Interworking for Wi-Fi 6
Interworking for Wi-Fi 6
Section titled “Interworking for Wi-Fi 6”Summary
Section titled “Summary”Interworking for Wi-Fi 6 implements IEEE 802.11u and Hotspot 2.0 specifications for MikroTik devices running the wifi package (RouterOS 7.13+). This enables enhanced network discovery and selection for Wi-Fi 6 (802.11ax) access points, allowing client devices to make informed decisions before association.
This document covers the wifi-qcom package configuration for Wi-Fi 6 devices.
Overview
Section titled “Overview”What is Interworking?
Section titled “What is Interworking?”Interworking is the capability that allows network systems to work together. Standard beacons and probe requests contain limited information about the network. The IEEE 802.11u-2011 standard was created to address this limitation by specifying how devices should exchange extended network information.
Key benefits include:
- Enhanced network discovery and selection criteria for client devices
- Support for public, private, and guest network classification
- Information about internet availability and network access requirements
- Emergency services reachability indicators
Hotspot 2.0
Section titled “Hotspot 2.0”Hotspot 2.0 is a Wi-Fi Alliance specification designed to provide a more cellular-like experience when connecting to Wi-Fi networks. It builds upon IEEE 802.11u interworking and adds:
- Mandatory WPA2 authentication for improved security
- Additional ANQP (Access Network Query Protocol) elements
- Operator and venue information advertising
- WAN status reporting for load balancing
Configuration
Section titled “Configuration”Interworking can be configured in two ways:
- As a profile - Create an interworking profile in
/interface/wifi/interworkingand apply it to the interface - Directly on interface - Configure interworking settings directly in the interface settings
Sub-menu: /interface/wifi/interworking
Information Elements in Beacon and Probe Response
Section titled “Information Elements in Beacon and Probe Response”These parameters control information included in beacon and probe response packets:
| Property | Description |
|---|---|
| esr (yes | no; Default: no) | Emergency Services Reachable. Set to yes to indicate emergency services are accessible through this AP. |
| hessid (MAC address) | Homogenous Extended Service Set Identifier. Identifies APs providing access to the same external networks. Should be globally unique - typically use one of the AP MAC addresses. |
| internet (yes | no; Default: yes) | Indicates whether internet access is available through this connection. |
| network-type (see below; Default: wildcard) | Network access type classification |
| uesa (yes | no; Default: no) | Unauthenticated Emergency Service Accessible. Indicates whether unauthenticated emergency services are reachable. |
| venue (venue; Default: unspecified) | Venue where the AP is located. Examples: business-bank, mercantile-shopping-mall, educational-university-or-college |
Network Type Values
Section titled “Network Type Values”- emergency-only: Network dedicated to emergency services only
- personal-device: Network of personal devices (e.g., camera attached to printer)
- private: Network for users with accounts (enterprise/employee use)
- private-with-guest: Private network with guest access available
- public-chargeable: Public network requiring payment (subscription, hotel internet)
- public-free: Free public network (municipal, airport)
- test: Testing/experimental network (not for production)
- wildcard: Client-side wildcard to match all network types
ANQP Elements
Section titled “ANQP Elements”ANQP (Access Network Query Protocol) allows clients to query for detailed network information before association:
| Property | Description |
|---|---|
| 3gpp-raw (hex string) | 3GPP cellular network advertisement (country/network codes). Helps Hotspot 2.0 clients select APs for 3GPP network access. |
| 3gpp-info (mcc/mnc) | Cellular network info in “mcc/mnc” format. Multiple pairs can be comma-separated. |
| authentication-types (url) | Required authentication types when asra=yes. Options: dns-redirection:url, https-redirection:url, online-enrollment:url, terms-and-conditions:url |
| connection-capabilities (protocol:port:state) | IP protocol/port availability information. Format: `protocol:port:closed |
| domain-names (list) | FQDNs of the Hotspot operator. Clients can check for credential suffix matches. |
| ipv4-availability (see below; Default: not-available) | IPv4 address availability type |
| ipv6-availability (available | not-available | unknown; Default: not-available) | IPv6 address availability |
| realms (string:eap-method) | Supported realms and EAP methods. Format: example.com:eap-tls,foo.bar:not-specified |
| realms-raw (hex string) | Manual NAI Realm ANQP element configuration |
| roaming-ois (hex string) | Organization Identifiers for roaming partners. Format: 03E48D8C036C3B6B (length + OI) |
| venue-names (name:lang) | Venue names with language codes. Example: CoffeeShop:eng,TiendaDeCafe:es |
IPv4 Availability Values
Section titled “IPv4 Availability Values”- not-available: No IPv4 available
- public: Public IPv4 address
- port-restricted: Port-restricted IPv4
- single-nated: Single NATed private IPv4
- double-nated: Double NATed private IPv4
- port-restricted-single-nated: Both port-restricted and single NATed
- port-restricted-double-nated: Both port-restricted and double NATed
- unknown: Availability unknown
Hotspot 2.0 ANQP Elements
Section titled “Hotspot 2.0 ANQP Elements”Additional ANQP elements specific to Hotspot 2.0:
| Property | Description |
|---|---|
| hotspot20 (yes | no; Default: yes) | Enable Hotspot 2.0 capability advertisement |
| hotspot20-dgaf (yes | no; Default: yes) | Downstream Group-Addressed Forwarding. no disables multicast/broadcast to clients. Use with multicast-helper=full. |
| operational-classes (list) | Available operational classes for other bands in the same ESS |
| operator-names (name:lang) | Operator names with language codes |
| wan-at-capacity (yes | no; Default: no) | Indicates AP/network at maximum capacity |
| wan-downlink (kbps; Default: 0) | WAN downlink speed in kbps (0 = unknown) |
| wan-downlink-load (0-255; Default: 0) | WAN downlink load (0=unknown, 255=100%) |
| wan-measurement-duration (0-65535; Default: 0) | Load measurement duration in tenths of seconds |
| wan-status (down | reserved | test | up; Default: reserved) | WAN connection status |
| wan-symmetric (yes | no; Default: no) | Whether WAN upload/download speeds are the same |
| wan-uplink (kbps; Default: 0) | WAN uplink speed in kbps (0 = unknown) |
| wan-uplink-load (0-255; Default: 0) | WAN uplink load (0=unknown, 255=100%) |
General Properties
Section titled “General Properties”| Property | Description |
|---|---|
| comment (string) | Short description of the profile |
| name (string) | Name of the Interworking profile |
Configuration Examples
Section titled “Configuration Examples”Basic Hotspot 2.0 Configuration
Section titled “Basic Hotspot 2.0 Configuration”Create a basic Interworking Profile for a public chargeable Hotspot 2.0 network:
/interface wifi interworkingadd name="public-hotspot" \ network-type=public-chargeable \ internet=yes \ venue=business-unspecified \ venue-names="MyHotspot:eng" \ ipv4-availability=public \ ipv6-availability=available \ hotspot20=yes \ wan-status=up \ wan-downlink=50000 \ wan-uplink=10000Enterprise Network with RADIUS
Section titled “Enterprise Network with RADIUS”Configure an Interworking Profile for enterprise authentication with RADIUS:
/interface wifi interworkingadd name="enterprise" \ network-type=private \ internet=yes \ venue=business-corporate-office \ venue-names="Headquarters:eng" \ authentication-types=online-enrollment:"" \ asra=yes \ realms=corp.example.com:eap-tls,corp.example.com:eap-aka \ ipv4-availability=public \ domain-names=corp.example.comComplete Hotspot 2.0 with Operator Information
Section titled “Complete Hotspot 2.0 with Operator Information”Complete configuration with operator details and roaming information:
/interface wifi interworkingadd name="operator-hotspot" \ network-type=public-chargeable \ internet=yes \ hessid=00:11:22:33:44:55 \ venue=mercantile-shopping-mall \ venue-names="CityMall:eng,MallCiudad:es" \ operator-names="BestWiFi:eng,MejorWiFi:es" \ domain-names=bestwifi.example.com \ realms=bestwifi.example.com:eap-tls \ roaming-ois=03E48D8C,03A1B2C3 \ ipv4-availability=public \ ipv6-availability=available \ hotspot20=yes \ hotspot20-dgaf=yes \ wan-status=up \ wan-downlink=100000 \ wan-uplink=20000 \ wan-symmetric=noAssigning Profile to WiFi Interface
Section titled “Assigning Profile to WiFi Interface”Apply the Interworking Profile to a Wi-Fi interface:
/interface wifiset wifi1 \ configuration.country=Latvia \ configuration.mode=ap \ configuration.ssid=MyNetwork \ interworking=public-hotspot \ security=my-security-profile \ disabled=noRadSec Configuration with Orion Wi-Fi
Section titled “RadSec Configuration with Orion Wi-Fi”For managed Wi-Fi services like Orion Wi-Fi using RADIUS over TLS (RadSec):
- Import RadSec certificates:
/certificate import file-name=bw.radsec.cacert.pem passphrase=""/certificate import file-name=cert.pem passphrase=""/certificate import file-name=key.pem passphrase=""- Configure RadSec client:
/radius add address=216.239.32.91 certificate=cert.pem_0 protocol=radsec radsec-timeout=1s500ms service=wireless- Configure interworking profile:
/interface wifi interworkingadd disabled=no \ domain-names=orion.area120.com \ hotspot20=yes \ hotspot20-dgaf=yes \ internet=yes \ ipv4-availability=public \ ipv6-availability=not-available \ name=interworking \ network-type=public-chargeable \ operator-names=Orion:eng \ realms=orion.area120.com:eap-tls \ roaming-ois=f4f5e8f5f4,baa2D00100,baa2d00000 \ venue=business-unspecified \ venue-names=Orion:eng \ wan-downlink=50 \ wan-status=up \ wan-uplink=50- Apply to interface:
/interface wifi set [ find default-name=wifi1 ] \ configuration.country=Latvia \ configuration.mode=ap \ configuration.ssid=Orion \ disabled=no \ interworking=interworking \ security=orion_password_profileRealms Raw Configuration
Section titled “Realms Raw Configuration”For advanced NAI Realm encoding, use realms-raw with hex-encoded values. Each entry contains:
- NAI Realm Encoding (1 byte)
- NAI Realm Length (1 byte)
- NAI Realm (variable)
- EAP Method Count (1 byte)
- EAP Method Tuples (variable)
Example: 00045465737401020d00 decodes to:
- Encoding: 0 (RFC 4282)
- Length: 4
- Realm: “Test”
- EAP Method Count: 1
- EAP Method: TLS, no parameters
This is equivalent to realms=Test:eap-tls.
Troubleshooting
Section titled “Troubleshooting”Check RADIUS Status
Section titled “Check RADIUS Status”Monitor RADIUS communication for authentication issues:
/radius monitor 0Enable debug logging for detailed RADIUS messages:
/system loggingadd topics=radius,debug,packetView logs:
/log printMonitor WiFi Registrations
Section titled “Monitor WiFi Registrations”Check active client connections:
/interface wifi registration-table printCommon Issues
Section titled “Common Issues”- Clients not seeing Hotspot 2.0 network: Ensure
hotspot20=yesand WiFi interface is in AP mode with security profile - RADIUS authentication failing: Verify RADIUS server reachable, correct secret, and service=wireless enabled
- Network type not matching: Clients may filter based on network-type - ensure correct
network-typesetting - No internet connectivity shown: Set
internet=yesand verifyipv4-availability/ipv6-availabilitysettings - WAN speed not showing on clients: Set
wan-downlinkandwan-uplinkto actual speeds in kbps
Related Topics
Section titled “Related Topics”- Wireless Index - Complete wireless documentation
- Wi-Fi Basic Setup - Wi-Fi interface configuration
- Security Profiles - WPA2/WPA3 and 802.1X configuration
- CAPsMAN - Centralized wireless management
- HotSpot - Captive portal configuration