Have an SSID that is configured for WPA2-Enterprise using RADIUS/802.1X-PEAP. 802.11w is set to required. SSID is running in NAT mode.
At times I am seeing errors like the following:
Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa3-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.xxx' reason='radius_login_failure' radio='0' vap='3' channel='6' rssi='42'
The client is configured for WPA2. The client was successfully connected and then all of a sudden couldn't roam to this AP and the above error was seen in the connection log. Eventually, with no changes to the client or on the dashboard, the client was able to connect.
APs are MR42s and they are running MR 29.4.1
Disable 802.11w and all will be fine.
Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons.
If I wasn't getting hammered with deauthentications from a neighbor then I would disable 802.11w.
Why would 802.11w trigger WPA3 errors?
Disable 802.11w and all will be fine.
Some legacy devices that do not support 802.11w may not be able to connect to an SSID even if in mixed mode. This may be due to the device improperly handling the advertised information contained within the beacons.
That's the thing, the device does support 802.11w. It was previously connected and was able to connect after the fact eventually.
WPA3 Transition Mode
WPA3 SAE has a transition mode (sometimes called mixed mode) created to allow WPA2 clients to co-exist on the same SSID used for WPA3. Although WPA3 needs to have Management Frame Protection (MFP/802.11w) set to Required, the Dashboard can also be set to Enabled, so that the STA which are not compliant with either WPA3 or MFP can still connect seamlessly.
802.11w can be set to Required, however WPA2 clients which do not support MFP will not be able to associate.
WPA3 transition mode is only if you are doing PSK. Isn't available for WPA3-Enterprise.
Ok, but it explains the following behaviors that you informed us about, you can open a support case to confirm. 😉
Opened a case. This behavior is a known bug.
Do you have any update from the case? When will it be solved?
Thanks man 🙂 you saved my day!!!
Instead of having the SSID in NAT mode, try putting the device directly on the network, using Bridge Mode.
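The documentation quoted in this thread distinguishes 802.11w Required from Enabled, and an earlier reply points at what the beacons advertise. As an added example (not code from any poster here or from Meraki), the Python below parses the RSN element a beacon carries and reports the advertised AKM suites and MFP mode. The sample element bytes and all helper names are constructed for illustration, since the thread shows no capture.

```python
import struct

# AKM suite types under the IEEE OUI 00-0F-AC (IEEE 802.11 RSN element)
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
OUI = b"\x00\x0f\xac"

def _suites(buf, off):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    end = off + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [buf[i:i + 4] for i in range(off, end, 4)], end

def parse_rsn(body):
    """Parse the body of an RSN element (ID 48), without the ID/length bytes."""
    if len(body) < 8:
        raise ValueError("RSN element too short")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version")
    off = 2 + 4                      # skip the group data cipher suite
    _, off = _suites(body, off)      # pairwise cipher suites
    akms, off = _suites(body, off)   # AKM suites
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    names = [AKM.get(s[3], "type-%d" % s[3]) if s[:3] == OUI else s.hex() for s in akms]
    mfpr, mfpc = bool(caps & 0x0040), bool(caps & 0x0080)  # RSN capabilities bits 6 and 7
    mode = "required" if mfpr else "enabled" if mfpc else "disabled"
    return {"akm": names, "mfp": mode}

def can_associate(rsn, client_supports_mfp):
    """A client without MFP support is refused only when the AP sets MFPR."""
    return client_supports_mfp or rsn["mfp"] != "required"

def rsn_body(akm_types, caps):
    """Build a constructed sample: CCMP-128 group and pairwise, given AKMs and capabilities."""
    ccmp = OUI + b"\x04"
    out = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    out += struct.pack("<H", len(akm_types)) + b"".join(OUI + bytes([t]) for t in akm_types)
    return out + struct.pack("<H", caps)

REQUIRED = rsn_body([1, 5], 0x00C0)  # constructed: MFPC and MFPR both set
ENABLED = rsn_body([1], 0x0080)      # constructed: MFPC only

if __name__ == "__main__":
    for label, body in (("required", REQUIRED), ("enabled", ENABLED)):
        rsn = parse_rsn(body)
        print(label, rsn, "non-MFP client can associate:", can_associate(rsn, False))
```

To check a real AP, feed `parse_rsn` the RSN element body taken from a beacon in a packet capture and compare the reported MFP mode with the SSID's 802.11w setting.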