[802.11r] Does not work with EAP

Adrian Moran adrian.moran at fon.com
Tue Nov 11 11:01:43 EST 2014


Hi,

I have been working on 802.11r (Fast Transitions) for two weeks and I would
like to share with you some doubts.

First of all I will describe the test scenario employed:

         Channel 1               Channel 11
         ---------               ---------
         |  AP1  |   -------->   |  AP2  |
         ---------               ---------
                           |
                        ----
                        |  |
                        |  |
                        ----
                       Device

The scenario consists of two APs (identical) and a mobile device (iPhone 5
with iOS 7). I try to connect the device to AP1 and move it to AP2
using FT. I was able to make it run with PSK authentication but not with
EAP.

The APs' configurations are the following (for the EAP case):

AP1
---
bss=wlan0
ctrl_interface=/var/run/hostapd-phy0
ap_isolate=1
disassoc_low_ack=1
preamble=1
auth_server_addr=OMITTED_PER_SECURITY
auth_server_port=OMITTED_PER_SECURITY
auth_server_shared_secret=OMITTED_PER_SECURITY
disable_pmksa_caching=1
okc=0
acct_server_addr=OMITTED_PER_SECURITY
acct_server_port=OMITTED_PER_SECURITY
acct_server_shared_secret=OMITTED_PER_SECURITY
nas_identifier=ap1.example.com
eapol_key_index_workaround=1
ieee8021x=1
wpa_key_mgmt=FT-EAP
ft_over_ds=0
mobility_domain=a1b2
r0_key_lifetime=10000
r1_key_holder=000102030405
reassociation_deadline=1000
r0kh=BB:BB:BB:BB:BB:BB ap2.example.com 000102030405060708090a0b0c0d0e0f
r1kh=BB:BB:BB:BB:BB:BB 00:01:02:03:04:06 000102030405060708090a0b0c0d0e0f
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=TestSSID
wmm_enabled=1
bssid=aa:aa:aa:aa:aa:aa
ignore_broadcast_ssid=0


AP2
---
bss=wlan0
ctrl_interface=/var/run/hostapd-phy0
ap_isolate=1
disassoc_low_ack=1
preamble=1
auth_server_addr=OMITTED_PER_SECURITY
auth_server_port=OMITTED_PER_SECURITY
auth_server_shared_secret=OMITTED_PER_SECURITY
disable_pmksa_caching=1
okc=0
acct_server_addr=OMITTED_PER_SECURITY
acct_server_port=OMITTED_PER_SECURITY
acct_server_shared_secret=OMITTED_PER_SECURITY
nas_identifier=ap2.example.com
eapol_key_index_workaround=1
ieee8021x=1
wpa_key_mgmt=FT-EAP
ft_over_ds=0
mobility_domain=a1b2
r0_key_lifetime=10000
r1_key_holder=000102030406
reassociation_deadline=1000
r0kh=AA:AA:AA:AA:AA:AA ap1.example.com 000102030405060708090a0b0c0d0e0f
r1kh=AA:AA:AA:AA:AA:AA 00:01:02:03:04:05 000102030405060708090a0b0c0d0e0f
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=TestSSID
wmm_enabled=1
bssid=bb:bb:bb:bb:bb:bb
ignore_broadcast_ssid=0


With these configurations I can see (in Wireshark) how the mobile device
sends authentication messages (with "RSN Information", "Mobility Domain"
and "Fast Transition" fields) to AP2 when it moves away from AP1,
but the mobile device never starts to send traffic through AP2.

I have some questions:
- What could be the problem with 11r and EAP (described
scenario/configuration)?

- Is there any dependency of 11r on 11i? That is to say, must some
characteristic of 11i be enabled to make 11r run?

- I have also noticed that old devices are not able to connect to a network
working with 11r. Is that right? Is there any solution to allow old
devices to connect to an SSID which supports 11r?


Thank you in advance for the support.

-- 
Adrián Morán Montes
*Research & Development Engineer*
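
The cross-references between the two configurations above can be checked mechanically. The following Python sketch is an added example, not part of the original post or of hostapd; it uses the FT-related lines of the two posted configurations and assumes, as in those configurations, that the MAC address in each r0kh/r1kh line is the peer's bssid, with the r0kh identifier matching the peer's nas_identifier and the r1kh identifier matching the peer's r1_key_holder.

```python
# FT-related lines copied from the AP1 and AP2 configurations in the post.
AP1 = """nas_identifier=ap1.example.com
wpa_key_mgmt=FT-EAP
mobility_domain=a1b2
r1_key_holder=000102030405
r0kh=BB:BB:BB:BB:BB:BB ap2.example.com 000102030405060708090a0b0c0d0e0f
r1kh=BB:BB:BB:BB:BB:BB 00:01:02:03:04:06 000102030405060708090a0b0c0d0e0f
bssid=aa:aa:aa:aa:aa:aa"""
AP2 = """nas_identifier=ap2.example.com
wpa_key_mgmt=FT-EAP
mobility_domain=a1b2
r1_key_holder=000102030406
r0kh=AA:AA:AA:AA:AA:AA ap1.example.com 000102030405060708090a0b0c0d0e0f
r1kh=AA:AA:AA:AA:AA:AA 00:01:02:03:04:05 000102030405060708090a0b0c0d0e0f
bssid=bb:bb:bb:bb:bb:bb"""

def parse(conf):
    """hostapd key=value text -> dict; r0kh/r1kh may repeat, so they become lists."""
    cfg = {"r0kh": [], "r1kh": []}
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        if key in ("r0kh", "r1kh"):
            cfg[key].append(value.split())
        else:
            cfg[key] = value
    return cfg

def norm(hexid):
    return hexid.replace(":", "").lower()  # ignore case and colon separators

def check_pair(local, peer):
    """Problems in local's entries for peer; an empty list means they agree."""
    # Assumption: the MAC in each r0kh/r1kh line is the peer's bssid.
    problems = [k + " differs" for k in ("mobility_domain", "wpa_key_mgmt")
                if local.get(k) != peer.get(k)]
    for kind, field in (("r0kh", "nas_identifier"), ("r1kh", "r1_key_holder")):
        hits = [e for e in local[kind]
                if len(e) == 3 and norm(e[0]) == norm(peer.get("bssid", ""))]
        if not hits:
            problems.append(kind + ": no entry for peer bssid")
            continue
        ident = hits[0][1]
        want = peer.get(field, "")
        same = ident == want if kind == "r0kh" else norm(ident) == norm(want)
        if not same:
            problems.append(kind + ": id does not match peer " + field)
    return problems
```

Calling `check_pair(parse(AP1), parse(AP2))` and the reverse direction both return an empty list for the configurations as posted, so the mobility domain and key-holder identifiers reference each other consistently.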