Fast Roaming (802.11r/k/v)

Fast Roaming (802.11r/k/v)

Fast Roaming enables seamless client transitions between access points without authentication re-negotiation, critical for voice, video, and real-time applications.

Overview

RouterOS supports three fast roaming protocols:

Protocol	Name	Purpose
802.11r	Fast BSS Transition	Pre-authentication for fast handoff
802.11k	Radio Resource Measurement	Neighbor reports for informed roaming
802.11v	BSS Transition Management	AP-initiated roaming suggestions

How Roaming Works

Without fast roaming:

1. Client detects signal degradation
2. Client scans for alternative APs
3. Client authenticates with new AP (full 4-way handshake)
4. Client reassociates and obtains IP
5. Result: Noticeable delay, dropped calls, video stalls

With 802.11r:

1. Client performs initial handshake with Mobility Domain
2. APs share security keys via CAPsMAN
3. Client gets “pre-authenticated” for neighboring APs
4. Roaming happens in milliseconds without full re-authentication

Requirements

Critical: Single Controller

All APs must be managed by the same RouterOS instance running CAPsMAN.

For 802.11r to work:

• The mobility domain must be shared between APs
• Key exchange happens between APs via CAPsMAN
• Different controllers cannot share key material

What works:

• Multiple APs managed by single CAPsMAN (all on same RouterOS)
• All APs on same Controller using WifiWave2

What doesn’t work:

• APs on different RouterOS instances
• Mixed CAPsMAN controllers
• Autonomous APs not managed centrally

Security Requirements

• WPA2 only (recommended): WPA3 causes roaming issues on many client devices
• Same authentication: All APs must use identical security profile
• PMF recommended: Protected Management Frames for stability

Package Support

Feature	wifi package (v7.13+)	wireless package (legacy)
802.11r	Yes	Yes (limited)
802.11k	Yes	No
802.11v	Yes	No
CAPsMAN integration	Yes	Yes

The wifi package (WifiWave2) is recommended for RouterOS 7.13+ and supports the full 802.11r/k/v stack.

Configuration

Enable 802.11r (wifi package)

/interface wifi security
add authentication-types=wpa2-psk \
    encryption=ccmp \
    ft=yes \
    ft-over-ds=yes \
    ft-mobility-domain=0x1234 \
    name=fast-roam \
    passphrase=MyPassword

Key properties:

Property	Description	Default
ft	Enable 802.11r Fast BSS Transition	no
ft-over-ds	Enable over-the-DS (recommended)	no
ft-mobility-domain	16-bit identifier (hex)—must match across all APs	0xADC4
ft-nas-identifier	PMK-R0 key holder ID	Interface MAC
ft-r0-key-lifetime	Lifetime of PMK-R0 key	7 days
ft-preserve-vlanid	Preserve client VLAN after roaming	yes

Enable 802.11k/v Steering

/interface wifi configuration
add name=my-config \
    ssid=MyNetwork \
    steering.neighbor-group=my-neighbors \
    steering.rrm=yes \
    steering.wnm=yes \
    steering.transition-threshold=-80 \
    steering.transition-threshold-time=10s \
    steering.transition-request-period=30s \
    steering.transition-request-count=3 \
    steering.transition-time=unlimited

802.11k (RRM) properties:

Property	Description	Default
rrm	Enable 802.11k neighbour reports	yes

802.11v (Steering) properties:

Property	Description	Default
wnm	Enable 802.11v BSS transition requests	yes
neighbor-group	Define static neighbor group	(dynamic)
transition-threshold	RSSI threshold (dBm) for marking candidate	-80
transition-threshold-time	Time below threshold before marking candidate	10s
transition-request-period	Interval between transition requests	30s
transition-request-count	Number of requests to send	3
transition-time	Time before forcing disconnect	unlimited

Full CAPsMAN Configuration

# CAPsMAN Controller
/interface wifi capsman
set enabled=yes interfaces=LANBridge

# Security with 802.11r
/interface wifi security
add authentication-types=wpa2-psk \
    encryption=ccmp \
    ft=yes \
    ft-over-ds=yes \
    ft-mobility-domain=0x1 \
    name=fast-roam \
    passphrase=MyPass123

# Channel configurations
/interface wifi channel
add frequency=2412,2437,2462 name=2G-channels width=20mhz
add frequency=5180,5260,5500 name=5G-channels width=20/40/80mhz skip-dfs-channels=all

# Configuration with 802.11k/v enabled
/interface wifi configuration
add channel=2G-channels country=US datapath.bridge=LANBridge \
    manager=capsman name=2G-config security=fast-roam ssid=MyNetwork-2G \
    steering.rrm=yes steering.wnm=yes
add channel=5G-channels country=US datapath.bridge=LANBridge \
    manager=capsman name=5G-config security=fast-roam ssid=MyNetwork-5G \
    steering.rrm=yes steering.wnm=yes

# Provisioning rules
/interface wifi provisioning
add action=create-enabled master-configuration=2G-config \
    supported-bands=2ghz-n,2ghz-ac,2ghz-ax
add action=create-enabled master-configuration=5G-config \
    supported-bands=5ghz-n,5ghz-ac,5ghz-ax

Legacy wireless package (RouterOS 6.x)

The legacy wireless package has limited 802.11r support:

/interface wireless security-profiles
set default ft=yes ft-mode=ds \
    ft-mobility-domain=1234

Limitations:

• Only 802.11r (no 802.11k/v)
• Only WPA2-PSK or WPA2-EAP
• No support for WPA3

Client Compatibility

Working Well

Device Type	802.11r	802.11k	802.11v
Google Pixel (4A, 6A, 7A)	Good	Good	Good
Linux laptops (ThinkPad)	Excellent	Good	Good
Windows laptops (Intel WiFi)	Good	Good	Varies
iOS devices	Good	Good	Varies

Known Issues

WPA3 Roaming Problems:

Many Android devices have poor roaming support with WPA3:

• Many Android devices (Xiaomi, Samsung, Huawei) don’t roam well with WPA3
• Android 13 particularly problematic
• Some iOS versions require manual reconnection
• Linux generally works fine

Recommendation: Use WPA2-only for reliable roaming:

/interface wifi security
set authentication-types=wpa2-psk
# Remove wpa3-psk

Client Behavior

“fastroaming stuff has very random implementation on clients side”

Client manufacturers implement roaming differently:

• Some devices ignore 802.11v requests entirely
• Roaming thresholds vary by device
• Some devices roam proactively, others wait until signal is very weak

Troubleshooting

Clients Not Roaming

1. Verify 802.11r enabled in security profile
2. Ensure all APs use same mobility domain
3. Check client device supports 802.11r
4. Try WPA2-only if having WPA3 issues
5. Verify overlapping coverage exists
6. Check logs for roaming events

Remove Aggressive Signal Rules

Do not kick off clients with weak signal, remove such wifiwave2 access-list rule if you have one

# Remove any aggressive signal-based rejection
/interface wifi access-list remove [find action=reject]

# Only reject very weak signals (below -90 dBm)
/interface wifi access-list add action=accept signal-range=-90..0

# Or allow all - let client decide
/interface wifi access-list add action=accept signal-range=-120..0

Check Logs

Successful roaming:

<mac>@AP1 roamed to <mac>@AP2, signal strength -66

Without fast roaming:

<mac>@AP1 disconnected, connection lost, signal strength -92
<mac>@AP2 connected, signal strength -75

Enable Debug Logging

/system logging add topics=wifi,debug

Monitor Registration

/interface wifi registration-table print
/interface wifi steering status

RouterOS Version Compatibility

RouterOS	Package	802.11r	802.11k	802.11v
6.x	wireless	Yes (limited)	No	No
7.0-7.12	wifi	Yes	Yes (solicited)	Yes (solicited)
7.13+	wifi	Yes	Yes	Yes
7.21beta2+	wifi	Yes	Yes	Yes (unsolicited)

Best Practices

1. Use single CAPsMAN: Manage all APs from one RouterOS instance
2. WPA2 for roaming: Disable WPA3 until client support improves
3. Same security profile: Ensure identical settings across all APs
4. Remove weak-signal kick: Don’t kick clients with weak signal
5. Overlap coverage: Ensure APs have overlapping coverage areas
6. Enable all three protocols: Use 802.11r/k/v together for best results

Related Documentation

• WiFi Guide - General WiFi configuration
• Security Profiles - Security configuration
• CAPsMAN - Centralized AP management
• WiFi Index - All WiFi documentation