Participant

802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hello Experts, 

Can we use the same WLAN for 802.11r capable and non 802.11r capable clients?

Are all CCX v4 client capable of supporting 802.11r?

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html

Below is the excerpt from the document,

"From Release 8.0 , you can create an 802.11r WLAN that is also an WPAv2 WLAN. In earlier releases, you had to create separate WLANs for 802.11r and for normal security. Non-802.11r clients can now join 802.11r-enabled WLANs as the 802.11r WLANs can accept non-802.11r associations. If clients do not support mixed mode or 802.11r join, they can join non-802.11r WLANS. When you configure FT PSK and later define PSK, clients that can join only PSK can now join the WLAN in mixed mode."

 

From the statement highlighted in red, it appears yes. But the immediate next line contradicts the same. 

Please help me comprehend the same. 

Accepted Solutions
Cisco Employee

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hi guys,

 

Please allow me to provide a bit of context. You basically have 3 sorts of clients (in regards to 11r):

1. Those that support 802.11r. They can associate to a WLAN where 11r is enabled and mandatory, and benefit from 11r fast roaming. iOS devices are in this case.

2. Those that do not support 802.11r (not compliant), but are not against it (they are compatible). Recent macOS are of this type for example. They do not support 802.11r (they cannot associate with 802.11r mode, and could not associate to a WLAN where 802.11r would be the only method). However, they do not 'mind' 802.11r. If you have a WLAN where both 802.11r and WPA2 are supported, they will join using WPA2.

3. Those that are allergic to 802.11r. They do not support 802.11r, and refuse to associate to any WLAN where 802.11r is mentioned, even if other methods are also allowed on this WLAN. These clients are usually older, and poorly programmed. The developers thought "er... let's see: Open, WEP, WPA, WPA2. Anything else, stop in panic mode". So, when 802.11r is seen, they reach the line that says "OMG, unknown security method, don't know what it means and what I should do, oh, life is sooo hard, panic!" and they fail to associate (their poorly developed driver does not have the option to say 'okay, you don't get 11r, BUT look, there is this other one there that you understand, WPA2').

 

Okay, that's the client side. Now on the WLC side:

Before 8.0, you could configure a WLAN for 802.11r OR WPA2. So you had pretty much to create one WLAN for your 802.11r clients, and one for the others.

In code 8.0, we introduced the hybrid mode, where your WLAN can be configured for both 802.11r and WPA2. Both are announced in the beacons and probe responses. Most 'normal' clients work well, the 802.11r-compatible (cat 1) using 802.11r, and the others (cat 2) using WPA2. But then, every now and then some clients show up that are of category 3, and admins may spend time troubleshooting why that client can't associate (before figuring out that chipset blah with driver version x makes that this is an allergic client... and then there is no real solution, this poorly programmed client will not associate to that WLAN).

So... many admins live very well with the hybrid mode, but quite some networks chose to not implement the hybrid mode, and use only WPA2, in fear that these 'cat 3' clients show up.

We stayed there for a while, and were a bit sad, because you have in your networks devices (like iOS) that are highly mobile, and for which the vendor did the serious job of implementing high mobility features... and they pay the price of not benefiting from fast roaming because other, lazier, vendors, did not care to program their chipset (or cheapset) properly, or even to publish a driver fix to be at least category 2.

Then, as we started working with Apple, we thought "hey, this is something we may be able to help with".

So we jointly implemented Adaptive 11r. In this mode, 802.11r is not announced (it is hidden, so the cat 3 clients do not panic). However, as we recognize iOS clients (for Fastlane for example), we use this recognition to still activate 802.11r for the supporting iOS clients when they are recognized and join the cell. This does not solve the problem for all the 802.11r clients on the planet, but at least helps for the iOS clients, which are usually a consequent chunk of your mobile populations.

Please do not believe that "Adaptive 11r breaks 802.11r for non-iOS clients", this is the same as saying "building houses breaks the market for camping tents". The purpose is not the same. Adaptive was built for networks where 802.11r is NOT enabled in the first place.

 

So:

a. If all your clients are 802.11r, enable 802.11r and all is good.

b. If some of your clients are 802.11r, some others are not, enable hybrid 802.11r (both 802.11r and WPA2 announced), and you should be fine most of the time. You do not need Adaptive 11r (and Adaptive 11r is not a feature needed in your network).

c. If you are in a public space (no control over which client will show up) AND you are concerned about this handful of clients that may show up and be of category 3, you may have decided to troubleshoot them when they show up (you are in case (b)), or you may have decided to cut off 802.11r and do only WPA2, so you don't have to troubleshoot for every random cat 3 client that may show up. In this case, enable Adaptive 802.11r. At least, your supporting iOS clients will benefit from 802.11r, so you are in better shape than you were before, even if there are still some other clients that could benefit from 802.11r, but that will not, because you decided that announcing 802.11r was too worrisome.

 

RE CCXv4 and FT, they are not the same thing. CCX are a set of Cisco extensions that were developed to speed up the adoption of features that were useful for Wi-Fi networks. Among them, one is called Cisco Central Key Management (CCKM). It was developed in 2004-2005 and later years. It performs functions equivalent to 802.11r (which was partly built on CCKM principles). Then the IEEE published 802.11r in 2008. It was integrated in a Wi-Fi Alliance just a few years back (Voice enterprise). So you will have some clients that will be CCXv4 (with CCKM of course) and that will also implement 802.11r, but all combinations are possible (CCXv4 and no 802.11r, no CCXv4/CCKM but 802.11r, or neither) as the two methods are independent.

 

Hope this helps

 

Jerome 

10 REPLIES
VIP Advocate

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hello @Muhammed Adnan

I disagree with you on the contradiction. I understood that from version 8.0 and newer, you can have a mix of WLANs and clients with or without 802.11r support enabled with no problem.

And "Are all CCX v4 client capable of supporting 802.11r?"

CCX4 was launched by Cisco in 2005 and 802.11r was released by IEEE in 2008, but only recently was it adopted. So there must be devices that are CCX4 and do not support 802.11r.

 

-If I helped you somehow, please, rate it as useful.-

 

 

 

 

 

VIP Mentor

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

This is truly supported with Adaptive 11r from 8.3.x onward. Refer below post

http://wirelessonthego.postach.io/post/cisco-wlc-8-3-adaptive-11r

 

HTH

Rasika

*** Pls rate all useful responses ***

 

Participant

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hi Rasika,

 

 

Regarding the link you shared for Adaptive 802.11r: it appears Adaptive 802.11r is for facilitation of fast roaming for iOS devices. How about non-iOS devices which are 802.11r capable? Will an Adaptive 802.11r enabled SSID provide the advantages of fast roaming to both iOS devices and 802.11r-capable non-iOS devices?

 

How safe would it be to have adaptive 802.11r enabled on an SSID that will have all three client types as:

a) iOS devices (iOS 10 or higher)

b) 802.11r capable non-iOS devices.

c) non 802.11r capable devices.

VIP Mentor

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hi Muhammed,

 

Good point.

 

Yes, Adaptive 11r is for fast roaming for Apple devices even if the SSID is not configured for 802.11r. When you enable this feature on a WLAN not configured for 802.11r, only the Apple devices shown below (as per the 8.5 mobility design guide) that support 11r can benefit from fast roaming. All other 11r capable clients have to do 802.1X without any FT.

 

1. Apple devices supporting the Optimized Wi-Fi Connectivity solution are
iPhone 6s and later
iPhone 6s Plus and later
iPad Air 2 and later
iPad mini 4 and later
iPad Pro and later
iPhone SE

 

From a connectivity point of view, all non-11r clients and 11r non-iOS client devices will be able to join. However, as you have not specifically enabled 11r on the SSID, non-iOS 11r clients are not able to get benefit from it.

 

HTH

Rasika

*** Pls rate all useful responses ***

 

 

 

 

VIP Mentor

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hi Jerome,

 

Thank you very much for providing a detailed response clarifying all aspects of 802.11r. I am sure Muhammed will be very happy to see it and will mark it as "answer for his query".

 

There is no way we can "endorse" responses, as the VIP Endorsement feature is no more with CSC's new Lithium platform. So I had to use "response is helpful", which I know is an injustice for a response like the one you have given.

 

Regards

Rasika

Cisco Employee

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Ah, thank you, Rasika, for tirelessly providing support to the community, and reaching out when there is a topic where I might be of help...

Participant

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

By Hybrid 802.11r I believe you mean 802.11r enabled on a WPA2 SSID. Please correct me if I am wrong. I could not find the term “Hybrid 802.11r” in the documentation.

Also, can’t we enable 802.11r and Adaptive 802.11r simultaneously on the same WLAN to let both 802.11r capable and iOS 10 (and later) devices avail the benefits of fast roaming :)

In all the latest codes (8.3 and later), Adaptive 802.11r appears to be enabled by default, and I could not find a way to enable both 802.11r and Adaptive 802.11r simultaneously.

 


Cisco Employee

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Hi Muhammed,

 

Yes, "hybrid 802.11r" means FT (802.11r) enabled on a WPA2 WLAN, and key management set to both PSK and FT PSK (if you use PSK) or both 802.1X and FT 802.1X (if you use 802.1X). This way, both 802.11r and standard WPA2 schemes are supported and announced by the AP.

Hybrid mode is called "mixed mode" these days in the WLC guides (e.g. https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01010010.html).

 

RE Adaptive and 802.11r on the same WLAN, you cannot do that... :-)

The reason is that the goal of Adaptive 802.11r is to support 802.11r for iOS devices in WLANs where you cannot announce 802.11r openly (because 802.11r-incompatible stations may fail to associate). But if you turned 802.11r on for such a WLAN, then suddenly you would announce 802.11r openly, and this would defeat the purpose of Adaptive. On one side, your iOS devices would associate directly using 802.11r (they don't need any special treatment as 802.11r is visible and they support it), rendering Adaptive 11r not useful, but on the other side 802.11r-incompatible stations may fail to associate.

So 802.11r (openly supported and announced) and Adaptive 802.11r (802.11r not announced but activated for iOS dynamically) are opposite modes, they answer opposite requirements and should not be both on the same WLAN...

hth

Jerome
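
The mixed-mode announcement discussed in this thread, as an added example that is not part of any participant's post or of Cisco's documentation: it reads the AKM suite list of an RSN element (as carried in beacons and probe responses), reports whether the WLAN announces WPA2 only, 802.11r only or both, and models which of the three client categories can join. The sample elements are constructed, the parser assumes every RSN field up to the AKM list is present, and the treatment of category 1 as also capable of plain WPA2 is an assumption.

```python
import struct

# AKM suite selectors under OUI 00-0F-AC, as defined for the RSN element.
OUI = bytes.fromhex("000fac")
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT, NON_FT = {3, 4}, {1, 2}

def build_rsn(akm_types):
    """Construct a sample RSN element (ID 48, CCMP ciphers) for the demo."""
    ccmp = OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types))
    body += b"".join(OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", 0)  # RSN capabilities
    return bytes([48, len(body)]) + body

def parse_rsn_akms(ie):
    """Return the 00-0F-AC AKM suite types announced in an RSN element."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 6  # skip version (2) and group cipher (4)
    try:
        (n_pairwise,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * n_pairwise
        (n_akm,) = struct.unpack_from("<H", body, pos)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    suites = body[pos + 2 : pos + 2 + 4 * n_akm]
    if len(suites) != 4 * n_akm:
        raise ValueError("truncated AKM list")
    return [suites[i + 3] for i in range(0, len(suites), 4) if suites[i:i + 3] == OUI]

def wlan_mode(akms):
    ft, non_ft = FT & set(akms), NON_FT & set(akms)
    if ft and non_ft:
        return "mixed mode (802.11r + WPA2)"
    return "802.11r only" if ft else "WPA2 only" if non_ft else "unknown"

def client_can_join(category, akms):
    """Thread's client categories: 1 = supports 11r, 2 = tolerates it, 3 = 'allergic'."""
    ft, non_ft = FT & set(akms), NON_FT & set(akms)
    if category == 1:  # assumption: an 11r client also speaks plain WPA2
        return bool(ft or non_ft)
    if category == 2:  # skips AKMs it does not know, joins with WPA2
        return bool(non_ft)
    if category == 3:  # gives up as soon as an unfamiliar AKM is listed
        return bool(non_ft) and not ft
    raise ValueError("category must be 1, 2 or 3")

if __name__ == "__main__":
    for akms in ([2], [2, 4], [4]):  # WPA2-PSK, PSK + FT-PSK, FT-PSK only
        ie = parse_rsn_akms(build_rsn(akms))
        joins = {c: client_can_join(c, ie) for c in (1, 2, 3)}
        print([AKM[a] for a in ie], "->", wlan_mode(ie), joins)
```

Run against the RSN element from a captured beacon, the same classification shows at a glance whether an SSID is announcing 802.11r openly, which is the condition that locks out category 3 clients.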

Participant

Re: 802.11r- Can same WLAN be used for 802.11r capable and non capable clients?

Thanks a lot Jerome for the wonderful explanation :) Your posts explained it in the most easily comprehensible manner.

 
