topic Re: CoA and Fast Roaming in Wireless

CoA and Fast Roaming

Raphael_L — Tue, 22 Nov 2022 19:23:49 GMT

Hi ,

I was reading the documentation about CoA ( https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points#Enable_Cisco_ISE )

Roaming with CoA

There are a number of advantages to CoA and it enables many new use cases. SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms like PMKsa, OKC, and 802.11r will be disabled on the SSID that is configured for CoA. Clients are forced to complete EAP on every association which ensures that the RADIUS server will send the CoA to the correct Access Point.

Let's say I have an SSID with WPA2-Enterprise and a Radius server configured. I also have 802.11r enabled AND CoA configured. Does that mean that 802.11r won't work at all since Clients are forced to complete EAP on every association

Will it cause conflict ?

Re: CoA and Fast Roaming

aleabrahao — Tue, 22 Nov 2022 19:49:06 GMT

I understood that when you enable CoA the 802.11r will be disabled.

Re: CoA and Fast Roaming

Philip D'Ath — Tue, 22 Nov 2022 19:57:10 GMT

I don't know the answer.

I can tell you 802.11r has fallen out of favour. I used to use it all the time 5 years ago. I don't use it at all now.

There was a bunch of non-fixable security issues with the protocol.

https://documentation.meraki.com/General_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-13082)_FAQ

Re: CoA and Fast Roaming

joey.debra — Tue, 22 Nov 2022 21:08:20 GMT

I would retract that statement 😉
802.11r is only out of favor in WPA2-Personal SSID's.
For 802.1X WPA2-Enterprise it is standard to use 802.11r.

I find this behavior @Raphletourn describes disturbing. In regular Cisco AP's you have flexconnect and there these kinds of details are shared between all AP's in the same flex group(AireOS)/same site tag(IOS-XE) to have 802.11r work perfectly with CoA. I would only ask if Meraki would do the same for AP's inside the same dashboard network...

So basically as it stands now: the moment you put that CoA button to enabled your SSID will not use 802.11r...

Re: CoA and Fast Roaming

Karsten Iwen — Wed, 23 Nov 2022 09:02:09 GMT

Perhaps we should all add a wish that FT should be implemented together with CoA.

Re: CoA and Fast Roaming

Raphael_L — Wed, 25 Oct 2023 16:54:20 GMT

After a year , they re-added the warning :

I will be testing if that's true...

Re: CoA and Fast Roaming

Raphael_L — Wed, 25 Oct 2023 17:34:02 GMT

EDIT :~~Pretty sure it now disables 802.11r...~~

According to : https://mac-wifi.com/how-to-verify-whether-802-11k-and-11r-are-enabled-via-a-capture/

If the section Mobility Domain is present , the SSID is supporting 802.11r. Which it goes against the warning... will re-open my case.

Re: CoA and Fast Roaming

ppurroy — Mon, 07 Jul 2025 15:43:24 GMT

With MR32.1.x and ISE 3.3.0.430-Patch 5 there is support for CoA + 802.11r fast roaming simultaneously.

Re: CoA and Fast Roaming

Raphael_L — Mon, 07 Jul 2025 15:50:51 GMT

Do you need to have ISE 3.3.0.430-Patch 5 or is it just prefered ?

Re: CoA and Fast Roaming

Karsten Iwen — Mon, 07 Jul 2025 17:10:43 GMT

Can you elaborate on how it is handled internally? Is there an AP to AP communication for the PMK-R1, or distributed through the cloud ...

Re: CoA and Fast Roaming

lcaldaro — Tue, 12 Aug 2025 14:04:26 GMT

You need to have ISE3.3 Patch5 or later release. If you look at the Release Notes, the corresponding bug ID addressing the issue is CSCwk30242, which is available starting from Patch5:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/release_notes/b_ise_33_RN.html

The fix is also available for ISE 3.4 starting from Patch2:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/release_notes/cisco-identity-services-engine-release-notes-34.html