Hi,

I was successful after creating the bridge interface and enabling bridge in hostapd (+ the ft_over_ds=1) setting. Many thanks for help.
I am including successful config for the guys trying this in the future:

-------------------------------------------------------------------------------
#MAC Addresses used
#wlan0 ether 30:b5:c2:15:73:1c txqueuelen 1000 (Ethernet)
#wlan1 ether 30:b5:c2:15:da:b2 txqueuelen 1000 (Ethernet)
#wlan2 ether 30:b5:c2:18:b3:34 txqueuelen 1000 (Ethernet)
#-----------------------------------------------------------------------------
AP-A

interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=CA.crt
server_cert=CA.crt
private_key=CA.key
ieee8021x=1
wpa=2
#wpa_passphrase=password123
#changes for 802.11r:
#only FT-clients:
wpa_key_mgmt=FT-EAP
#push R1 key to other APs:
pmk_r1_push=1
#list of keyholders, AES-128 keys:
r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r0kh=30:b5:c2:18:a6:56 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:18:a6:56 30:b5:c2:18:a6:56 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
#NAS ID:
nas_identifier=ap1.example.com
#mobility domain:
mobility_domain=a1b2
#interface to send/receive packets
r0_key_lifetime=10000
ft_over_ds=1
r1_key_holder=30b5c218a656
ft_psk_generate_local=0
bridge=br0
#reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
reassociation_deadline=1000
wpa_pairwise=CCMP
wpa_group_rekey=3600
rsn_pairwise=CCMP
rsn_preauth=0
ctrl_interface_group=0
macaddr_acl=0
ssid=802.11R_AP
country_code=IE
ieee80211n=1
ieee80211d=1
hw_mode=g
channel=7
-------------------------------------------------
AP-B

interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=peap-alpha/CA.crt
server_cert=CA.crt
private_key=CA.key
ieee8021x=1
wpa=2
#wpa_passphrase=password123
#changes for 802.11r:
#only FT-clients:
wpa_key_mgmt=FT-EAP
#push R1 key to other APs:
pmk_r1_push=1
#list of keyholders, AES-128 keys:
r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r0kh=30:b5:c2:18:a6:56 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:18:a6:56 30:b5:c2:18:a6:56 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
#NAS ID:
nas_identifier=ap2.example.com
#mobility domain:
mobility_domain=a1b2
#interface to send/receive packets
r0_key_lifetime=10000
ft_over_ds=1
r1_key_holder=30b5c215731c
ft_psk_generate_local=0
bridge=br0
#reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
reassociation_deadline=1000
wpa_pairwise=CCMP
wpa_group_rekey=3600
rsn_pairwise=CCMP
rsn_preauth=0
ctrl_interface_group=0
macaddr_acl=0
ssid=802.11R_AP
country_code=IE
ieee80211n=1
ieee80211d=1
hw_mode=g
channel=7

Regards,
Wojciech Żyszczyński

2017-03-18 2:12 GMT+00:00 Wojciech Żyszczyński <zyszczynski@xxxxxxxxx>:
> Hi,
>
> Thanks for helping me out.
>
> As I can imagine that bridge between wlan0 interface and eth0
> interface could help for the ft_over_ds=1 setting (keys exchanged over
> ethernet),
> I have trouble seeing why hostapd requires a bridge for the
> ft_over_ds=0, I just hoped that that key exchange could happen over
> the air, between wlan0 of AP-1 and wlan0 of AP-2.
>
> I will try creating wlan0--eth0 bridges on both APs and use
> ft_over_ds=1 setting.
>
> Best Regards,
> Wojciech Żyszczyński
>
>
> 2017-03-17 13:51 GMT+00:00 Wojciech Dubowik <wojciech.dubowik@xxxxxxxxxxx>:
>> Hello,
>>
>> I don't see bridge setting. I guess you need to setup bridge over Ethernet
>> and wlan
>>
>> to get frames to other AP. Just pass bridge=<your br> to your configs.
>>
>>
>> Wojtek
>>
>>
>>
>> On 15/03/17 16:14, Wojciech Żyszczyński wrote:
>>>
>>> Hi,
>>>
>>> I am trying to configure Fast Transition between 2 AccessPoints.
>>> I was able to get working config for FT-PSK with local key generation
>>> (ft_psk_generate_local=1)
>>>
>>> However, for FT-EAP it's not an option. So I set following configuration:
>>>
>>>
>>> AP-1
>>>
>>> #MAC Addresses used
>>> #wlan0 ether 30:b5:c2:15:73:1c txqueuelen 1000 (Ethernet)
>>> #wlan1 ether 30:b5:c2:15:da:b2 txqueuelen 1000 (Ethernet)
>>> #wlan2 ether 30:b5:c2:18:b3:34 txqueuelen 1000 (Ethernet)
>>>
>>> #-----------------------------------------------------------------------------
>>> interface=wlan0
>>> logger_syslog=-1
>>> logger_syslog_level=2
>>> logger_stdout=-1
>>> logger_stdout_level=2
>>> ctrl_interface=/var/run/hostapd
>>>
>>> eapol_key_index_workaround=0
>>> eap_server=1
>>> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
>>> ca_cert=/opt/eap/peap-alpha/CA.crt
>>> server_cert=/opt/eap/peap-alpha/CA.crt
>>> private_key=/opt/eap/peap-alpha/CA.key
>>> ieee8021x=1
>>> wpa=2
>>> #changes for 802.11r:
>>> #only FT-clients:
>>> wpa_key_mgmt=FT-EAP
>>> #push R1 key to other APs:
>>> pmk_r1_push=1
>>>
>>> #list of keyholders, AES-128 keys: openet1, openet2:
>>> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
>>> #NAS ID:
>>> nas_identifier=ap1.example.com
>>> #mobility domain:
>>> mobility_domain=a1b2
>>> #interface to send/receive packets
>>> r0_key_lifetime=10000
>>> ft_over_ds=0
>>> r1_key_holder=30b5c215731c
>>> ft_psk_generate_local=1
>>>
>>> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
>>> reassociation_deadline=1000
>>> wpa_pairwise=CCMP
>>> wpa_group_rekey=3600
>>> rsn_pairwise=CCMP
>>> rsn_preauth=0
>>> ctrl_interface_group=0
>>> macaddr_acl=0
>>>
>>> ssid=802.11R_AP
>>> country_code=IE
>>> ieee80211n=1
>>> ieee80211d=1
>>> hw_mode=g
>>> channel=7
>>>
>>>
>>> AP-2
>>>
>>> #MAC Addresses used
>>> #wlan0 ether 30:b5:c2:15:73:1c txqueuelen 1000 (Ethernet)
>>> #wlan1 ether 30:b5:c2:15:da:b2 txqueuelen 1000 (Ethernet)
>>> #wlan2 ether 30:b5:c2:18:b3:34 txqueuelen 1000 (Ethernet)
>>>
>>> #-----------------------------------------------------------------------------
>>> interface=wlan0
>>> logger_syslog=-1
>>> logger_syslog_level=2
>>> logger_stdout=-1
>>> logger_stdout_level=2
>>> ctrl_interface=/var/run/hostapd
>>>
>>> eapol_key_index_workaround=0
>>> eap_server=1
>>> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
>>> ca_cert=/opt/eap/peap-alpha/CA.crt
>>> server_cert=/opt/eap/peap-alpha/CA.crt
>>> private_key=/opt/peap-alpha/CA.key
>>> ieee8021x=1
>>> wpa=2
>>> #changes for 802.11r:
>>> #only FT-clients:
>>> wpa_key_mgmt=FT-EAP
>>> #push R1 key to other APs:
>>> pmk_r1_push=1
>>>
>>> #list of keyholders, AES-128 keys: openet1, openet2:
>>> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
>>>
>>> #NAS ID:
>>> nas_identifier=ap2.example.com
>>> #mobility domain:
>>> mobility_domain=a1b2
>>> #interface to send/receive packets
>>> r0_key_lifetime=10000
>>> ft_over_ds=0
>>> r1_key_holder=30b5c215dab2
>>> ft_psk_generate_local=1
>>>
>>> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
>>> reassociation_deadline=1000
>>> wpa_pairwise=CCMP
>>> wpa_group_rekey=3600
>>> rsn_pairwise=CCMP
>>> rsn_preauth=0
>>> ctrl_interface_group=0
>>> macaddr_acl=0
>>>
>>> ssid=802.11R_AP
>>> country_code=IE
>>> ieee80211n=1
>>> ieee80211d=1
>>> hw_mode=g
>>> channel=7
>>>
>>> Unfortunately when trying to
>>> execute fast transition, I have following
>>> issue (AP2 hostapd log):
>>>
>>> FT: STA R0KH-ID - hexdump(len=15): 61 70 31 2e 65 78 61 6d 70 6c 65 2e 63
>>> 6f 6d
>>> FT: Requested PMKR0Name - hexdump(len=16): 47 ad 87 45 3b ed d3 6d 36
>>> 0b 12 6c 40 78 10 e3
>>> FT: Derived requested PMKR1Name - hexdump(len=16): 8f ee a9 44 89 6f
>>> ec 3e 8b 60 5f 9d fc 6e b7 8b
>>> FT: Send PMK-R1 pull request to remote R0KH address 30:b5:c2:15:73:1c
>>> FT: RRB send to 30:b5:c2:15:73:1c
>>> FT: Callback postponed until response is available res=-1
>>> FT: Received authentication frame: STA=60:a3:7d:8c:6d:38
>>> BSSID=30:b5:c2:18:a6:56 transaction=1
>>> FT: Received authentication frame IEs - hexdump(len=167): 30 26 01 00
>>> 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 03 0c 00 01 00 47 ad 87
>>> 45 3b ed d3 6d 36 0b 12 6c 40 78 10 e3 36 03 a1 b2 00 37 63 00 00 00
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> 00 19 9b 8c db 66 d8 9b 63 24 e6 d8 cd 9c c9 e6 4b cd a5 36 95 4b 50
>>> 2d 43 6a 1d 50 e8 bc 5e e2 f4 03 0f 61 70 31 2e 65 78 61 6d 70 6c 65
>>> 2e 63 6f 6d 7f 08 04 00 00 00 00 00 00 40 dd 09 00 10 18 02 01 00 10
>>> 00 00
>>>
>>> So I see there is a pull request sent to AP-1. This request shall be
>>> made over air, as ft_over_ds=0. Unfortunately I can't even see such a
>>> request in wireshark... and there is no reply either...
>>> The phone connects to AP-2 with full authentication, so FT failed.
>>>
>>> Any advice? Does exchange of keys works over air or I need to setup it
>>> over DS?
>>> If setting it up over DS, do I need to have some special vlan
>>> configuration? Both APs are connected by Ethernet and a single switch.
>>>
>>> Best Regards
>>> Wojciech Zyszczynski
>>>
>>> _______________________________________________
>>> Hostap mailing list
>>> Hostap@xxxxxxxxxxxxxxxxxxx
>>> http://lists.infradead.org/mailman/listinfo/hostap
>>
>>
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
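
The failure in this thread was a PMK-R1 pull request that never got an answer. The following is an added example, not part of the original posts and not hostapd code: a pre-deployment check that reads two hostapd configs and lists the settings that would stop one AP pulling a PMK-R1 from the other, following the r0kh/r1kh semantics documented in hostapd.conf. The sample configs, MAC addresses and key are constructed placeholders; the 32-hex-digit key check assumes the 128-bit key format used in this thread.

```python
import re

# Constructed sample configs: placeholder MACs, IDs and key, not the poster's files.
KEY = "00112233445566778899aabbccddeeff"
AP1 = f"""bridge=br0
nas_identifier=ap1.example.com
mobility_domain=a1b2
r1_key_holder=020000000001
r0kh=02:00:00:00:00:02 ap2.example.com {KEY}
r1kh=02:00:00:00:00:02 02:00:00:00:00:02 {KEY}
"""
# AP2 has two constructed faults: no bridge= line, and a different r1kh key for AP1.
AP2 = f"""nas_identifier=ap2.example.com
mobility_domain=a1b2
r1_key_holder=020000000002
r0kh=02:00:00:00:00:01 ap1.example.com {KEY}
r1kh=02:00:00:00:00:01 02:00:00:00:00:01 {KEY[::-1]}
"""

def parse(text):
    """Parse hostapd key=value lines; r0kh/r1kh may repeat, so they accumulate."""
    cfg = {"r0kh": [], "r1kh": []}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if key in ("r0kh", "r1kh"):
                cfg[key].append(value.split())
            else:
                cfg[key] = value
    return cfg

def check_pull(r1, r0):
    """List config faults that stop AP r1 pulling a PMK-R1 from AP r0."""
    out = []
    if r1.get("mobility_domain") != r0.get("mobility_domain"):
        out.append("mobility_domain differs")
    # In this thread the pull only worked once both APs had bridge= set.
    out += [f"{n}: no bridge= set" for n, c in (("r1", r1), ("r0", r0)) if "bridge" not in c]
    # r1 finds the peer by R0KH-ID, which is the peer's nas_identifier.
    ask = [e for e in r1["r0kh"] if len(e) == 3 and e[1] == r0.get("nas_identifier")]
    # r0 authorises the requester by R1KH-ID, which is the requester's r1_key_holder.
    me = r1.get("r1_key_holder", "").lower()
    auth = [e for e in r0["r1kh"] if len(e) == 3 and e[1].replace(":", "").lower() == me]
    if not ask:
        out.append("r1: no r0kh entry for peer nas_identifier")
    if not auth:
        out.append("r0: no r1kh entry for requester r1_key_holder")
    for e in ask + auth:  # assumption: 128-bit hex keys, the format used in this thread
        if not re.fullmatch(r"[0-9a-fA-F]{32}", e[2]):
            out.append(f"bad key for {e[1]}: expected 32 hex digits")
    if ask and auth and ask[0][2].lower() != auth[0][2].lower():
        out.append("key mismatch between r1's r0kh entry and r0's r1kh entry")
    return out
```

Run check_pull in both directions for every AP pair, since each AP acts as R0KH for stations that first associated with it and as R1KH for stations roaming in.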