@remlei et.al.
TL;DR
Would anyone experiencing the broken VLAN assignment during FT like to give this patch a shot and see if it works for you? I'm having reasonable success in testing it thus far:
Place into package/network/services/hostapd/patches/std/ and recompile hostapd.
An example for monitoring your AP logs after this patch is: logread -f | grep -E "(FT:|Found matching PSK|ap_sta_wpa_get_keyid)"
Details for the curious...
🔍
When 802.11r is enabled and clients roam between access points, the PSK-to-VLAN mapping is lost during the roaming process.
During FT roaming, hostapd's handle_auth_ft_finish() and __check_assoc_ies() functions complete the authentication and reassociation process but do not re-evaluate the PSK-to-VLAN mapping. The client's VLAN assignment from the original AP is not preserved or re-established on the target AP, thus causing clients to fall back to the default VLAN configuration.
The fix I've proposed leverages the fact that the PMK remains constant for a client session, therefore allowing reliable identification of which PSK was originally used for authentication.
My patch implements automatic PSK-to-VLAN mapping re-evaluation during both FT authentication and reassociation phases by introducing a new function ft_reassign_psk_vlan() that matches the client's PMK against configured PSKs to restore proper VLAN assignment.