iPad Pro 11-inch (4th generation) is the first Apple device to feature Wi-Fi 6E. With the significant amount of new 6 GHz spectrum, active scanning for 6 GHz SSIDs is not practical. Other methods are being used instead. Let’s see how iPad Pro actually does it.
If you are an Android user, I’ve also tested Google Pixel 6 and its 6 GHz discovery here.
As of writing, iPadOS 16.1 is the latest version and that’s the one I am using for all tests here.
The access points in this test are Catalyst Wireless CW9162I-ROW APs running IOS-XE 17.9.2.
iPad Pro ignores FILS Discovery frames on 6 GHz
I am using 6 GHz only SSID (which doesn’t broadcast on 2.4 GHz and 5 GHz) and 80 MHz wide channels.
Of course, there are Beacon frames sent by the APs every 100 ms or so, and there are FILS Discovery frames sent by my APs every 20 ms. These FILS frames are automatically enabled on Catalyst Wireless APs in DNA persona only when the only SSID enabled on the AP is a 6 GHz one (and there is no 2.4 GHz or 5 GHz SSID). At this point, we need FILS, because at that point FILS is the only method for 6 GHz capable clients to discover 6 GHz networks.
Think of FILS frames as of condensed beacons. They are nearly 4 times smaller than Beacons.
Unfortunately, the iPad completely ignores the FILS frames, and it has no in-band (6 GHz) method of discovering 6 GHz networks. That results in no visibility of the 6 GHz only SSIDs on the iPad, and we can’t connect.
Airport Utility doesn’t show the 6 GHz only SSID either.
iPad Pro only uses Reduced Neighbour Reports (RNR) for discovery
Let’s keep the 6 GHz only SSID Cisco 6 enabled, and also enable a 5 GHz only SSID called Cisco 5.
If we now do a packet capture on one of the active 5 GHz channels, we will see 5 GHz beacons. These beacons contain Reduced Neighbour Report Information Element, which announces to the client device “there is a 6 GHz AP on channel 5”.
RNR in 5 GHz beacons allows the iPad discover the 6 GHz SSID.
Airport Utility also reports both the 5 GHz only and 6 GHz only SSIDs.
By doing a packet capture on 6 GHz channel number 5, we verify that the AP only sends 6 GHz beacons every 100 ms or so. There are no signs of FILS, which is a good thing. By default, FILS is disabled. It only gets automatically enabled when 6 GHz is the only active band on the AP (with no 2.4 GHz and no 5 GHz SSIDs), because it is then the only method for a 6 GHz capable client to discover a 6 GHz AP.
Apparently, the iPad only leverages Reduced Neighbour Reports for 6 GHz SSID discovery.
Does RNR included in 2.4 GHz beacons allow the iPad to discover the 6 GHz only SSID?
Andrew McHale made me to lab this up. Thank you, Andrew 😉 The short answer is yes.
This time we only enable 2.4 GHz only SSID and 6 GHz only SSID and verify that we can see them on the air using WLAN Pi in Remote Sensor mode to WiFi Explorer Pro macOS app.
Practically instantly after enabling these, the iPad discovers the 6 GHz one using 2.4 GHz RNR.
Here is the RNR Information Element included in 2.4 GHz beacons.
The new iPad Pro with Wi-Fi 6E only relies on Reduced Neighbour Reports (RNR) when it comes to discovery of 6 GHz Wi-Fi 6E networks. It will only discover a 6 GHz SSID, if you also enable the same or different SSID name on 5 GHz (and/or 2.4 GHz if needed).
It ignores FILS sent by the AP on its primary 6 GHz channel.
It also ignores unsolicited probe responses sent by the AP on its primary 6 GHz channel if we enable them explicitly.
It doesn’t actively scan 6 GHz to discover new SSIDs.
I recommend you enable a 5 GHz (or 2.4 GHz) SSID, which will allow the iPad to use RNR Information Element included in the 5 GHz (or 2.4 GHz) beacons. It will help other clients like Google Pixel 6, which I’ve tested here, too.
I am very happy with how well the 6 GHz discovery using 2.4 GHz or 5 GHz beacons works. It definitely is production ready. The test with only one 6 GHz only SSID on the AP is more of a corner case. Most customers I work with, if not all, will also deploy 5 GHz alongside 6 GHz, so there is absolutely nothing to worry about.
Packet capture or it didn’t happen 😉
Download 2.4 GHz an 5 GHz RNR, 6 GHz FILS, and 6 GHz unsolicited probe response packet captures from here.
Download WLAN Pi Profiler report and packet capture of 5 GHz association request, and also 6 GHz association request. We can see client’s capabilities in these frames.