topic Queries regarding Fast secure roaming in Wireless

Queries regarding Fast secure roaming

Manish Mathur — Mon, 05 Jul 2021 13:04:52 GMT

Hi Guys,

I have a few queries related to the FSR:

1. In AireOS version 8.2.x , if we allow FT with 802.1X , will the non-802.11r clients be able to connect ? The 8.2 config guide is confusing in this regard.

2. What version of IOS (Apple) support OKC/PKC ?

These questions arise from the fact that, the OKC is not working as expected for the HP clients that we have in our environment. Just to be clear, we have ONLY HP clients in the environment:

C:\Users\E607589>netsh wlan show drivers

Interface name: Wireless Network Connection

Driver : Intel(R) Dual Band Wireless-N 7265
Vendor : Intel Corporation
Provider : Intel
Date : 28-01-2016
Version : 18.33.0.2
INF file : C:\Windows\INF\oem65.inf
Files : 3 total
C:\Windows\system32\DRIVERS\Netwsn02.sys
C:\Windows\system32\DRIVERS\Netwfw02.dat
C:\Windows\system32\drivers\vwifibus.sys
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n 802.11a

As per our debugging, the clients are doing a full reauthetication durng roaming to a new AP in the same WLC.

Regards,

Manish

Hi Manish,

Rasika Nayanajith — Wed, 02 Nov 2016 19:16:07 GMT

Hi Manish,

Instead of 8.2, you may need to go with 8.3 which support adaptive 802.11r, effectively you can have single SSID that support both 802.11r and non-802.11r client connectivity. Refer below post on that feature

http://wirelessonthego.postach.io/post/cisco-wlc-8-3-adaptive-11r

HTH

Rasika

*** Pls rate all useful responses ***

Are you really sure 8.3 is

Johannes Luther — Fri, 16 Dec 2016 14:31:50 GMT

Are you really sure 8.3 is needed for that

I'm running 8.2 here and in the same SSID (FT enabled):

Client 1 uses key management "FT-802.1x" (Android Xperia Z5 compact)
Client 2 uses key management "802.1x" (Oooold Android Motorola Razr i - non FT capable)

So obviously a mix within the same SSID works without adaptive FT

Furthermore, the 8.2 config guide states:

From Release 8.0, you can create an 802.11r WLAN that is also an WPAv2 WLAN. In earlier releases, you had to create separate WLANs for 802.11r and for normal security. Non-802.11r clients can now join 802.11r-enabled WLANs as the 802.11r WLANs can accept non-802.11r associations. If clients do not support mixed mode or 802.11r join, they can join non-802.11r WLANS.

I couldn't find any information regarding adaptive 802.11r in the release notes. As written in your reference, a Cisco doc is here:
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Optimizing_WiFi_Connectivity_and_Prioritizing_Business_Apps.pdf

The paper states:

Legacy devices that do not recognize the FT AKM’s beacons and probe responses will not be able to join the WLAN

As seen in my lab above this is not (always) the case.

I think adaptive FT it's pretty sexy, because it eventually interferes less with legacy clients. However, I didn't encounter problems with enabled FT for now.

So what's the real benefit? Furthermore, is adaptive FT compatible with other clients than iOS 10? Is an Adroid phone or Win10 Client clever enough to respond with FT, if the SSID is configured adaptive (so without FT AKM).

Edit: Saw this post as well

Johannes Luther — Fri, 16 Dec 2016 14:31:51 GMT

Edit: Saw this post as well

https://supportforums.cisco.com/discussion/12314591/8021r-and-fast-roaming

along with the statement:

Still few supplicants (Mac OSX, Netgear,ect) does not like mixed mode WLAN, so they may have trouble associate if you enable FT

So here's my personal summary:

Adaptive FT --> Standard WPA2 AKMs

Pro: Less disrupive for "picky" old/bad/etc. clients

Con: Some 11r capable client join SSID with non-11r AKM (might use classic OKC/PKC)

Is my "Con" statement right? Or am I totally wrong by assuming that not all 11r clients honor the adaptive FT capability information?

I think we just have to wait

Scott Fella — Fri, 16 Dec 2016 14:31:52 GMT

I think we just have to wait and see. If this is sent in the beacon and the device doesn't understand it, it can or may cause issue. Until people start implementing this and seeing if adaptive works 100%, I would still believe that some devices will still not connect. I should try it wil a gen 1 iPad and some old devices I have laying around.

-Scott

*** Please rate helpful posts ***

Just a follow up on that. I

Johannes Luther — Tue, 25 Jul 2017 06:34:16 GMT

Just a follow up on that. I haven't tested the statements from above yet.

But the assumtion, that some 11r capable client join SSID with non-11r when adaptive FT is used is correct, regarding this document:

http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf

[...] the adaptive 11r feature will only be applied to iOS devices running iOS 10 or later. All other devices will be able to associate using standard WPA2.