This is something that IEEE 802.11r/D5.0 is doing. R0KH-ID is set to the identity of the NAS Client (e.g., NAS-Identifier if RADIUS is used as the backend protocol) and this identifier is sent to the peer during association (before EAP authentication). In addition, both the R0KH-ID (NAS-Identifier) and R1KH-ID (authenticator MAC address) are mixed into the key derivation after the EAP authentication.
I would also add that IEEE 802.11r binds the R1KH-ID and the AP BSSID/MAC address during the post-EAP handshake. IEEE 802.11r also advertises the set of authenticators within which fast handoff is possible via the Mobility Domain IE. Currently there is no equivalent AAA attribute to carry that, but once there is (it has been discussed in RADEXT WG), it will also be possible to verify this parameter within EAP Channel Bindings.
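The key-holder binding discussed in this thread, as an added example that is not part of the original messages: a Python sketch showing that a different R0KH-ID or R1KH-ID yields a different PMK-R0 or PMK-R1. It assumes the label and context layout of the published IEEE 802.11r-2008 key hierarchy, which may differ from draft D5.0; the function names, keys, SSID and identifiers are constructed for illustration.

```python
import hashlib
import hmac
import struct

def kdf(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """Counter-mode HMAC-SHA256 KDF; each block covers i || label || context || length."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    # R0KH-ID (the NAS-Identifier) is part of the KDF context (assumed layout).
    ctx = (bytes([len(ssid)]) + ssid + mdid +
           bytes([len(r0kh_id)]) + r0kh_id + s0kh_id)
    return kdf(xxkey, b"FT-R0", ctx, 384)[:32]  # first 256 bits are PMK-R0

def derive_pmk_r1(pmk_r0, r1kh_id, s1kh_id):
    # R1KH-ID (authenticator MAC address) is part of the KDF context.
    return kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)

# Constructed sample values, not taken from any real network.
XXKEY = bytes(range(32))               # stands in for the EAP-derived key
SSID = b"example-ssid"
MDID = bytes.fromhex("a1b2")           # mobility domain identifier
STA = bytes.fromhex("020000000001")    # supplicant MAC (S0KH-ID / S1KH-ID)
AP1 = bytes.fromhex("020000000a01")    # R1KH-ID of first authenticator
AP2 = bytes.fromhex("020000000a02")    # R1KH-ID of second authenticator

def demo():
    r0_a = derive_pmk_r0(XXKEY, SSID, MDID, b"nas-a.example", STA)
    r0_b = derive_pmk_r0(XXKEY, SSID, MDID, b"nas-b.example", STA)
    r1_ap1 = derive_pmk_r1(r0_a, AP1, STA)
    r1_ap2 = derive_pmk_r1(r0_a, AP2, STA)
    return r0_a, r0_b, r1_ap1, r1_ap2

if __name__ == "__main__":
    labels = ("PMK-R0 nas-a", "PMK-R0 nas-b", "PMK-R1 ap1", "PMK-R1 ap2")
    for name, key in zip(labels, demo()):
        print(f"{name}: {key.hex()}")
```

A peer that was told one R0KH-ID at association while the AAA server believes it is talking to another NAS ends up with a PMK-R0 that does not match, so the post-EAP handshake fails rather than silently accepting the mismatch.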