[802.11r] Does not work with EAP

Jouni Malinen j at w1.fi
Sun Nov 23 14:43:41 EST 2014 

On Tue, Nov 11, 2014 at 05:01:43PM +0100, Adrian Moran wrote:
> The scenario consists on two AP (identical) and a mobile device (iPhone 5
> with iOS 7). I try to connect the device to the AP1 and move it to the AP2
> using FT. I was able to make it run with PSK authentication but not with
> EAP.

I haven't really tested the iOS implementation of FT much, so don't
really know what to expect here. Have you been able to test this FT-EAP
setup with any other device (e.g., a Linux laptop with wpa_supplicant)?

> With these configurations I can see (in Wireshark) how the mobile device
> sends authentication messages (with "RSN Information", "Mobility Domain"
> and "Fast Transition" fileds) to the AP2 when it moves away from the AP1
> but the mobile device never starts to send traffic through this AP2.

Does authentication with AP2 complete? Would you be able to share
hostapd debug log and/or wireless capture files showing the exchange?

> I throw some questions:
> - ¿Which could be the problem with 11r and EAP (described
> scenario/configuration)?

I'm not aware of any known issues in this area.

> - ¿There is any dependency of 11r with 11i? That is to say, ¿must be
> enabled some characteristic of 11i to make 11r run?

I'm not sure I understand what you are asking here. IEEE Std
802.11i-2004 defined RSN and IEEE Std 802.11r-2008 extended this by
adding FT. Both amendments are now part of the IEEE Std 802.11-2012 and
FT does use RSN, so in that way, yes, RSN is very much enabled when FT
is used.

> - I have also noticed that old devices are not able to connect to a network
> working with 11r, ¿that is right? ¿Is there any solution to allow old
> devices to connect to a SSID which supports 11r?

Could you please provide more details on how the network was configured
and which old devices you have seen issues with? There have been number
of known cases where a deployed device has had issues when an AP is
enabling new parameters, e.g., when multiple AKMs are advertised in the
RSN element (e.g., with wpa_key_mgmt=WPA-EAP FT-EAP in case of hostapd).

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list