Controllerless Networks

Having an issue where my Honeywell Lyric Thermostat, Model TH6320wf2003, successfully goes through setting up and joining to the wifi24 ssid that is set for 2.4ghz, but after setup when you try to control the thermostat from the app it never synchronizes.  I've got a deebot rumba knock off that works just fine on my 2.4 ghz/5ghz ssid shazzzam, but having issue with this device.

After setup is complete on the phone and checking the thermostat to change it, I never can because it states syncing with thermostat, but never syncs and gives wifi error. if you click the error the app states status is unavailable, "The thermostat appears to be connected to the network."

Looking at the dashboard for the clients, it looks like it never gets an ip address, i've tried setting ssid to Virtual Controller managed and Network assigned and it always results in the same result.

-- 0.0.0.0 00:d0:2d:f2:e7:a2 NOFP wifi24 80:8d:b7:c8:e7:8e 1 GN wifi24 --
0
0
Has anyone help me with this?

Thanks

Dan

Pairing procedure - https://youtu.be/9bQwBZ-pEvE

-----------------------MY CONFIG----------------------
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.09.19 15:00:03 =~=~=~=~=~=~=~=~=~=~=~=
sho run
version 8.6.0.0-8.6.0
virtual-controller-country US
virtual-controller-key REMOVED
name Aruba315
virtual-controller-ip 10.250.250.4
terminal-access
telnet-server
clock timezone Central-Time -06 00
clock summer-time CDT recurring second sunday march 02:00 first sunday november 02:00
rf-band all
split-5ghz-mode enabled

allow-new-aps

allowed-ap removed:c8:e7:8e

arm
wide-bands 5ghz
80mhz-support
g-channels 1
min-tx-power 12
max-tx-power 24
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
client-aware
scanning
client-match

rf dot11g-radio-profile
interference-immunity 1

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

extended-ssid

hash-mgmt-password
hash-mgmt-user REMOVED password hash REMOVED

wlan access-rule default_wired_port_profile
index 0
rule any any match any any any permit

wlan access-rule wired-SetMeUp
index 1
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

wlan access-rule shazzzam
index 2
rule any any match any any any permit

wlan access-rule wifi24
index 3
rule any any match any any any permit

wlan ssid-profile shazzzam
enable
index 0
type employee
essid shazzzam
wpa-passphrase REMOVED
opmode wpa2-psk-aes
max-authentication-failures 0
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
enforce-dhcp
multicast-rate-optimization
dynamic-multicast-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64

wlan ssid-profile wifi24
enable
index 1
type employee
essid wifi24
wpa-passphrase REMOVED
opmode wpa2-psk-aes
max-authentication-failures 0
vlan guest
rf-band 2.4
allowed-5ghz-radio second-dot11a-radio-only
captive-portal disable
dtim-period 1
broadcast-filter arp
enforce-dhcp
multicast-rate-optimization
dynamic-multicast-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
strict-svp
tspec
high-efficiency-disable

auth-survivability cache-time-out 24

wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https

blacklist-time 3600
auth-failure-blacklist-time 3600

ids
wireless-containment none

wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x

wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x

enet0-port-profile default_wired_port_profile

uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180

pppoe-uplink-profile
pppoe-passwd REMOVED

airgroup
enable
multi-swarm
enable-guest-multicast

airgroupservice airplay
enable
description AirPlay

airgroupservice airprint
enable
description AirPrint

airgroupservice itunes
enable

airgroupservice sharing
enable

airgroupservice googlecast
enable

airgroupservice AmazonTV
enable

airgroupservice "DLNA Media"
enable

airgroupservice Sonos
enable
id urn:schemas-upnp-org:service:GroupRenderingControl:1
id urn:schemas-sonos-com:service:Queue:1
id urn:schemas-upnp-org:service:AVTransport:1
id urn:schemas-upnp-org:service:RenderingControl:1
id urn:schemas-tencent-com:service:QPlay:1
id urn:schemas-upnp-org:service:GroupManagement:1
id urn:schemas-upnp-org:service:ZoneGroupTopology:1
id urn:schemas-upnp-org:service:DeviceProperties:1
id urn:schemas-upnp-org:service:MusicServices:1
id urn:schemas-upnp-org:service:AlarmClock:1
id urn:schemas-upnp-org:device:ZonePlayer:1
id urn:schemas-upnp-org:service:SystemProperties:1
id urn:schemas-upnp-org:service:ContentDirectory:1
id urn:schemas-upnp-org:service:ConnectionManager:1
id urn:smartspeaker-audio:service:SpeakerGroup:1
id urn:schemas-upnp-org:service:AudioIn:1
id urn:schemas-upnp-org:device:EmbeddedNetDevice:1
id urn:schemas-upnp-org:service:EmbeddedNetDeviceControl:1
id urn:schemas-upnp-org:service:HTControl:1

airgroupservice Denon
enable
id urn:schemas-denon-com:service:ACT:1
id urn:schemas-denon-com:service:GroupControl:1
id urn:schemas-denon-com:service:ZoneControl:2
id urn:schemas-denon-com:device:AiosServices:1
id urn:schemas-denon-com:device:AiosDevice:1
id urn:schemas-denon-com:device:ACT-Denon:1
id urn:schemas-denon-com:service:ErrorHandler:1

airgroupservice DIAL
enable

airgroupservice Spotify
enable
id _spotify-connect._tcp

airgroupservice Netflix
enable
id urn:mdx-netflix-com:service:target:3

airgroupservice companion-link
enable
id _companion-link._tcp
id _homekit._tcp
id urn:schemas-upnp-org:device:mdxdevice:1
id urn:schemas-upnp-org:device:InternetGatewayDevice:1

airgroupservice remotemgmt
enable

airgroupservice "DLNA Print"
enable

airgroupservice allowall
enable

cluster-security
allow-low-assurance-devices

Leave it on network assigned, for now.

Did you go through the troubleshooting steps here?  https://www.honeywellhome.com/us/en/support/why-is-my-thermostat-wifi-not-working/

So I had looked at the trouble shooting guide. 

 https://www.honeywellhome.com/us/en/support/why-is-my-thermostat-wifi-not-working/#networkpairing

And I thought the encryption I had set was correct, but as a hail mary I tried:

"WPA-Personal (Both TKIP & AES Encryption)" and it worked!

Before I had it set to "WPA2-Personal" which I guess is different from "WPA2 AES PSK • WPA2 MIXED PSK." As shown in step 15 of the troubleshooting guide. I also made the pass 8 characters with only letters and numbers.

15. Make sure your router isn't using any advanced security settings such as after-market firewalls, or connected to any network device, such as a switch or gateway which may have its own security.

Make sure Wi-Fi network is using one of the following security protocols. Other security protocols are not recommended. • OPEN • WEP PSK • WPA TKIP PSK • WPA2 AES PSK • WPA2 MIXED PSK.

Hope this helps anyone else that has an iap and honeywell thermostat.  Sad they don't have another firmware to update the security of it. =/