FT authentication fails on FT-SAE

Mon Sep 27 13:59:37 PDT 2021

Hi,

DHCP does not matter here, as it is provided independently from the way 
wifi authentication works.

With FT, there is for each connected station the AP called "R0" - the 
AP, that the station completed its first FT-SAE handshake with (for the 
current session). The current connected AP is called "R1". After 
connecting first, the current AP is both R0 and R1.

So when connecting to a new AP reusing its existing FT session, that new 
AP also behaves as an R1 AP and contacts the R0 AP. Which of your APs 
becomes R0 or R1 depends on which is the first the STA connects to - so 
both need to be able to act as R0 and R1 and learn of each other in both 
R0 and R1 role.

R0 <-> R1 communication takes place using the MAC addresses configured 
with r0kh/r1kh config setting using a hostapd-specific protocol. With 
ft_psk_generate_local=1, (only) this communication is skipped with 
FT-PSK and the R1 just does the required computations itself to make up 
the results.

In order for the STA to save an RTT of being effectively disconnected 
when roaming, it can complete its handshake with the new R1 by sending 
the packets to its current R1, which the forwards it to the new R1 
(normally over wire). This is called over-DS and is independed from 
R0<->R1 communication. If over-DS is not used (either because the STA 
does not want to or the AP has ft_over_ds=0), this STA <-> new AP 
handshake is done over WiFi (as would any non-FT handshake). This packet 
forwarding does not depend on r0kh/r1kh configuration, as the target MAC 
adress is provided by the STA.

Regards,
M. Braun

Am 26.09.2021 22:41, schrieb Michael Yartys:
> Hi
> 
> I suspected that would be the case.
> 
> So the APs need to communicate for FT-SAE to work, but how does that
> communication take place? In my setup one R7800 acts as the "main"
> router and provides IP addresses through DHCP while the other one is
> connected to it via Ethernet and is simply a dumb AP. Do the APs
> communicate via Ethernet or via WiFi?
> 
> Michael
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> 
> On Sunday, September 26th, 2021 at 22:32, michael-dev
> <michael-dev at fami-braun.de> wrote:
> 
>> Hi,
>> 
>> this is not possible by the way the EAP authentication backing FT-SAE
>> 
>> works.
>> 
>> Regards,
>> 
>> M. Braun
>> 
>> Am 23.09.2021 11:08, schrieb S330錢小偉qianxiaowei:
>> 
>> > Dear Braun,
>> >
>> > Do we have plans to support functions similar to ft_psk_generate_local
>> >
>> > on FT-SAE?
>> >
>> > As we know, before ft_psk_generate_local is not supported, we also
>> >
>> > need to manually configure r0kh and r1kh.
>> >
>> > This is not very friendly for home users who have APs from different
>> >
>> > manufacturers.
>> >
>> > Thanks to the emergence of ft_psk_generate_local, which makes FT-PSK
>> >
>> > very simple Well!
>> >
>> > If FT-SAE can also support such a function, it would be great!!!
>> >
>> > Thanks.
>> >
>> > Best Regards!
>> >
>> > > On Sep 23, 2021, at 4:13 PM, michael-dev michael-dev at fami-braun.de
>> > >
>> > > wrote:
>> > >
>> > > Hi,
>> > >
>> > > you're missing most of the required settings in section IEEE 802.11r
>> > >
>> > > configuration of
>> > >
>> > > https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf .
>> > >
>> > > You don't need r0kh/r1kh only if only using FT-PSK with
>> > >
>> > > ft_psk_generate_local, because otherwise both hostapd instances need
>> > >
>> > > to communicate to faciliate roaming (exchange keys etc.) - which
>> > >
>> > > they cannot unless r0kh/r1kh is configured.
>> > >
>> > > Regards,
>> > >
>> > > M. Braun
>> > >
>> > > Am 13.08.2021 09:34, schrieb Michael Yartys:
>> > >
>> > > > --- LAPTOP 1 ---
>> > > >
>> > > > interface=wlp18s0
>> > > >
>> > > > driver=nl80211
>> > > >
>> > > > ssid=test1
>> > > >
>> > > > hw_mode=g
>> > > >
>> > > > channel=1
>> > > >
>> > > > auth_algs=3
>> > > >
>> > > > wmm_enabled=1
>> > > >
>> > > > nas_identifier=first_example
>> > > >
>> > > > wpa=2
>> > > >
>> > > > wpa_passphrase=testingstuff123
>> > > >
>> > > > wpa_key_mgmt=SAE FT-SAE
>> > > >
>> > > > wpa_pairwise=CCMP
>> > > >
>> > > > ieee80211w=2
>> > > >
>> > > > sae_pwe=2
>> > > >
>> > > > mobility_domain=a1b2
>> > > >
>> > > > ft_over_ds=0
>> > > >
>> > > > ft_psk_generate_local=0
>> > > >
>> > > > --- LAPTOP 2 ---
>> > > >
>> > > > interface=wlp18s0
>> > > >
>> > > > driver=nl80211
>> > > >
>> > > > ssid=test1
>> > > >
>> > > > hw_mode=g
>> > > >
>> > > > channel=6
>> > > >
>> > > > auth_algs=3
>> > > >
>> > > > wmm_enabled=1
>> > > >
>> > > > nas_identifier=second_example
>> > > >
>> > > > wpa=2
>> > > >
>> > > > wpa_passphrase=testingstuff123
>> > > >
>> > > > wpa_key_mgmt=SAE FT-SAE
>> > > >
>> > > > wpa_pairwise=CCMP
>> > > >
>> > > > ieee80211w=2
>> > > >
>> > > > sae_pwe=2
>> > > >
>> > > > mobility_domain=a1b2
>> > > >
>> > > > ft_over_ds=0
>> > > >
>> > > > ft_psk_generate_local=0
>> > >
>> > > Hostap mailing list
>> > >
>> > > Hostap at lists.infradead.org
>> > >
>> > > http://lists.infradead.org/mailman/listinfo/hostap
>> >
>> > This message including any attachment is intended only for the use of
>> >
>> > the addressee(s) and may contain privileged and confidential
>> >
>> > information. If you are not the intended recipient, you are hereby
>> >
>> > notified that any dissemination of this message is strictly
>> >
>> > prohibited. Disclosure, copying, distribution, or use of the contents
>> >
>> > of this e-mail by persons other than the intended recipient may
>> >
>> > violate applicable laws. Abuse or dissemination by the intended
>> >
>> > recipient is also forbidden. Please kindly return the e-mail and
>> >
>> > delete it if you have received this message in error. Thank you.
>> >
>> > 本郵件內容涉及商業或私人秘密，非收件人請勿散佈或使用，收件人亦應遵守保密義務不得散佈或濫用本郵件，否則可能違反相關法令。如因傳遞錯誤，請立即刪除並回覆通知寄件人。感謝您。