
How to add an OpenWRT device to UniFi network with 802.11r Fast Transition roaming
#1

This assumes the following scenario:
  • you have an existing UniFi network of one or more APs with Fast roaming enabled
  • you also want to utilize your central router with modern wi-fi support with 802.11ac (e.g. TP-Link Archer C7) and save on buying an extra AP
  • you want to roam between APs with minimal outages
First, in your UniFi controller, open the Devices page, Manage an AP and click Debug to open a Terminal. The next step depends on your firmware. Basically type ps -w|grep hostapd and look at the processes. There are configuration files used for each SSID. Look into them by using cat /etc/aaa1.cfg and copy the configuration to a text file on your computer. Each network configuration is different, while the same SSID on different radios has the same mobility domain and keys.

Now configure your Wi-Fi network in OpenWRT LuCI. At the time of writing this, OpenWRT version was 19.07.7. The resulting configuration should look like this in your /etc/config/wireless file.
Code:
option encryption 'psk2+ccmp'
option ieee80211r '1'
option ssid '<YOUR_SSID>'
option key '<YOUR_KEY>'
option mobility_domain '<YOUR_MOBILITY_DOMAIN>'
option pmk_r1_push '1'
option ft_over_ds '0'
option reassociation_deadline '3000'
option nasid '<YOUR_IAPP_KEY>'
list r0kh '<YOUR_R0KH_WITH_COMMAS_INSTEAD_OF_SPACES>'
list r1kh '<YOUR_R1KH_WITH_COMMAS_INSTEAD_OF_SPACES>'
option skip_inactivity_poll '1'
option wpa_disable_eapol_key_retries '1'
option ft_psk_generate_local '1'
option short_preamble '0'
option ieee80211w '1'

This works OK with this UniFi network configuration:
   

This is verified to work. I learned it the hard way: I configured the channels to the same number on both APs, booted up a live Kali Linux, switched the NIC to monitor mode, selected that channel and captured packets using Wireshark. Should you need to do this debugging as well, look for packets marked as Probe Response and carefully compare that packet from the UniFi AP with the one from OpenWRT, preferably in two windows side-by-side. There will be many different capabilities, but they mostly don't matter, unlike some of them that do matter.

Also, initially I thought it is desirable to have the same authentication capabilities displayed in WiFi Analyzer on my phone. I was mistaken, that Management Frame Protection (ieee80211w) needs to match even though it extends the capabilities with SHA256 strings. It is probably a feature in newer hostapd version present on OpenWRT.

To test that roaming works properly, you can use Ubiquiti WiFiMan from the Google Play store. Naturally the roaming doesn't appear in UniFi Controller Alerts, because that is a UniFi proprietary add-on.

As a side-note, I was genuinely surprised to see UniFi firmware is based on old OpenWRT version 17.x (when it was forked to LEDE).

Sadly, this short guide took a lot of time to make as it didn't want to work until the very end. The main thing that kept me going was the idea, that "It's just an old OpenWRT, it is possible, unless..."

[Image: kavove-zrnka-lajna.jpg]
Coffee phreak!
Reply
#2

Hi, thanks for sharing. Do you still use UniFi and OpenWRT now? I have a problem with UniFi AP AC and OpenWRT 21.02: if I move from the UniFi AP to OpenWRT, roaming works great, but if I move from OpenWRT to UniFi, roaming is not working. I can see that in Wireshark. Of course roaming works perfectly between 2 OpenWRT devices. Could you please try it again? Thanks. Sorry for my English.
Reply
#3

(29.11.2021 11:38)supperchym Wrote:  Hi, thanks for sharing. Do you still use UniFi and OpenWRT now? I have a problem with UniFi AP AC and OpenWRT 21.02: if I move from the UniFi AP to OpenWRT, roaming works great, but if I move from OpenWRT to UniFi, roaming is not working. I can see that in Wireshark. Of course roaming works perfectly between 2 OpenWRT devices. Could you please try it again? Thanks. Sorry for my English.

Hi. Yes, I still use the set-up. My OpenWRT is currently on 21.02.1, my U6-Lite is on 5.60.1 and UAP-AC-Lite are on 5.43.49. I tried to move to places where signal would force the phone to switch and I watched the transitions using WiFiMan. I started on OpenWRT, roamed to UAP-AC-Lite, roamed to U6-Lite, roamed back to the initial OpenWRT. It was successful, all transitions were done using roaming. I haven't tried using more OpenWRTs, but it should not be a problem if wifi configuration among them is identical.

Reply
#4

(30.11.2021 03:05)Ashus Wrote:  Hi. Yes, I still use the set-up. My OpenWRT is currently on 21.02.1, my U6-Lite is on 5.60.1 and UAP-AC-Lite are on 5.43.49. I tried to move to places where signal would force the phone to switch and I watched the transitions using WiFiMan. I started on OpenWRT, roamed to UAP-AC-Lite, roamed to U6-Lite, roamed back to the initial OpenWRT. It was successful, all transitions were done using roaming. I haven't tried using more OpenWRTs, but it should not be a problem if wifi configuration among them is identical.

Can you show me your configs? I have tried many different configurations but it doesn't work. Thanks.
This is my config:
unifi
Code:
interface=ath5
ctrl_interface=/var/run/hostapd
vlan_naming=1
bridge=br0
driver=atheros
nas_identifier=$bssid
mobility_domain=XXXX
rkh_pos_timeout=10000
reassociation_deadline=3000
pmk_r1_push=1
ft_over_ds=0
r0kh=ff:ff:ff:ff:ff:ff * KEY
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 KEY
ssid=SSID
wpa_group_rekey=3600
wpa_group_update_count=4
wpa_gmk_rekey=86400
wpa_passphrase=PASSWORD
wpa=2
eapol_version=2
wpa_pairwise=CCMP
wpa_key_mgmt=WPA-PSK FT-PSK
logger_syslog=-1
logger_syslog_level=2
wlan_id=XXXX
iapp_key=KEY
own_ip_addr=ip
Openwrt:

Code:
config wifi-iface 'wifinet3'
    option device 'radio1'
    option mode 'ap'
    option ssid 'SSID'
    option key 'PASSWORD'
    option encryption 'psk2+ccmp'
    option network 'lan'
    option ieee80211r '1'
    option ft_over_ds '0'
    option mobility_domain 'XXXX'
    option nasid 'MAC openwrt'
    option reassociation_deadline '20000'
    list r1kh '00:00:00:00:00:00,00:00:00:00:00:00,KEY'
    list r0kh 'ff:ff:ff:ff:ff:ff,*,KEY'
    option ft_psk_generate_local '1'
    option pmk_r1_push '1'
I tried changing r0kh and r1kh but it still doesn't work. With ft_psk_generate_local '1' and the same mobility_domain, roaming works great between 2 OpenWRT devices, and roaming only works when I move from UniFi to OpenWRT.
Reply
#5

OpenWRT config:
Code:
config wifi-iface 'wifinet2'
        option device 'radio5'
        option mode 'ap'
        option network 'lan'
        option key 'MyPassphrase'
        option encryption 'psk2+ccmp'
        option skip_inactivity_poll '1'
        option ieee80211r '1'
        option ssid 'MySSID'
        option mobility_domain '2ff5'
        option pmk_r1_push '1'
        option ft_over_ds '0'
        option reassociation_deadline '3000'
        list r0kh 'ff:ff:ff:ff:ff:ff,*,111222333444555666777888999aaabb'
        list r1kh '00:00:00:00:00:00,00:00:00:00:00:00,111222333444555666777888999aaabb'
        option wpa_disable_eapol_key_retries '1'
        option nasid '111222333444555666777888999aaabb'
        option ft_psk_generate_local '1'
        option short_preamble '0'
        option ieee80211w '1'

Unifi UAP-AC-Lite config:
Code:
interface=ath2
ctrl_interface=/var/run/hostapd
vlan_naming=1
bridge=br0
driver=atheros
nas_identifier=$bssid
mobility_domain=2ff5
rkh_pos_timeout=10000
reassociation_deadline=3000
pmk_r1_push=1
ft_over_ds=0
r0kh=ff:ff:ff:ff:ff:ff * 111222333444555666777888999aaabb
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 111222333444555666777888999aaabb
ssid=MySSID
wpa_group_rekey=3600
wpa_group_update_count=4
wpa_gmk_rekey=86400
wpa_passphrase=MyPassphrase
wpa=2
eapol_version=2
ieee80211w=1
wpa_pairwise=CCMP
wpa_key_mgmt=WPA-PSK FT-PSK
logger_syslog=-1
logger_syslog_level=2
wlan_id=2ff5
iapp_key=111222333444555666777888999aaabb
own_ip_addr=192.168.6.3

Reply
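
Added example (not part of any post in this thread, and not UniFi or OpenWRT code): a Python check that translates the FT-related keys of a UniFi hostapd .cfg into the OpenWRT options they imply, following the config pairs posted above, and lists the options that differ while redacting key material. KEY_MAP, the function names and the sample values are constructed for illustration; the check reports differences only and does not say which of them affects roaming.

```python
import re

# Same-named keys on both sides, plus two renamed ones; the iapp_key -> nasid
# pairing follows the template in post #1 of this thread.
KEY_MAP = {k: k for k in ("ssid", "mobility_domain", "ieee80211w", "ft_over_ds",
                          "reassociation_deadline", "pmk_r1_push", "r0kh", "r1kh")}
KEY_MAP.update(wpa_passphrase="key", iapp_key="nasid")
SECRET = {"key", "nasid", "r0kh", "r1kh"}  # values never echoed in a report
UCI_LINE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'(.*)'\s*$")

def expected_from_hostapd(text):
    """OpenWRT options implied by the key=value lines of a UniFi hostapd cfg."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in KEY_MAP:
            if key in ("r0kh", "r1kh"):  # spaces become commas in uci
                value = ",".join(value.split())
            out[KEY_MAP[key]] = value
    return out

def parse_uci(text):
    """Options of one wifi-iface section (a single r0kh/r1kh entry assumed)."""
    return {m.group(1): m.group(2)
            for m in map(UCI_LINE.match, text.splitlines()) if m}

def ft_mismatches(hostapd_text, uci_text):
    """Map option -> (UniFi value, OpenWRT value) for every differing option."""
    want, have = expected_from_hostapd(hostapd_text), parse_uci(uci_text)
    def show(opt, value):
        return "<redacted>" if value is not None and opt in SECRET else value
    return {opt: (show(opt, want.get(opt)), show(opt, have.get(opt)))
            for opt in sorted(set(KEY_MAP.values()))
            if want.get(opt) != have.get(opt)}

# Constructed sample input with placeholder values, in the thread's two formats.
UNIFI_CFG = """mobility_domain=abcd
reassociation_deadline=3000
ieee80211w=1
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
"""
OPENWRT_IFACE = """config wifi-iface 'example'
    option mobility_domain 'abcd'
    option reassociation_deadline '20000'
    list r0kh 'ff:ff:ff:ff:ff:ff,*,00112233445566778899aabbccddeeff'
"""

if __name__ == "__main__":
    print(ft_mismatches(UNIFI_CFG, OPENWRT_IFACE))
```

An option reported with None on one side is absent from that side's file; the check does not assume hostapd defaults.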
#6

It doesn't work; roaming works only when I move from the UniFi AP to the OpenWRT AP. As far as I remember, it works with old firmware versions. I don't know why, but thank you very much.
Reply



