WIFI: Esp32/Esp8266 - Priorize AP by signal strength, fix WPA2/WPA3 transitioning issues, prevent reconnect if associated.#5188
Open
bkerler wants to merge 7 commits intoprusa3d:masterfrom
Open
Conversation
Tomcus
requested changes
Mar 23, 2026
Contributor
Tomcus
left a comment
Tomcus
left a comment
There was a problem hiding this comment.
Also you need to build the esp fw manually and move to resources. So the code is actually used. And or you can try to integrate it into our build system so it is done automatically.
Tomcus
reviewed
Mar 23, 2026
Contributor
Tomcus
left a comment
Tomcus
left a comment
There was a problem hiding this comment.
LGTM. I will merge it as soon as I have a little time.
Set sae_pwe_h2e = WPA3_SAE_PWE_BOTH so both Hunting-and-Pecking and Hash-to-Element derivation methods are attempted. The previous default (WPA3_SAE_PWE_UNSPECIFIED = 0) caused SAE authentication to fail with Wi-Fi 6 and other access points that require H2E in WPA3/WPA2 transition mode. Also disable CONFIG_ESP32_WIFI_NVS_ENABLED. With NVS enabled the WPA3 PMKSA cache survives reboots, and esp_wifi_restore() does not reliably clear those entries, leading to stale-PMK authentication failures on subsequent boots. WiFi credentials are always pushed from the host MCU so there is no need to persist them in the ESP's NVS. Fixes prusa3d#3864
The ESP8266 RTOS SDK WPA3 implementation (based on IDF v3.4 backports, without H2E support) does not reliably handle WPA3/WPA2 transition mode, causing authentication failures on routers with WPA3 enabled. Disabling CONFIG_ESP8266_WIFI_ENABLE_WPA3_SAE forces WPA2 PSK connections. Transition-mode routers must accept WPA2 PSK by definition, so connectivity is maintained. Fixes prusa3d#3864
bkerler
changed the title
bkerler
changed the title
Author
|
I've merged two other PRs into this one and tested them with two different network setups (one user also confirmed it to finally work on his mikrotik router). |
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR solves issue #5090 by enforcing to select AP by signal, thus preventing to choose AP with same SSID but weaker signal (which is the case for repeated signals).
This PR also solves #3864 :
ESP32: sae_pwe_h2e defaults to WPA3_SAE_PWE_UNSPECIFIED (0), which fails with routers that require the H2E (Hash-to-Element) PWE method especially for Wifi 6 Routers. IDF v5.0 introduced WPA3_SAE_PWE_BOTH = 3 to support both methods. Without it, SAE authentication fails in transition mode. Additionally, CONFIG_ESP32_WIFI_NVS_ENABLED=1 causes WPA3 PMKSA entries to persist in NVS across reboots, and esp_wifi_restore() called at startup may not clear these PMKSA entries, causing stale-PMK authentication failures on subsequent boots.
ESP8266: The ESP8266 RTOS SDK's WPA3 SAE implementation doesn't reliably handle WPA3/WPA2 transition mode (the SDK is based on IDF v3.4 with backported WPA3 patches, without H2E support). The fix is to disable WPA3 SAE for ESP8266 entirely (CONFIG_ESP8266_WIFI_ENABLE_WPA3_SAE=n), which forces WPA2 PSK connections. WPA3/WPA2 transition mode routers must accept WPA2 PSK by definition.
This PR solves #5193 and #5152 by preventing reconnection if a link is associated but idle (on isolated local wifi) due to no inbound traffic.
Tested and confirmed on mikrotik hAP ax S V7.22.1 and ubiquity AP7.