<div dir="ltr">Hi Jouni,<div><div>in first place thank you for your time. I already have a valid working setup, so I share with you where the problem was.</div><div><br></div><div>The issue was not a configuration problem but a connection one. The interface in which I was trying to run 802.11r was not bridged with the ethernet interface so the APs were not able to exchange the keys (the APs must be reachable at MAC level). I don't know whether is possible to make 11r work with a not bridged interface (¿?).</div><div><br></div><div>Regarding to the old devices that didn't connect to an AP which supports FT is also solved. The solution is based on apply both WPA-EAP as FT-EAP in the "wpa_key_mgmt" configuration parameter. If only FT-EAP is configured, only devices with 11r support will be able to connect to the AP.<br></div><div><br></div><div>Thank you again for your response Jouni,</div><div><br></div><div>Adrián M.</div><div><br></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Nov 23, 2014 at 8:43 PM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi" target="_blank">j@w1.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On Tue, Nov 11, 2014 at 05:01:43PM +0100, Adrian Moran wrote:<br>
> The scenario consists on two AP (identical) and a mobile device (iPhone 5<br>
> with iOS 7). I try to connect the device to the AP1 and move it to the AP2<br>
> using FT. I was able to make it run with PSK authentication but not with<br>
> EAP.<br>
<br>
</span>I haven't really tested the iOS implementation of FT much, so don't<br>
really know what to expect here. Have you been able to test this FT-EAP<br>
setup with any other device (e.g., a Linux laptop with wpa_supplicant)?<br>
<span class=""><br>
> With these configurations I can see (in Wireshark) how the mobile device<br>
> sends authentication messages (with "RSN Information", "Mobility Domain"<br>
> and "Fast Transition" fileds) to the AP2 when it moves away from the AP1<br>
> but the mobile device never starts to send traffic through this AP2.<br>
<br>
</span>Does authentication with AP2 complete? Would you be able to share<br>
hostapd debug log and/or wireless capture files showing the exchange?<br>
<span class=""><br>
> I throw some questions:<br>
> - ¿Which could be the problem with 11r and EAP (described<br>
> scenario/configuration)?<br>
<br>
</span>I'm not aware of any known issues in this area.<br>
<span class=""><br>
> - ¿There is any dependency of 11r with 11i? That is to say, ¿must be<br>
> enabled some characteristic of 11i to make 11r run?<br>
<br>
</span>I'm not sure I understand what you are asking here. IEEE Std<br>
802.11i-2004 defined RSN and IEEE Std 802.11r-2008 extended this by<br>
adding FT. Both amendments are now part of the IEEE Std 802.11-2012 and<br>
FT does use RSN, so in that way, yes, RSN is very much enabled when FT<br>
is used.<br>
<span class=""><br>
> - I have also noticed that old devices are not able to connect to a network<br>
> working with 11r, ¿that is right? ¿Is there any solution to allow old<br>
> devices to connect to a SSID which supports 11r?<br>
<br>
</span>Could you please provide more details on how the network was configured<br>
and which old devices you have seen issues with? There have been number<br>
of known cases where a deployed device has had issues when an AP is<br>
enabling new parameters, e.g., when multiple AKMs are advertised in the<br>
RSN element (e.g., with wpa_key_mgmt=WPA-EAP FT-EAP in case of hostapd).<br>
<span class=""><font color="#888888"><br>
--<br>
Jouni Malinen PGP id EFC895FA<br>
</font></span><div class=""><div class="h5">_______________________________________________<br>
HostAP mailing list<br>
<a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><font color="#999999">Adrián Morán Montes<br><i>Research & Development Engineer<br>Fon Labs Workgroup, Getxo - Spain.</i></font><br></div></div>
</div></div></div></div>