This is something that IEEE 802.11r/D5.0 is doing. R0KH-ID is set to the
identity of the NAS Client (e.g., NAS-Identifier if RADIUS is used as
the backend protocol) and this identifier is sent to the peer during
association (before EAP authentication). In addition, both the R0KH-ID
(NAS-Identifier) and R1KH-ID (authenticator MAC address) are mixed
into the key derivation after the EAP authentication.

I would also add that IEEE 802.11r binds the R1KH-ID and the AP BSSID/MAC
address during the post-EAP handshake. IEEE 802.11r also advertises the set
of authenticators within which fast handoff is possible via the Mobility
Domain IE. Currently there is no equivalent AAA attribute to carry that,
but once there is (it has been discussed in RADEXT WG), it will also be
possible to verify this parameter within EAP Channel Bindings.
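
Added example, not part of the original thread: a sketch of how the R0KH-ID and R1KH-ID are mixed into the two-level key derivation, so that a peer told a different identifier ends up with different keys. It assumes the PMK-R0/PMK-R1 derivation of the published IEEE 802.11r-2008 amendment (draft D5.0 may differ in detail); all keys, identifiers and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

def kdf(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """802.11 KDF-Hash-Length with HMAC-SHA256; counter and length are 16-bit little-endian."""
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    # R0KH-ID (e.g. the NAS-Identifier) is part of the KDF context.
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    # First 256 bits of the 384-bit output are PMK-R0; the rest salts the key name.
    return kdf(xxkey, b"FT-R0", ctx, 384)[:32]

def derive_pmk_r1(pmk_r0, r1kh_id, s1kh_id):
    # R1KH-ID (authenticator MAC address) and the supplicant MAC bind PMK-R1.
    return kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)

# Constructed sample inputs (assumptions, not values from the thread).
XXKEY = bytes(range(32))                  # stands in for key material from the EAP MSK
SSID, MDID = b"example-net", b"\x12\x34"  # SSID and 2-byte Mobility Domain ID
STA = bytes.fromhex("020000000001")       # supplicant MAC (S0KH-ID / S1KH-ID)
R0KH_ID = b"nas1.example.org"             # NAS-Identifier advertised before EAP
R1KH_ID = bytes.fromhex("020000000a01")   # authenticator MAC address

def demo():
    r0 = derive_pmk_r0(XXKEY, SSID, MDID, R0KH_ID, STA)
    r1 = derive_pmk_r1(r0, R1KH_ID, STA)
    # A peer that was shown a different R0KH-ID derives a different PMK-R0.
    r0_other = derive_pmk_r0(XXKEY, SSID, MDID, b"nas2.example.org", STA)
    # The same PMK-R0 handed to a different R1KH yields a different PMK-R1.
    r1_other = derive_pmk_r1(r0, bytes.fromhex("020000000a02"), STA)
    return {"r0": r0, "r1": r1, "r0_other": r0_other, "r1_other": r1_other}

if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:9s} {key.hex()}")
```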