2.4.2021 03:21
This assumes the following scenario:
- you have an existing UniFi network of one or more APs with Fast roaming enabled
- you also want to use your central router, which has modern Wi-Fi support with 802.11ac (e.g. TP-Link Archer C7), and save on buying an extra AP
- you want to roam between APs with minimal outages
On the UniFi AP, run ps -w|grep hostapd and look at the processes. There is a configuration file for each SSID. Look into them by using cat /etc/aaa1.cfg and copy the configuration to a text file on your computer. Each network configuration is different, while the same SSID on different radios has the same mobility domain and keys.
Now configure your Wi-Fi network in OpenWRT LuCI. At the time of writing this, the OpenWRT version was 19.07.7. The resulting configuration should look like this in your /etc/config/wireless file.
Code:
option encryption 'psk2+ccmp'
option ieee80211r '1'
option ssid '<YOUR_SSID>'
option key '<YOUR_KEY>'
option mobility_domain '<YOUR_MOBILITY_DOMAIN>'
option pmk_r1_push '1'
option ft_over_ds '0'
option reassociation_deadline '3000'
option nasid '<YOUR_IAPP_KEY>'
list r0kh '<YOUR_R0KH_WITH_COMMAS_INSTEAD_OF_SPACES>'
list r1kh '<YOUR_R1KH_WITH_COMMAS_INSTEAD_OF_SPACES>'
option skip_inactivity_poll '1'
option wpa_disable_eapol_key_retries '1'
option ft_psk_generate_local '1'
option short_preamble '0'
option ieee80211w '1'
This works OK with this UniFi network configuration:
[attachment=177]
This is verified to work. I learned it the hard way: I configured the channels to the same number on both APs, booted up a live Kali Linux, switched the NIC to monitor mode, selected that channel and captured packets using Wireshark. Should you need to do this debugging as well, look for packets marked as Probe Response and carefully compare that packet from the UniFi AP with the one from OpenWRT, preferably in two windows side-by-side. There will be many different capabilities, and most of them don't matter, but some of them do.
Also, initially I thought it was desirable to have the same authentication capabilities displayed in WiFi Analyzer on my phone. I was mistaken, that Management Frame Protection (ieee80211w) needs to match even though it extends the capabilities with SHA256 strings. It is probably a feature in the newer hostapd version present on OpenWRT.
To test that roaming works properly, you can use Ubiquiti WiFiMan from the Google Play store. Naturally the roaming doesn't appear in UniFi Controller Alerts, because that is a UniFi proprietary add-on.
As a side-note, I was genuinely surprised to see UniFi firmware is based on old OpenWRT version 17.x (when it was forked to LEDE).
Sadly, this short guide took a lot of time to make as it didn't want to work until the very end. The main thing that kept me going was the idea that "It's just an old OpenWRT, it is possible, unless..."
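
The conversion step from the guide above (hostapd lines copied from the UniFi AP turned into /etc/config/wireless options, with the r0kh/r1kh fields joined by commas), as an added example that is not part of the original post. It assumes the copied file uses standard hostapd key=value names; the function names and sample values are constructed, and the SSID and passphrase are left to be entered by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Converts the 802.11r-related
# lines of a hostapd config (as copied from the UniFi AP) into OpenWrt UCI
# options. Assumption: the copied file uses standard hostapd key=value names.
# The output contains key material, so keep it out of world-readable files.

hostapd_to_uci() {
    awk -v q="'" '
    /^[ \t]*#/ || !/=/ { next }          # comments, blank and non key=value lines
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        sub(/\r$/, "", val)              # tolerate CRLF from copy and paste
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "r0kh" || key == "r1kh" {
        # hostapd: "<MAC> <id> <key>"   UCI list entry: "<MAC>,<id>,<key>"
        if (split(val, f, /[ \t]+/) != 3) {
            printf "line %d: %s needs exactly 3 fields\n", NR, key > "/dev/stderr"
            bad = 1
            next
        }
        printf "list %s %s%s,%s,%s%s\n", key, q, f[1], f[2], f[3], q
        next
    }
    key == "nas_identifier" { key = "nasid" }   # UCI name for the same setting
    key ~ /^(nasid|mobility_domain|reassociation_deadline|pmk_r1_push|ft_over_ds|ft_psk_generate_local|ieee80211w)$/ {
        printf "option %s %s%s%s\n", key, q, val, q
    }
    END { exit bad + 0 }                 # non-zero if any r0kh/r1kh line was malformed
    '
}

# Constructed sample standing in for the file copied from the UniFi AP.
sample_cfg() {
    cat <<'EOF'
# constructed example values
ieee80211w=1
mobility_domain=a1b2
nas_identifier=0200000000aa
ft_over_ds=0
r0kh=ff:ff:ff:ff:ff:ff * 000102030405060708090a0b0c0d0e0f
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 000102030405060708090a0b0c0d0e0f
EOF
}

sample_cfg | hostapd_to_uci
```

Keys the function does not recognise are dropped silently, so compare its output against the full option list in the guide before pasting it into the wifi-iface section.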