Wi-Fi: Add possibility to control roaming between APs

mattiaswal · mattiaswal · commit a580e3e98308 · 2026-01-13T23:44:30.000+01:00
Useful if you have multiple APs on one SSID.
diff --git a/doc/wifi.md b/doc/wifi.md
@@ -379,6 +379,67 @@ radio settings, and `show interface` to see all active AP interfaces.
 > AP and Station modes cannot be mixed on the same radio. All virtual interfaces
 > on a radio must be the same mode (all APs or all Stations).
 
+## Fast Roaming Between Access Points
+
+Fast roaming enables seamless client handoff between access points through
+802.11k/r/v standards. These features can be enabled individually based on
+your requirements.
+
+### 802.11r - Fast BSS Transition
+
+Enable 802.11r for fast handoff (<50ms) between APs with the same SSID:
+
+```
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211r true
+admin@example:/config/interface/wifi0/> set wifi access-point roaming mobility-domain 4f57
+```
+
+**Requirements:**
+- All APs in roaming group must have **identical** SSID
+- All APs must have **identical** passphrase (same keystore secret)
+- All APs must use the **same mobility-domain** identifier
+
+The mobility-domain defaults to `4f57` if not specified.
+
+### 802.11k - Radio Resource Management
+
+Enable 802.11k for client neighbor discovery and better roaming decisions:
+
+```
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211k true
+```
+
+Enables neighbor reports and beacon reports, allowing clients to discover
+nearby APs before roaming.
+
+### 802.11v - BSS Transition Management
+
+Enable 802.11v for network-assisted roaming:
+
+```
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211v true
+```
+
+Allows APs to suggest better APs to clients, improving roaming decisions.
+
+### Recommended Configuration
+
+For optimal roaming experience, enable all three features:
+
+```
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211k true
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211r true
+admin@example:/config/interface/wifi0/> set wifi access-point roaming enable-80211v true
+admin@example:/config/interface/wifi0/> set wifi access-point roaming mobility-domain 4f57
+```
+
+Repeat for all APs that should participate in the roaming group.
+
+> [!NOTE]
+> Not all client devices support all roaming features. Modern devices typically
+> support 802.11k/r/v, but older devices may only support basic roaming without
+> fast transition.
+
 ### AP as Bridge Port
 
 WiFi AP interfaces can be added to bridges to integrate wireless devices
diff --git a/src/confd/src/hardware.c b/src/confd/src/hardware.c
@@ -313,7 +313,9 @@ static int wifi_find_radio_aps(struct lyd_node *cifs, const char *radio_name,
 static int wifi_gen_bss_section(FILE *hostapd, struct lyd_node *cifs, const char *ifname, struct lyd_node *config)
 {
 	const char *ssid, *hidden, *security_mode, *secret_name, *secret;
-	struct lyd_node *cif, *wifi, *ap, *security, *secret_node;
+	const char *mobility_domain = NULL;
+	struct lyd_node *cif, *wifi, *ap, *security, *secret_node, *roaming;
+	bool enable_80211k, enable_80211r, enable_80211v;
 	char bssid[18];
 
 	/* Find the interface node for this BSS */
@@ -367,28 +369,46 @@ static int wifi_gen_bss_section(FILE *hostapd, struct lyd_node *cifs, const char
 		}
 	}
 
+	/* Check 802.11k/r/v configuration */
+	roaming = lydx_get_child(ap, "roaming");
+	enable_80211k = roaming && lydx_get_bool(roaming, "enable-80211k");
+	enable_80211r = roaming && lydx_get_bool(roaming, "enable-80211r");
+	enable_80211v = roaming && lydx_get_bool(roaming, "enable-80211v");
+
+	if (enable_80211r)
+		mobility_domain = lydx_get_cattr(roaming, "mobility-domain");
+
 	if (!strcmp(security_mode, "open")) {
 		fprintf(hostapd, "# Open network\n");
 		fprintf(hostapd, "auth_algs=1\n");
 	} else if (!strcmp(security_mode, "wpa2-personal")) {
 		fprintf(hostapd, "# WPA2-Personal\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=WPA-PSK\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-PSK WPA-PSK\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=WPA-PSK\n");
 		fprintf(hostapd, "wpa_pairwise=CCMP\n");
 		if (secret)
 			fprintf(hostapd, "wpa_passphrase=%s\n", secret);
 	} else if (!strcmp(security_mode, "wpa3-personal")) {
 		fprintf(hostapd, "# WPA3-Personal\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=SAE\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-SAE SAE\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=SAE\n");
 		fprintf(hostapd, "rsn_pairwise=CCMP\n");
 		if (secret)
 			fprintf(hostapd, "sae_password=%s\n", secret);
 		fprintf(hostapd, "ieee80211w=2\n");
 	} else if (!strcmp(security_mode, "wpa2-wpa3-personal")) {
 		fprintf(hostapd, "# WPA2/WPA3 Mixed\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=WPA-PSK SAE\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-PSK FT-SAE WPA-PSK SAE\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=WPA-PSK SAE\n");
 		fprintf(hostapd, "rsn_pairwise=CCMP\n");
 		if (secret) {
 			fprintf(hostapd, "wpa_passphrase=%s\n", secret);
@@ -397,6 +417,28 @@ static int wifi_gen_bss_section(FILE *hostapd, struct lyd_node *cifs, const char
 		fprintf(hostapd, "ieee80211w=1\n");
 	}
 
+	/* 802.11r: Fast BSS Transition */
+	if (enable_80211r) {
+		fprintf(hostapd, "# Fast BSS Transition (802.11r)\n");
+		fprintf(hostapd, "mobility_domain=%s\n", mobility_domain);
+		fprintf(hostapd, "ft_over_ds=1\n");
+		fprintf(hostapd, "ft_psk_generate_local=1\n");
+		fprintf(hostapd, "nas_identifier=%s.%s\n", ifname, mobility_domain);
+	}
+
+	/* 802.11k: Radio Resource Management */
+	if (enable_80211k) {
+		fprintf(hostapd, "# Radio Resource Management (802.11k)\n");
+		fprintf(hostapd, "rrm_neighbor_report=1\n");
+		fprintf(hostapd, "rrm_beacon_report=1\n");
+	}
+
+	/* 802.11v: BSS Transition Management */
+	if (enable_80211v) {
+		fprintf(hostapd, "# BSS Transition Management (802.11v)\n");
+		fprintf(hostapd, "bss_transition=1\n");
+	}
+
 	return 0;
 }
 
@@ -405,11 +447,13 @@ static int wifi_gen_aps_on_radio(const char *radio_name, struct lyd_node *cifs,
 				  struct lyd_node *radio_node, struct lyd_node *config)
 {
 	const char *ssid, *hidden, *security_mode, *secret_name, *secret;
+	const char *mobility_domain = NULL;
 	struct lyd_node *primary_cif, *cif;
 	struct lyd_node *primary_wifi, *primary_ap;
-	struct lyd_node *security, *secret_node;
+	struct lyd_node *security, *secret_node, *roaming;
 	const char *country, *channel, *band;
 	const char *primary_ifname;
+	bool enable_80211k, enable_80211r, enable_80211v;
 	char hostapd_conf[256];
 	char **ap_list = NULL;
 	FILE *hostapd = NULL;
@@ -472,6 +516,15 @@ static int wifi_gen_aps_on_radio(const char *radio_name, struct lyd_node *cifs,
 		}
 	}
 
+	/* Check 802.11k/r/v configuration */
+	roaming = lydx_get_child(primary_ap, "roaming");
+	enable_80211k = roaming && lydx_get_bool(roaming, "enable-80211k");
+	enable_80211r = roaming && lydx_get_bool(roaming, "enable-80211r");
+	enable_80211v = roaming && lydx_get_bool(roaming, "enable-80211v");
+
+	if (enable_80211r)
+		mobility_domain = lydx_get_cattr(roaming, "mobility-domain");
+
 	snprintf(hostapd_conf, sizeof(hostapd_conf), HOSTAPD_CONF_NEXT, radio_name);
 
 	hostapd = fopen(hostapd_conf, "w");
@@ -572,26 +625,60 @@ static int wifi_gen_aps_on_radio(const char *radio_name, struct lyd_node *cifs,
 	} else if (!strcmp(security_mode, "wpa2-personal")) {
 		fprintf(hostapd, "# WPA2-Personal\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=WPA-PSK\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-PSK WPA-PSK\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=WPA-PSK\n");
 		fprintf(hostapd, "wpa_pairwise=CCMP\n");
 		fprintf(hostapd, "wpa_passphrase=%s\n", secret);
 	} else if (!strcmp(security_mode, "wpa3-personal")) {
 		fprintf(hostapd, "# WPA3-Personal\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=SAE\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-SAE SAE\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=SAE\n");
 		fprintf(hostapd, "rsn_pairwise=CCMP\n");
 		fprintf(hostapd, "sae_password=%s\n", secret);
 		fprintf(hostapd, "ieee80211w=2\n");
 	} else if (!strcmp(security_mode, "wpa2-wpa3-personal")) {
 		fprintf(hostapd, "# WPA2/WPA3 Mixed Mode\n");
 		fprintf(hostapd, "wpa=2\n");
-		fprintf(hostapd, "wpa_key_mgmt=WPA-PSK SAE\n");
+		if (enable_80211r)
+			fprintf(hostapd, "wpa_key_mgmt=FT-PSK FT-SAE WPA-PSK SAE\n");
+		else
+			fprintf(hostapd, "wpa_key_mgmt=WPA-PSK SAE\n");
 		fprintf(hostapd, "rsn_pairwise=CCMP\n");
 		fprintf(hostapd, "wpa_passphrase=%s\n", secret);
 		fprintf(hostapd, "sae_password=%s\n", secret);
 		fprintf(hostapd, "ieee80211w=1\n");
 	}
 
+	/* 802.11r: Fast BSS Transition */
+	if (enable_80211r) {
+		fprintf(hostapd, "\n# Fast BSS Transition (802.11r)\n");
+		fprintf(hostapd, "mobility_domain=%s\n", mobility_domain);
+		fprintf(hostapd, "ft_over_ds=1\n");
+		fprintf(hostapd, "ft_psk_generate_local=1\n");
+		fprintf(hostapd, "nas_identifier=%s.%s\n", primary_ifname, mobility_domain);
+	}
+
+	/* 802.11k: Radio Resource Management */
+	if (enable_80211k) {
+		fprintf(hostapd, "\n# Radio Resource Management (802.11k)\n");
+		fprintf(hostapd, "rrm_neighbor_report=1\n");
+		fprintf(hostapd, "rrm_beacon_report=1\n");
+	}
+
+	/* 802.11v: BSS Transition Management */
+	if (enable_80211v) {
+		fprintf(hostapd, "\n# BSS Transition Management (802.11v)\n");
+		fprintf(hostapd, "bss_transition=1\n");
+	}
+
+	if (enable_80211k || enable_80211r || enable_80211v)
+		fprintf(hostapd, "\n");
+
 	/* Add BSS sections for secondary APs (multi-SSID) */
 	for (i = 1; i < ap_count; i++) {
 		DEBUG("Adding BSS section for secondary AP %s", ap_list[i]);
diff --git a/src/confd/yang/confd/infix-if-wifi.yang b/src/confd/yang/confd/infix-if-wifi.yang
@@ -370,6 +370,59 @@ submodule infix-if-wifi {
               }
             }
 
+            container roaming {
+              description
+                "Fast roaming and seamless handoff configuration.
+
+                 802.11k: Radio Resource Management (neighbor discovery)
+                 802.11r: Fast BSS Transition (fast handoff)
+                 802.11v: BSS Transition Management (network-assisted roaming)";
+
+              leaf enable-80211k {
+                type boolean;
+                description
+                  "Enable 802.11k Radio Resource Management.
+
+                   Allows clients to discover neighboring APs for better
+                   roaming decisions. Enables:
+                   - Neighbor reports
+                   - Beacon reports";
+              }
+
+              leaf enable-80211r {
+                type boolean;
+                description
+                  "Enable 802.11r Fast BSS Transition.
+
+                   Reduces handoff latency from ~1s to <50ms through
+                   pre-authentication. Required for seamless roaming.";
+              }
+
+              leaf enable-80211v {
+                type boolean;
+                description
+                  "Enable 802.11v BSS Transition Management.
+
+                   Allows APs to suggest better APs to clients, improving
+                   network-assisted roaming decisions.";
+              }
+
+              leaf mobility-domain {
+                when "../enable-80211r = 'true'";
+                type string {
+                  pattern '[0-9a-fA-F]{4}';
+                }
+                default "4f57";
+                description
+                  "802.11r Mobility Domain identifier (4 hex digits).
+
+                   All APs that clients should roam between MUST use the
+                   same mobility domain ID.
+
+                   Only applicable when 802.11r is enabled.";
+              }
+            }
+
             /* Operational state */
 
             container stations {
