In my experience this is exactly what happens in 'standard wireless networks' (no optmizations in place), since the keying material is not cached or distributed amongst the APs - therefore each time a client associates to a new AP, the keying material must be generated from scratch (full 802.1X authentication).

There are wireless standards that can assist with this (CCKM etc. - this one only helps to optimize the case where a client roams BACK to an AP where the keying material has been created previously - it does not help in cases of roaming to a new AP)

I believe that 802.11r (Fast Roaming) will share this keying material across other APs in the same L2 domain. @cghaderpour check your SSID and enable 802.11r (Fast Roaming) and also ensure that you are running an up to date AP firmware.  Clients must support 802.11r to benefit from this.

Hello Arne,

Thanks for explaining this and recommendation.

I checked on 802.11r to see if I can make that work but due to COA being enabled on my SSID for change of authentication I won't be able to have 802.11r active at the same time.

I disabled client balancing and enabled Band steering in RF profile. this actually helped reducing the number of authentication significantly.

I wish there was a way to have this fully resolved and keep the clients connect during the roaming without re-authentication.  

CoA is supported with .11r for quite some time. Is there any specific reason that you run outdated firmware? I can only think of legacy APs like MR32 or older.

But do you have any workflow configured that needs CoA, like Posturing or changed AuthZ after Profiling? Against common belief, you don't need CoA to send a VLAN or a Group-Policy.

Is it?

In my Meraki environment we are running up to date firmware but 802.1R and CoA cannot be enabled at the same time. 

Oh, damn, thinking again of it, I mixed up my mind with Catalyst ... 

You are right, Meraki disables FastRoaming to make sure the RADIUS server can also send up to date AuthZ with every roam and always knows which AP should receive the CoA. IMO, a not optimal design decision, as the initial AP could always forward it. But for real life, most of the time 802.11r is what is typically needed.

Yes, I agree. In my environment I'm now facing the challenge: Do you want CoA or 802.1R, which kind off forces me to create a separate SSID for voice clients that roam a lot. So, the Catalyst series AP's actually do support both? Interesting, after speaking to Meraki support and reading about this, I thought that both CoA and 802.1R could not work together. 

In Catalyst environments, it is easy as the same device (the controller) typically controls both FT and CoA.

Perhaps I was indeed thinking about the right platform, but I don't remember exactly. Even with CoA enabled on my Meraki SSID, 802.11r (small "r") keeps activated. I'll do some testing later to find out if the documentation and warnings are wrong or if CoA is just not working when 802.11r is enabled.

I did some tests with both 802.11r *and* CoA enabled. Conclusion: It doesn't work, but it is entirely different from what the documentation and the Dashboard state.

If both are enabled, 802.11r will still be used and will work as expected. However, CoA only works when the client is connected to the AP, where the initial connection was made. When the client is connected to a different AP, the AP answers with CoA-NAK, "Session-Context-Not-Found".

EDIT: I found out that this behavior is only valid for existing networks, that had specific settings before. For new networks, the behavior should align with the documentation (I didn't test that).

I send you PM 

MHM

What for and why?  It's more helpful to share your advice in a public forum, because it helps others. I'd be keen to know what advice you want to offer.