Hi everyone,

I am trying to use 802.11w PMF feature for a 802.1x SSID. When I configure it to "Required", supported clients can connect with AKM: 11w-802.1x and unsupported clients cannot connect at all. This scenario works as expected. But when I do it "optional", even if my clients are capable, they do not use 802.11w. When I debug client, it even says "Marking Mobile as 11w Capable" but it prefers not to use it. When I check client details, AKM is 802.1x only, not 11w.

Relevant part of the output of "debug 11w-pmf events" is:

*apfMsConnTask_7: Oct 07 08:59:06.496: [PA] 74:9e:af:1d:6b:ba RSN Capabilities: 140
*apfMsConnTask_7: Oct 07 08:59:06.496: [PA] 74:9e:af:1d:6b:ba Marking Mobile as 11w Capable
*apfMsConnTask_7: Oct 07 08:59:06.496: [PA] 74:9e:af:1d:6b:ba creating SA query timer
*apfMsConnTask_7: Oct 07 08:59:06.496: [PA] 74:9e:af:1d:6b:ba apfValidateDot11wGroupMgmtCipher:2275, 11w Group Mgmt Cipher Suite 6 validation succeeded for STA
*apfMsConnTask_7: Oct 07 08:59:06.702: [PA] 74:9e:af:1d:6b:ba Found RM action category code
*apfMsConnTask_7: Oct 07 08:59:06.709: [PA] RSNIE in Assoc. Req.: (42)

I am adding client debug and SSID config as attachment. WLC: 8540 w/8.5.135.0 AP:3800 Client: several (debug with iPhone8 iOS 13.1.2)

Do I misunderstand or misconfigure something?

Thank you for your support.