Hi all - just got some AP6-Pro’s and went through setting them up just like the FortAP’s I moved from -
Fast Roaming - I did have this enabled on the FortiAP’s before switching
PMF
BSS Transition
Multi-VLAN
WPA3
Everything connected totally fine to the network expect the Apple TV that kept coming back as “Incorrect Password”. I did also notice my iPhone was having difficulty connecting.
Disabled Fast Roaming and things are working again but we have multiple AP’s so Fast Roaming is somewhat essential for WiFi calling etc.
Any ideas what is up here? AP’s are on the latest firmware (2.2g) also. Thanks!
Yep sure are. I did also forget the network on the affected devices and attempt to re-add it. Nothing I could do would get it connected.
Even the “Share WiFi Network” prompt on the iPhone couldn’t get the Apple TV connected. As soon as Fast Roaming was turned off it connected straight away without any issues.
As a temporary workaround to ensure that WiFi calling is not negatively impacted, create another SSID with Fast Roaming disabled. Use that for your affected devices.
Yep that’s what I’ve done for now. Just more interested to know if this is a current bug (like the Sonos bug last year) or something else is a little iffy with them.
Hey all! Any luck here? Would be good to get this one sorted
I’ve also found the packet loss issue seemed to be with WPA3 and was unrelated to Fast Roaming so disabling this fixed that issue but WPA3 Transition is normally enabled on networks I setup. This isn’t as much of a biggie as it does enable me to use Alta Pass but would be nice to get sorted.
Talking to others who have been using Alta Labs AP’s for quite some time I don’t think I’m alone here with Apple products and either WPA3 or Fast Roaming issues where other products don’t seem to have these issues (Aruba, Cisco, Ubiquiti, Grandstream & Fortinet).
Interesting… we’ve heard the exact opposite from our customers, that WiFi calling works better than it ever has after switching to Alta APs. Keep in mind that you do need to make sure you have all Alta Labs APs if you enable the Fast Roaming feature, as there is no universal protocol to enable this between vendors on the same network. Also, it looks like you are enabling WPA3, and in general we recommend that you default all advanced settings, EXCEPT for fast roaming, which we recommend that you enable if you want seamless roaming. You also need to make sure that all of the APs are on the same management VLAN, and that there is no port isolation enabled between APs (which is the default setting for nearly all switches).
Yeah I don’t doubt it with some situations at all but the main point of the post was things breaking rather badly with it enabled (eg, Apple TV’s oddly enough) then WPA3 causing other problems on top of this.
So regarding this - this is exactly what I had configured. The management VLAN allows traffic to pass too:
But as per the original post it seems Apple devices have difficulties + the Apple TV outright refuses to connect.
Lastly, I’ve been unable to capture the kernel log of the access points (/var/log/messages doesn’t show the event) but I’ve had 2 situations where I’ve had AP’s crash fully going offline in the portal. Only way to bring them back online is to cycle the PoE port on the switch.
Sorry for the troubles, but this is not something we are able to reproduce. If you can scp the /var/log/messages* files off the AP, and DM them, I can take a look at what is going on. If you are having troubles scp’ing, please give more details on how you are attempting to do that.
So if this is related to the Apple TV’s unable to connect to the network with Fast Roaming enabled well, I can reproduce it on a different AP with 3x different generation Apple TV’s (First Generation 4K, 2nd generation 4K and third generation 4K) with a new SSID and the settings in the above screenshot and all come back with “Incorrect Password” indicating a potential handshake issue.
I was also running a tail -f /var/log/messages at the same time but nothing shows up in the log during those attempts. As soon as Fast Roaming is turned off, those Apple TV’s all connect fine. For sanity sake, I’ve tested with other access points by creating a test network with the same settings and those connect totally fine. I’ve only just migrated to Alta AP’s in my case from FortiAP 231G’s.
As per the log, there is a whole lot of noise (for example, lots of too many IP6s) but otherwise I don’t see anything there. I’ll flick it to you.
I can assure you I’ve done a whole lot of testing to come to the conclusion it has to be something a little weird with how the Alta AP’s handle Fast Roaming. Happy to be proven if it is user error…
We are trying to get a release out that adds On/Off/Optional settings for PMF, but have hit some snags so it is taking a little longer than normal. Thank you for your patience. Hopefully these knobs will help in understanding the issue.
I was finally able to reproduce the issue you are seeing, and after looking at the AP logs, the Apple TV connects successfully, performing SAE, and then the 4-way handshake, but then disconnects immediately without sending any Layer-2 traffic (no DHCP, etc.). I also installed the WiFi debug profile on the Apple TV, and there is no indication as to why the connection fails in Apple’s WiFi logs, so we’d likely need to work with Apple to add more debug to understand why they disconnect immediately after successful WiFi authentication.
As a side note, we generally do not recommend enabling WPA3 in production environments, due to all of the compatibility issues that still exist. However, we would like to understand this specific issue better so that it is a viable use case in the near future.
