[802.11r] Does not work with EAP

Adrian Moran adrian.moran
Mon Nov 24 00:37:31 PST 2014


Hi Jouni,
First of all, thank you for your time. I already have a valid working
setup, so I'll share with you where the problem was.

The issue was not a configuration problem but a connection one. The
interface on which I was trying to run 802.11r was not bridged with the
Ethernet interface, so the APs were not able to exchange the keys (the APs
must be reachable at MAC level). I don't know whether it is possible to make
11r work with a non-bridged interface (??).

The issue with the old devices that didn't connect to an AP which supports FT
is also solved. The solution is to apply both WPA-EAP and FT-EAP in
the "wpa_key_mgmt" configuration parameter. If only FT-EAP is configured,
only devices with 11r support will be able to connect to the AP.

Thank you again for your response Jouni,

Adrián M.


On Sun, Nov 23, 2014 at 8:43 PM, Jouni Malinen <j at w1.fi> wrote:

> On Tue, Nov 11, 2014 at 05:01:43PM +0100, Adrian Moran wrote:
> > The scenario consists of two APs (identical) and a mobile device (iPhone 5
> > with iOS 7). I try to connect the device to AP1 and move it to AP2
> > using FT. I was able to make it run with PSK authentication but not with
> > EAP.
>
> I haven't really tested the iOS implementation of FT much, so don't
> really know what to expect here. Have you been able to test this FT-EAP
> setup with any other device (e.g., a Linux laptop with wpa_supplicant)?
>
> > With these configurations I can see (in Wireshark) how the mobile device
> > sends authentication messages (with "RSN Information", "Mobility Domain"
> > and "Fast Transition" fields) to AP2 when it moves away from AP1,
> > but the mobile device never starts to send traffic through AP2.
>
> Does authentication with AP2 complete? Would you be able to share
> hostapd debug log and/or wireless capture files showing the exchange?
>
> > I have some questions:
> > - What could be the problem with 11r and EAP (described
> > scenario/configuration)?
>
> I'm not aware of any known issues in this area.
>
> > - Is there any dependency of 11r on 11i? That is to say, must some
> > characteristic of 11i be enabled to make 11r run?
>
> I'm not sure I understand what you are asking here. IEEE Std
> 802.11i-2004 defined RSN and IEEE Std 802.11r-2008 extended this by
> adding FT. Both amendments are now part of the IEEE Std 802.11-2012 and
> FT does use RSN, so in that way, yes, RSN is very much enabled when FT
> is used.
>
> > - I have also noticed that old devices are not able to connect to a
> > network working with 11r, is that right? Is there any solution to allow
> > old devices to connect to an SSID which supports 11r?
>
> Could you please provide more details on how the network was configured
> and which old devices you have seen issues with? There have been a number
> of known cases where a deployed device has had issues when an AP is
> enabling new parameters, e.g., when multiple AKMs are advertised in the
> RSN element (e.g., with wpa_key_mgmt=WPA-EAP FT-EAP in case of hostapd).
>
> --
> Jouni Malinen                                            PGP id EFC895FA



-- 
Adrián Morán Montes

*Research & Development Engineer, Fon Labs Workgroup, Getxo - Spain.*
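
The two pitfalls reported in this message (FT-EAP advertised without WPA-EAP, and no bridge for inter-AP key exchange) can be checked in a hostapd.conf before deployment. The following is an added example, not code from the thread or from the hostapd project; the finding codes, sample configurations and the "no `bridge=` line" heuristic are assumptions made for illustration.

```python
# Added example: lint a hostapd.conf for the FT pitfalls discussed in this thread.
FT_TO_BASE = {"FT-EAP": "WPA-EAP", "FT-PSK": "WPA-PSK"}

def parse_conf(text):
    """Parse 'key=value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def lint_ft(text):
    """Return (code, message) findings for a BSS that advertises an FT AKM."""
    conf = parse_conf(text)
    akms = conf.get("wpa_key_mgmt", [""])[-1].split()  # last line wins
    findings = []
    if not any(a in FT_TO_BASE for a in akms):
        return findings  # FT not enabled, nothing to check
    for ft, base in FT_TO_BASE.items():
        if ft in akms and base not in akms:
            findings.append(("FT_ONLY_AKM",
                f"{ft} without {base}: only 11r-capable clients can connect"))
    if len(akms) > 1:
        findings.append(("MULTI_AKM",
            "several AKMs advertised: some deployed clients mishandle this, "
            "test legacy devices"))
    # Heuristic (assumption): no bridge= line means the BSS interface may not
    # share a layer-2 segment with the other APs for the FT key exchange.
    if "bridge" not in conf:
        findings.append(("NO_BRIDGE",
            "no bridge= set: confirm the APs can reach each other at MAC level"))
    return findings

# Constructed sample configurations (not taken from the thread).
BROKEN = """interface=wlan0
ssid=example
wpa=2
wpa_key_mgmt=FT-EAP
mobility_domain=a1b2
"""
FIXED = BROKEN.replace("wpa_key_mgmt=FT-EAP",
                       "wpa_key_mgmt=WPA-EAP FT-EAP") + "bridge=br0\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for code, msg in lint_ft(cfg):
            print(f"{name}: {code}: {msg}")
```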