is this feature not used without RADIUS? Could someone who knows explain? I added as many lines here as I have access points in the network, in the format: MAC address, NAS-ID, 128-bit key in the form of a HEX string
    For example: 12:fe:ed:6d:bf:ea, 12feed6dbfea, 8a7fcc966ed0691ff2809e1f38c16996
    And so on for each access point; the key I used is the same for all of them. Again, does anyone know how to do it right?

    External R1 Key Holder List - analogous to the previous field, only with a certain R1KH-ID instead of the NAS-ID.

    I filled it out like this: 12:fe:ed:6d:bf:ea, 12:fe:ed:6d:bf:ea, 8a7fcc966ed0691ff2809e1f38c16996

    The result looked something like this:



    In the form of a config, it all looks like this:

            option ieee80211r '1'
            option mobility_domain '4f57'
            option pmk_r1_push '1'
            list r0kh '12:fe:ed:6d:bf:ea,12feed6dbfea,8a7fcc966ed0691ff2809e1f38c16996'
            list r0kh 'e8:94:f6:e5:46:72,e894f6e54672,8a7fcc966ed0691ff2809e1f38c16996'
            list r1kh '12:fe:ed:6d:bf:ea,12:fe:ed:6d:bf:ea,8a7fcc966ed0691ff2809e1f38c16996'
            list r1kh 'e8:94:f6:e5:46:72,e8:94:f6:e5:46:72,8a7fcc966ed0691ff2809e1f38c16996'
            option nasid '12feed6dbfea'
            option r1_key_holder '12feed6dbfea'
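
The config above, generated for any number of APs. This is an added example, not part of the original article: the helper names `gen_ft_key`, `is_mac` and `ft_section` are hypothetical, the option names and entry formats are those of the article's config, and a fresh random key is generated instead of reusing the one printed above. It assumes `od` and `grep -E` are available.

```sh
#!/bin/sh
# Added example: emit the 802.11r options for one AP's wifi-iface section.
# Helper names are hypothetical; option names and formats follow the article.

# 128-bit random key as 32 hex characters.
gen_ft_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if $1 is a colon-separated lowercase MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# ft_section MOBILITY_DOMAIN KEY OWN_MAC ALL_AP_MACS...
ft_section() {
    md=$1 key=$2 own=$3
    shift 3
    printf '%s\n' "$md"  | grep -Eq '^[0-9a-f]{4}$'  || { echo "bad mobility domain" >&2; return 1; }
    printf '%s\n' "$key" | grep -Eq '^[0-9a-f]{32}$' || { echo "bad key" >&2; return 1; }
    found=0
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        [ "$mac" != "$own" ] || found=1
    done
    [ "$found" -eq 1 ] || { echo "own MAC not in AP list" >&2; return 1; }

    nas=$(printf '%s' "$own" | tr -d ':')
    echo "option ieee80211r '1'"
    echo "option mobility_domain '$md'"
    echo "option pmk_r1_push '1'"
    for mac in "$@"; do   # R0KH entry: MAC, NAS-ID (MAC without colons), key
        echo "list r0kh '$mac,$(printf '%s' "$mac" | tr -d ':'),$key'"
    done
    for mac in "$@"; do   # R1KH entry: MAC, R1KH-ID (the MAC again), key
        echo "list r1kh '$mac,$mac,$key'"
    done
    echo "option nasid '$nas'"
    echo "option r1_key_holder '$nas'"
}

# Constructed demo: the two AP MACs from the article, one fresh key for both.
KEY=$(gen_ft_key)
for ap in 12:fe:ed:6d:bf:ea e8:94:f6:e5:46:72; do
    echo "# --- wifi-iface options for AP $ap ---"
    ft_section 4f57 "$KEY" "$ap" 12:fe:ed:6d:bf:ea e8:94:f6:e5:46:72
done
```

The key is generated once and passed to every AP's section, since each list entry on one AP has to match the corresponding entry on the others.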
    

    Having saved the settings and rebooted all the devices, at first glance everything continued to work. On my Android phone, apparently nothing has changed. The iPhone owners are happy so far; we will keep observing. WiFi Analyzer sees my network as several points, but in addition to WPA-PSK authorization, FT-PSK has been added.

    I wrote this article so as not to lose what I found, and to get criticism and help in understanding what was done :) I would be grateful for any comments.
