MLO Beta - not working properly

GiuseppeR

Hello everyone,

I moved from 6x AP Wifi 5 on premise to 6x AP Wifi 7 on Nebula.

I copied the same settings from previous wifi to the new one, I wanted to save time leaving everything working smooth as expected.

Consider this network name as SSID1.

It did not happen.

I started to notice that all IoT went oflline, they were unable to onboard the 2.4 GHz band network.

I created SSID2, the most simple SSID that I could create: only 2.4 GHz without band steering, fast roaming, MLO and so on and everything went online again.

The problem was with SSID1.

I tried to connect to SSID1 also an iPad 5th iPadOS 16.7.10 but I get errors.

The problem was the fact I enabled MLO:

Considering that info panel:

I thought it was compatible with my APs:

But it was not so.

Zyxel_Kay

Hi @GiuseppeR

We've encountered similar issues before where some Wi-Fi 5 or older devices have trouble connecting to MLO-enabled SSIDs. This issue isn't related to WPA3 security but rather the MLO-enabled SSID itself. When the Wi-Fi 7 AP broadcasts the MLO-related information element (IE) in the packet, some older devices, like Wi-Fi 5 clients, may not recognize it properly, leading to connection failures. This could explain why your iPad 5th gen (a Wi-Fi 5 device) is unable to connect, even though it supports WPA3.

To address this, we recommend the following options for users with older Wi-Fi 5 devices:

1. Disable MLO: This will allow older devices to connect to individual SSIDs on each frequency band (2.4GHz, 5GHz, or 6GHz).
2. Create a separate SSID: If you need to keep MLO enabled for other devices, you can set up a dedicated SSID for older devices that operates on a single frequency band.

GiuseppeR

@Zyxel_Kay

in my environments I'm going to use this config that I suggest to everyone:

• SSID with 2.4 GHz only for IoT things (separate VLAN)
• SSID standard with 2.4 - 5 - 6 GHz bands for general purpose
• SSID with MLO enable for lightning fast devices

Separating VLANs in other SSIDs could lead to problems if you stream media online with mixed hardware linked via LAN/WiFi

Zyxel_Kay

Hi @GiuseppeR

When your SSID is set to operate on 2.4GHz/5GHz/6GHz with MLO enabled, the SSID broadcast on the 6GHz band automatically enforces WPA3 security settings, as per specifications. Many IoT devices, which may not support WPA3, are unable to connect to this network. To resolve this, we recommend creating a separate SSID for your IoT devices, configured with security settings they can support (such as WPA2).

For further details, you can refer to this post:

https://community.zyxel.com/en/discussion/25355/why-cant-some-clients-connect-to-ssid-after-enabling-mlo

Regarding the connection issues with your iPad 5th generation (iPadOS 16.7), we’d like to gather more details for troubleshooting. Could you please enable Zyxel Support and provide us with your organization and site name via private message? Additionally, please share the following details:

1. The time frame when the iPad 5th was attempting to connect to SSID1.
2. The MAC address of the iPad 5th.
3. A wireless packet capture while the iPad 5th attempts to connect to SSID1. You can follow this guide to capture wireless packets:
   How to Remote Capture Wireless Packets through an Access Point? — Zyxel Community

GiuseppeR

Hello @Zyxel_Kay

I read about the fact that with MLO option WiFi forced WPA3.

I knew that WPA3 was mandatory for 6 GHz but -as per retrocompatibility standard- not for others WiFi bands so if IoT device sees only 2.4 GHz I expected that it could access network via WPA2. My mistake not considering WPA3 forced for all bands.

Anyway I tried a separate SSID (my SSID2) and I noticed that it worked, so I accepted the solution because I needed that IoT network to be online.

Honestly I expected that MLO will enable advanced multi link operations only if the wireless device was MLO compatible, not forcing the behaviour of the SSID for everything connected.

The other aspect is the behaviour of other Apple devices, like that iPad that I used as a test, and now I have a doubt: these devices were linked to the previous SSID1 with WPA2. Have I to delete the SSID1 network from devices and re-enjoy it with WPA3 password?

As per your infos for MLO forcing WPA3 I think right now that they could not join the SSID1 network because those devices think that SSID1 uses WPA2 while it is working only with WPA3.

Maybe is this the problem?

Have a nice day

Zyxel_Kay

Hi @GiuseppeR

We've encountered similar issues before where some Wi-Fi 5 or older devices have trouble connecting to MLO-enabled SSIDs. This issue isn't related to WPA3 security but rather the MLO-enabled SSID itself. When the Wi-Fi 7 AP broadcasts the MLO-related information element (IE) in the packet, some older devices, like Wi-Fi 5 clients, may not recognize it properly, leading to connection failures. This could explain why your iPad 5th gen (a Wi-Fi 5 device) is unable to connect, even though it supports WPA3.

To address this, we recommend the following options for users with older Wi-Fi 5 devices:

1. Disable MLO: This will allow older devices to connect to individual SSIDs on each frequency band (2.4GHz, 5GHz, or 6GHz).
2. Create a separate SSID: If you need to keep MLO enabled for other devices, you can set up a dedicated SSID for older devices that operates on a single frequency band.

GiuseppeR

@Zyxel_Kay

in my environments I'm going to use this config that I suggest to everyone:

• SSID with 2.4 GHz only for IoT things (separate VLAN)
• SSID standard with 2.4 - 5 - 6 GHz bands for general purpose
• SSID with MLO enable for lightning fast devices

Separating VLANs in other SSIDs could lead to problems if you stream media online with mixed hardware linked via LAN/WiFi