
Cyntil8ing

Occasional Visitor
I recently bought a USB WiFi/BT dongle for a W11 rig as a quick and cheap backup connection. After messing around with it for a couple of days, I found a weird bug wherein it would prefer to connect to my primary router and not any of my APs that have better signal strength.

After some tinkering with different settings, I found out that it would only switch to the better signal AP if I switched my primary router to WPA2 authentication. It's decidedly prioritizing WPA3 to connect to over better signal strength with WPA2 APs.

My questions are, is there a way to prioritize better signal strength over authentication protocol? What determines connection prioritization? I'd really prefer to keep WPA3 when possible within the network.

Relevant Details:
8851BU based USB dongle
W11
RT-AX55 router
RT-AC68U APs

If I mis-posted this in the wrong topic, apologies. Advice on the right place would be appreciated.
Also, if there are other relevant details I missed, just ask.
 
Giving some preference to WPA3 doesn't sound like a bad idea to me. If the client were allowing that preference to make it choose a really bad signal, that wouldn't be great; but you have not offered any evidence about how bad the choice is. What actual signal strength are you seeing from the different APs where the laptop is located? (You need to measure that with a client-side tool like a wifi scanner app; don't trust what the APs think.) What connection speed do you get from each one?

Tools you have available to bend it to your will include adjusting the Tx power of the various APs, or setting up a WPA3-capable SSID for the laptop to connect to. I'm just wondering if you really have a problem to solve.
 
I'd really prefer to keep WPA3 when possible within the network.

This doesn't make much sense because mixed WPA2/WPA3 network is not more secure than WPA2 only. Your APs don't support WPA3 anyway.
 
Giving some preference to WPA3 doesn't sound like a bad idea to me. If the client were allowing that preference to make it choose a really bad signal, that wouldn't be great; but you have not offered any evidence about how bad the choice is. What actual signal strength are you seeing from the different APs where the laptop is located? (You need to measure that with a client-side tool like a wifi scanner app; don't trust what the APs think.) What connection speed do you get from each one?

Tools you have available to bend it to your will include adjusting the Tx power of the various APs, or setting up a WPA3-capable SSID for the laptop to connect to. I'm just wondering if you really have a problem to solve.

Yeah, WPA3 is preferable, but it's a significantly weaker signal that would have sporadic speeds (~10 mbps average with crazy spikes in both latency, ping, and speed) vs closer WPA2 AP (~290 mbps stable). On a side note, the dongle is used for a desktop during the rare cases that my fiber connection goes down and I switch to my mobile data plan.

[Attached image: SNB Signal Strength.png]


Here are the readings of the primary router and the APs. The highlighted ones (blue) below are the ones that I use. The 1st one with the "AX PHY Type" is the primary router, the ones below it are the APs.
There's no Tx power adjustment on the stock AsusWRT as far as I know on the AX55. Not that it matters because the second the WPA3 is activated on the primary router, it's like the dongle is tethered to the primary router so long as the signal is detectable no matter how weak it is or how strong the APs' signals are. The only time everything works-as-intended is when I drop the WPA3 to WPA2.

As for having a problem, I guess I'm just trying to solve for WPA3 as an option because it's more secure and hopefully learn how W11 determines WiFi prioritization. It could also be by design by the Realtek drivers.
 
This doesn't make much sense because mixed WPA2/WPA3 network is not more secure than WPA2 only. Your APs don't support WPA3 anyway.

I did not know this. I was thinking that my use case WPA3 is a "best effort" solution. Meaning, WPA3 when possible but WPA2 for compatibility's sake.
If I understand you properly, do you mean that WPA3 is a moot point because I have WPA2 on and that even when my newer devices are capable of WPA3, it's not more secure in my use case? I was thinking they both could coexist and whatever device connected to WPA3 was more secure.
I am, admittedly, ignorant of this.
 
WPA3 is more secure, but when you have WPA3 only. When you have WPA2 option enabled what’s the problem exploiting the potential WPA2 vulnerabilities?
 
I think your real problem is that all of those wifi signals are awful, with the exception of the last one at -52dBm. Anything worse than about -65dBm is not going to provide a high-quality wifi experience, and I bet your wifi dongle is ranking them all as about equivalent signal-wise. Don't know why it's not choosing the -52 signal, but it looks like you need another AP located closer to where you use this laptop.

As @Tech9 says, mixed WPA2/WPA3 doesn't buy much security-wise. Doesn't help to have a super-duper lock on the front door if the back door is unlocked.
 
WPA3 is more secure, but when you have WPA3 only. When you have WPA2 option enabled what’s the problem exploiting the potential WPA2 vulnerabilities?
Ok, I think I understand what you're saying. The added vulnerability exists simply by having WPA2 on as an option.
Well, that extra bit of information narrows my solutions then. Keep WPA2/WPA3 configuration and just switch to WPA2 when the dongle is needed during outages or keep it on WPA2 full time.
Thanks for the information.
 
Just use WPA2-Personal. It works well and makes the network more compatible without PMF requirements. The vulnerabilities are theoretical and only in close proximity to your Wi-Fi. The cat lady next door is highly unlikely to hack your network and 30m away your 5GHz signal is too weak anyway. If you have no-name IoT devices they are much greater threat and none of them supports anything better than Wi-Fi 4.
 
I think your real problem is that all of those wifi signals are awful, with the exception of the last one at -52dBm. Anything worse than about -65dBm is not going to provide a high-quality wifi experience, and I bet your wifi dongle is ranking them all as about equivalent signal-wise. Don't know why it's not choosing the -52 signal, but it looks like you need another AP located closer to where you use this laptop.

As @Tech9 says, mixed WPA2/WPA3 doesn't buy much security-wise. Doesn't help to have a super-duper lock on the front door if the back door is unlocked.

Yep. The dongle was locked to that weak AX -78dBm signal when WPA3 on the primary router was activated regardless of signal strength.
Ideally, it should switch to the -52dBm AP but it doesn't until I disable WPA3 on the primary router. When the primary router is switched to strictly WPA2, the dongle then switches to the best signal as expected. I'm guessing it's a bug of some sort involving the dongle.

At any rate, @Tech9 's bit of information kinda informs me of my options at this point seeing as a pure WPA3 solution isn't a viable option for me at this point. I'm also hardwired a vast majority of the time. The dongle is a just-in-case bit of gear for those rare occasions that my fiber goes down and I need to switch to mobile data.

Thank you as well for helping me out with this issue.
 
pure WPA3 solution isn't a viable option for me at this point

Most likely you'll never reach this point. You have to get rid of all clients below AX and make sure the new ones support WPA3 only.
 
Most likely you'll never reach this point. You have to get rid of all clients below AX and make sure the new ones support WPA3 only.
Not sure about the "below AX" part. AFAICT everything Apple has made since about 2018 can do WPA3. I have a primary SSID which is WPA3-only, and I'm successfully running all my Apple gear on that, including old iPads (ac generation) and watches (WiFi 4 only). I have to run a separate WPA2 SSID for assorted IoT-grade gear, but I'd just as soon keep that stuff on a less-trusted network anyway. (This is with UniFi APs; not sure if it's possible to replicate this configuration on Asus APs.)
 
Unfortunately, many devices with no Wi-Fi 6 support have no WPA3 support.
 
WPA3 is more secure, but when you have WPA3 only. When you have WPA2 option enabled what’s the problem exploiting the potential WPA2 vulnerabilities?

One of the things with WPA2/3 mixed mode is the prospect of a downgrade attack to WPA2 -- and once there, KRACK can become a problem.

One approach is to run two SSID's - one with WPA3, and the other with WPA2 - WPA3 requires PMF, where in WPA2/3 mixed, PMF is optional...
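
Added example, not part of any post in this thread: a small Python parser for the RSN element an AP advertises in its beacons, which is where the WPA2-versus-WPA3 choice and the PMF required/optional setting discussed above are visible to a client. The sample elements are constructed, and the names `parse_rsn`, `classify` and `SAMPLES` are hypothetical; it assumes the usual layout with cipher and AKM lists present.

```python
import struct

OUI = b"\x00\x0f\xac"                                  # IEEE 802.11 suite OUI
AKM_NAMES = {2: "PSK", 6: "PSK-SHA256", 8: "SAE"}      # PSK = WPA2, SAE = WPA3

# Constructed sample RSN elements (not captured from any real network).
SAMPLES = {
    "wpa2":  bytes.fromhex("30140100000fac040100000fac040100000fac020000"),
    "mixed": bytes.fromhex("30180100000fac040100000fac040200000fac02000fac088000"),
    "wpa3":  bytes.fromhex("30140100000fac040100000fac040100000fac08c000"),
}

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 0x30) as carried in a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def suites() -> list:
        (count,) = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    take(2)      # version
    take(4)      # group cipher suite
    suites()     # pairwise cipher suites
    akms = [AKM_NAMES.get(s[3], f"akm-{s[3]}") for s in suites() if s[:3] == OUI]
    caps = struct.unpack("<H", take(2))[0] if pos < len(body) else 0
    # RSN capabilities: bit 6 = PMF required (MFPR), bit 7 = PMF capable (MFPC)
    pmf = "required" if caps & 0x0040 else "optional" if caps & 0x0080 else "off"
    return {"akms": akms, "pmf": pmf}

def classify(ie: bytes) -> tuple:
    """Return (security mode, PMF state) for one advertised BSS."""
    info = parse_rsn(ie)
    sae = "SAE" in info["akms"]
    psk = any(a.startswith("PSK") for a in info["akms"])
    mode = ("WPA2/WPA3 mixed" if sae and psk else "WPA3 only" if sae
            else "WPA2 only" if psk else "other")
    return mode, info["pmf"]

if __name__ == "__main__":
    for name, ie in SAMPLES.items():
        print(name, classify(ie))
```

A BSS that reports "WPA2/WPA3 mixed" with PMF "optional" is the configuration the post describes as open to a downgrade to WPA2.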
 
I seem to recall that on some of the Realtek drivers there used to be a quirk that meant they would only use the security type they were initially set up with.
W11 Control Panel > Network and Sharing Centre : Connections [connection name] : Wireless Properties : Security
And you can change the security type in there, and it may cause the adapter to connect to a different subset of nodes!
 
I seem to recall that on some of the Realtek drivers there used to be a quirk that meant they would only use the security type they were initially set up with.
W11 Control Panel > Network and Sharing Centre : Connections [connection name] : Wireless Properties : Security
And you can change the security type in there, and it may cause the adapter to connect to a different subset of nodes!

I found the setting you mentioned. Unfortunately, it reverts back to WPA3 automatically on re-connection no matter what choice is made on the pull-down menu.
Good idea though.
 
One of the things with WPA2/3 mixed mode is the prospect of a downgrade attack to WPA2 -- and once there, KRACK can become a problem.

One approach is to run two SSID's - one with WPA3, and the other with WPA2 - WPA3 requires PMF, where in WPA2/3 mixed, PMF is optional...

I'll keep this in mind for future reference. ATM, my APs (AC68u) are only capable of WPA2. Thanks.
 
As sfx200 said. Can set up guest SSID on AX55 with WPA2 or WPA2/3. Have your PC connect only to the guest SSID. Leave the rest on WPA3. Can make guest SSID hidden. Doesn't really make anything more secure though.
 