Dynamic VLAN and 802.11w - iPhones can't connect

Hey,

I just enabled 802.11w management frame protection on my WPA2-Enterprise wifi with dynamic VLAN assignment, on my TL-841N v10 running OpenWrt 18.06.1 r7258-5eb055306f.
After I enabled it, iPhones and iPads were not able to connect; they just say "Unable to join network" (tested on iPhone 6 and 7, iOS 12.1).
My syslog output:

Nov 17 18:51:26 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 18:51:26 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: No WPA/RSN IE in association request
Nov 17 18:51:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 18:51:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: No WPA/RSN IE in association request
Nov 17 18:51:34 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 18:51:34 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: No WPA/RSN IE in association request
Nov 17 18:51:42 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 18:51:42 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: No WPA/RSN IE in association request
Nov 17 18:51:51 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 18:51:51 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: No WPA/RSN IE in association request

802.11w on PSK works without any problems, and so does EAP with dynamic VLAN without 802.11w:

Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: authenticated
Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.11: associated (aid 1)
Nov 17 23:45:29 AP1 hostapd: wlan0-0: CTRL-EVENT-EAP-STARTED d8:bb:2c:xx:xx:xx
Nov 17 23:45:29 AP1 hostapd: wlan0-0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx RADIUS: VLAN ID 2341
Nov 17 23:45:29 AP1 hostapd: wlan0-0: CTRL-EVENT-EAP-SUCCESS2 d8:bb:2c:xx:xx:xx
Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx WPA: pairwise key handshake completed (RSN)
Nov 17 23:45:29 AP1 hostapd: wlan0-0: AP-STA-CONNECTED d8:bb:2c:xx:xx:xx
Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx RADIUS: starting accounting session 2A8FC7635DA1D614
Nov 17 23:45:29 AP1 hostapd: wlan0-0: STA d8:bb:2c:xx:xx:xx IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Wireless config:

config wifi-iface
        option device 'radio0'
        option dynamic_vlan '1'
        option encryption 'wpa2+ccmp'
        option ifname 'wlan0-0'
        option key 'xxxx'
        option mode 'ap'
        option auth_server 'x.x.x.x'
        option ssid 'wifi'
        option vlan_bridge 'br-vlan'
        option vlan_naming '1'
        # tested disabled also!
        option rsn_preauth '1'
        option network 'vlan2342'

I built my OpenWrt with hostapd, but wpad shows the same!

Set it to optional instead of required, so devices that don't support it can fall back to unprotected management frames.

That is a known problem for iOS devices; set it to optional.

802.11w is already set to optional, see config above...
Devices like my OnePlus 5 do NOT support that, but can connect without a problem.

@BinaryBear
I encountered a similar problem, and it seems that if you are using ath10k firmware, dynamic VLAN is not supported.

Take a look at this

Hi, I am new here, but I have some problems too, with my TP-Link Archer 2600 and PMF together with my iPhones and an Android tablet (Lenovo Tab4).
With my Fritzbox 6490 and an industrial WLAN 11ac AP from Siemens, the iPhone is able to connect with PMF activated!
On the Siemens AP I set PMF to "required" and use WPA2 EAP.
On the Fritzbox, I can only activate PMF support; no idea whether it is set to "required" or "optional".
On my OpenWRT, I removed wpad-mini and tried wpad and hostapd.
I just switched it on to required, or optional. The two other parameters I ignored/left at default...

So now the question: do I have to set up anything else, or how can I figure out the problem with OpenWRT?
Is there anybody working on that issue? Because on other systems it seems to work fine.
(On OpenWRT I cannot connect with PMF! It doesn't matter if WPA2-PSK, or WPA2 EAP, or PMF=optional!)

Many thanks for any helpful comments!

Please, someone clarify why there can be any security benefit with "optional".
I imagine a door lock where one can (optionally) use a key to unlock....

It allows the connecting clients (STAs) to use it (enforce it for their connection to the AP), protecting them from deauth attacks. Additionally, it is necessary for supporting WPA2/WPA3 mixed mode, which will unfortunately be with us for many years to come.

Hello again. After a lot of resets and reboots, I got my iPhone connected with WPA2-PSK and required PMF, as it is configured on the Fritzbox 6490.
But not with WPA2-EAP, as it works with the Siemens AP.
Apple Support asked me to check the certificates used. They could be unusable. But they work fine without PMF.
By the way, I have the current stable 18.06.2 running.
Any ideas or guidelines for me?

Any reference on this?
I.e. how is the enforcement of an optional property achieved?

You can't be sure what the other boxes with proprietary firmware are really doing. Use a third machine to monitor the packets.

So I got it working by deleting the SHA256 cipher suite in hostapd.sh, when 802.11w is enabled...
It seems not to be supported by Apple!?
It was the only difference in the beacons..

And now?
How can I request that this parameter be made configurable?

Who knows it?

I meant this parameter:

wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256

where the last part is added automatically when PMF is activated.
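The last posts narrow the iPhone failure down to what hostapd advertises in the beacon RSN information element once 802.11w is on, and the earlier question about what "optional" actually enforces is answered by the same element: with ieee80211w=1 the AP sets the MFP-capable bit but not MFP-required, so each station decides per association whether its management frames are protected. The Python below is an added example written for this thread, not code from OpenWrt or hostapd. It decodes and builds RSN IEs, models OpenWrt's ieee80211w=0/1/2 setting as the beacon it produces (assuming, as reported above, that hostapd.sh appends the -SHA256 AKM whenever PMF is on), and evaluates the MFPC/MFPR negotiation between an AP and a station. Every IE is constructed inline; STA_LEGACY and STA_MFP are assumed station IEs, not captures.

```python
"""Decode and build the RSN IE that hostapd puts in beacons and stations echo in
association requests, and evaluate 802.11w (PMF) negotiation for an AP/STA pair.
Added example for this thread, not OpenWrt/hostapd code; every IE here is constructed."""
import struct

RSN_EID = 48                # element ID of the RSN IE
OUI_IEEE = b"\x00\x0f\xac"  # prefix of IEEE 802.11 suite selectors
PREAUTH = 0x0001            # RSN capability set by rsn_preauth=1
MFPR = 0x0040               # management frame protection required
MFPC = 0x0080               # management frame protection capable
# Suite selector types, spelled as hostapd.conf names them.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "WPA-EAP", 2: "WPA-PSK", 3: "FT-EAP", 4: "FT-PSK", 5: "WPA-EAP-SHA256",
        6: "WPA-PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
CIPHER_IDS = {v: k for k, v in CIPHERS.items()}
AKM_IDS = {v: k for k, v in AKMS.items()}

def _suite(raw, names):
    # Name a 4-byte suite selector; vendor selectors come back as oui:type.
    if raw[:3] == OUI_IEEE:
        return names.get(raw[3], "IEEE-%d" % raw[3])
    return "%s:%d" % (raw[:3].hex(), raw[3])

def parse_rsn_ie(ie):
    """Parse a full RSN IE (ID, length, body) into named fields."""
    if len(ie) < 2 or ie[0] != RSN_EID or len(ie) < 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:2 + ie[1]]
    u16 = lambda off: struct.unpack_from("<H", body, off)[0]
    try:
        if u16(0) != 1:
            raise ValueError("unsupported RSN version")
        group, off = _suite(body[2:6], CIPHERS), 6
        n, off = u16(off), off + 2
        pairwise = [_suite(body[off + 4 * i:off + 4 * i + 4], CIPHERS) for i in range(n)]
        n, off = u16(off + 4 * n), off + 4 * n + 2
        akm = [_suite(body[off + 4 * i:off + 4 * i + 4], AKMS) for i in range(n)]
        off += 4 * n
        # Capabilities are optional; hostapd always sends them and appends PMKID
        # count 0 plus the group management cipher only when PMF is on.
        caps = u16(off) if off + 2 <= len(body) else 0
        off += 2
        group_mgmt = None
        if off + 2 <= len(body):
            off += 2 + 16 * u16(off)  # skip the PMKID list
            if off + 4 <= len(body):
                group_mgmt = _suite(body[off:off + 4], CIPHERS)
    except (struct.error, IndexError):
        raise ValueError("truncated RSN IE")
    return {"group": group, "pairwise": pairwise, "akm": akm, "caps": caps,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR), "group_mgmt": group_mgmt}

def build_rsn_ie(group, pairwise, akm, caps):
    """Encode an RSN IE, adding PMKID count 0 and BIP when MFPC is set, as hostapd does."""
    sel = lambda ids, name: OUI_IEEE + bytes([ids[name]])
    body = struct.pack("<H", 1) + sel(CIPHER_IDS, group)
    body += struct.pack("<H", len(pairwise)) + b"".join(sel(CIPHER_IDS, c) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(sel(AKM_IDS, a) for a in akm)
    body += struct.pack("<H", caps)
    if caps & MFPC:
        body += struct.pack("<H", 0) + sel(CIPHER_IDS, "BIP-CMAC-128")
    return bytes([RSN_EID, len(body)]) + body

def beacon_rsn_ie(ieee80211w, base_akm="WPA-EAP", rsn_preauth=True):
    """Beacon RSN IE for OpenWrt's ieee80211w option (0 off, 1 optional, 2 required).
    Assumes, as the thread reports, that hostapd.sh appends the SHA256 AKM when PMF is on."""
    caps = PREAUTH if rsn_preauth else 0
    akm = [base_akm]
    if ieee80211w:
        caps |= MFPC
        akm.append(base_akm + "-SHA256")
    if ieee80211w == 2:
        caps |= MFPR
    return build_rsn_ie("CCMP", ["CCMP"], akm, caps)

def pmf_outcome(ap_ie, sta_ie):
    """How the AP treats an association request under the 802.11w MFPC/MFPR rules."""
    ap, sta = parse_rsn_ie(ap_ie), parse_rsn_ie(sta_ie)
    if ap["mfpr"] and not sta["mfpc"]:
        return "reject: AP requires PMF, station is not MFP-capable"
    if sta["mfpr"] and not ap["mfpc"]:
        return "reject: station requires PMF, AP is not MFP-capable"
    if ap["mfpc"] and sta["mfpc"]:
        return "protected: deauth/disassoc to this station must carry a valid MIC"
    return "unprotected: association proceeds without 802.11w"

def rsn_diff(ie_a, ie_b):
    """Fields that differ between two RSN IEs, e.g. beacons before and after PMF."""
    a, b = parse_rsn_ie(ie_a), parse_rsn_ie(ie_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed station IEs (assumed, not captured): a legacy client and an MFP-capable one.
STA_LEGACY = build_rsn_ie("CCMP", ["CCMP"], ["WPA-EAP"], 0)
STA_MFP = build_rsn_ie("CCMP", ["CCMP"], ["WPA-EAP-SHA256"], MFPC)

if __name__ == "__main__":
    print("beacon diff ieee80211w 0 -> 1:", rsn_diff(beacon_rsn_ie(0), beacon_rsn_ie(1)))
    for w in (0, 1, 2):
        for name, sta in (("legacy", STA_LEGACY), ("mfp", STA_MFP)):
            print("ieee80211w=%d %-6s -> %s" % (w, name, pmf_outcome(beacon_rsn_ie(w), sta)))
```

To compare real access points, pull element 48 out of beacons captured on a third machine, as suggested above, and run parse_rsn_ie() on each; rsn_diff() then does the same comparison the poster did by eye. Note that the "SHA256 cipher suite" in the thread is an AKM (key management) selector, 00-0f-ac:5 for WPA-EAP-SHA256 in hostapd's naming; the pairwise and group ciphers stay CCMP either way, and PMF also adds the BIP group management cipher to the beacon.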