NetworkManager does not support Fast BSS Transition (FT, IEEE 802.11r-2008) enabled networks (KeyMgmt wpa-ft-psk or wpa-ft-eap) (#4) · Issues · NetworkManager / NetworkManager

NetworkManager does not support Fast BSS Transition (FT, IEEE 802.11r-2008) enabled networks (KeyMgmt wpa-ft-psk or wpa-ft-eap)

Connecting to a Enterprise network that has Fast Transition (FT) fails when using NetworkManager.
This was tested on a PEAP & MSCHAPv2 NW.

The NetworkManager log gives "Activation: failed for connection 'ssid'" and wpa_supplicant log gives "FT: Invalid key management type (1)".
1 is in this case WPA_KEY_MGMT_IEEE8021X, however the active network needs WPA_KEY_MGMT_FT_IEEE8021X for wpa_supplicant to connect.

Adding wpa-ft-eap to the key_mgmt_conf passed to wpa_supplicant fixes this issue and I am able to connect successfully (see patch).

--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -773,19 +773,21 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
                switch (fils) {
                case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
                        key_mgmt_conf = priv->support_pmf
-                               ? "wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
-                               : "wpa-eap fils-sha256 fils-sha384";
+                               ? "wpa-ft-eap wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
+                               : "wpa-ft-eap wpa-eap fils-sha256 fils-sha384";
                        break;
                case NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED:
                        key_mgmt_conf = "fils-sha256 fils-sha384";
                        break;
                default:
                        if (priv->support_pmf)
-                               key_mgmt_conf = "wpa-eap wpa-eap-sha256";
+                               key_mgmt_conf = "wpa-ft-eap wpa-eap wpa-eap-sha256";
                        break;
                }
        }

A proper fix would be nice (that also adds wpa-ft-psk support), possibly with a new setting, though I don't know if that adds any value (why should the user need to specify of even care if FT is present in the nw).

I also tested with the iwd backend, but that also failed to connect, however I did not do any further troubleshooting on what might be the cause for that (if FT is even supported by iwd, if NetworkManager has the same issue with that backend, or if I had something miss-configured).

Connecting to a Enterprise network that has Fast Transition (FT) fails when using NetworkManager.   
_This was tested on a `PEAP & MSCHAPv2` NW._

The NetworkManager log gives _"Activation: failed for connection 'ssid'"_ and wpa_supplicant log gives _"FT: Invalid key management type (1)"_.   
`1` is in this case `WPA_KEY_MGMT_IEEE8021X`, however the active network needs `WPA_KEY_MGMT_FT_IEEE8021X` for wpa_supplicant to connect.

Adding `wpa-ft-eap` to the `key_mgmt_conf` passed to _wpa_supplicant_ fixes this issue and I am able to connect successfully (see patch).

```
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -773,19 +773,21 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
                switch (fils) {
                case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
                        key_mgmt_conf = priv->support_pmf
-                               ? "wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
-                               : "wpa-eap fils-sha256 fils-sha384";
+                               ? "wpa-ft-eap wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
+                               : "wpa-ft-eap wpa-eap fils-sha256 fils-sha384";
                        break;
                case NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED:
                        key_mgmt_conf = "fils-sha256 fils-sha384";
                        break;
                default:
                        if (priv->support_pmf)
-                               key_mgmt_conf = "wpa-eap wpa-eap-sha256";
+                               key_mgmt_conf = "wpa-ft-eap wpa-eap wpa-eap-sha256";
                        break;
                }
        }
```
A proper fix would be nice (that also adds `wpa-ft-psk` support), possibly with a new setting, though I don't know if that adds any value (why should the user need to specify of even care if FT is present in the nw).

I also tested with the `iwd` backend, but that also failed to connect, however I did not do any further troubleshooting on what might be the cause for that (if FT is even supported by `iwd`, if NetworkManager has the same issue with that backend, or if I had something miss-configured).

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.