Enable Fast Transition in a Cisco 8540 WLC

Aleck_Sei
Level 1

Hi everybody,

What is the difference between selecting 'Enable' and 'Adaptive' when enabling Fast Transition on a Cisco 8540 controller with 802.1x authentication protocol?

Thank you very much

1 ACCEPTED SOLUTION

Hi

 "...If you need the SSID to support both FT and non-FT clients then you need to set Fast Transition mode of Enabled and tick both an FT and non-FT AKM (e.g. PSK and FT-PSK). This will allow non-FT devices to connect without FT and FT compatible devices to use FT..."

"...If an SSID has only non-FT authentication modes then Fast Transition mode can be set to Adaptive. The result is that all non-iOS devices (inc MacOS) will connect and roam without FT. But iOS devices can “Adapt” (upscale) their ‘Authentication and Key Management’ suite (AKM) to connect with FT even though the SSID does not support it..."

https://mac-wifi.com/ciscos-802-11r-ft-settings-adaptive-mode-explained/

Important information:

"Adaptive dot11r is supported by Apple iPad, Apple iPhone, and Samsung S10 devices. However; some software update creates a MIC mismatch error in these devices. But these errors are transient and clients will successfully be able to associate to the SSID in subsequent results. "

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_device_ecosystem.html#d81597e675a1635

My experience with 802.11r was never positive, to be honest. If I have the option, I don't use it.
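
The FT versus non-FT AKM distinction in the quoted text can be checked from what an SSID actually advertises. The following is an added example, not part of the original post or any Cisco code: it parses the AKM suite list from an RSN element (element ID 48, as carried in beacons and probe responses) and reports whether FT, non-FT, or both kinds of AKM are offered. The function names are hypothetical and the sample elements are constructed by `build_rsn`.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def parse_rsn_akms(element: bytes) -> list[str]:
    """Return the AKM suite names listed in one RSN element (element ID 48)."""
    if len(element) < 2 or element[0] != 48:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 8:
        raise ValueError("truncated RSN element")
    off = 6                                   # skip version (2) + group cipher (4)
    (pairwise_count,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * pairwise_count             # skip the pairwise cipher list
    if off + 2 > len(body):
        raise ValueError("truncated before AKM count")
    (akm_count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * akm_count > len(body):
        raise ValueError("truncated AKM list")
    names = []
    for i in range(akm_count):
        suite = body[off + 4 * i: off + 4 * i + 4]
        known = suite[:3] == OUI and suite[3] in AKM_NAMES
        names.append(AKM_NAMES[suite[3]] if known else "other-" + suite.hex())
    return names

def classify(akms: list[str]) -> str:
    """Map the advertised AKM list onto the cases described in the answer."""
    ft = [a for a in akms if a.startswith("FT-")]
    if ft and len(ft) < len(akms):
        return "mixed"        # FT and non-FT AKMs: both client types can join
    if ft:
        return "ft-only"      # clients without 802.11r have no AKM to use
    return "non-ft-only"      # the case where the quoted text says Adaptive applies

def build_rsn(akm_types: list[int]) -> bytes:
    """Constructed sample: RSN element with CCMP ciphers and the given AKMs."""
    ccmp = OUI + b"\x04"
    body = (struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
            + struct.pack("<H", len(akm_types))
            + b"".join(OUI + bytes([t]) for t in akm_types)
            + struct.pack("<H", 0))           # RSN capabilities field
    return bytes([48, len(body)]) + body

if __name__ == "__main__":
    for sample in ([1, 3], [3], [1]):         # constructed AKM combinations
        names = parse_rsn_akms(build_rsn(sample))
        print(names, "->", classify(names))
```
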

 


3 REPLIES


Edson A. Hernandez
Spotlight

When 'Enable' is selected, the controller allows all clients to use Fast Transition, even if they don't support it. This can potentially result in lower security because non-Fast Transition capable clients may be vulnerable to attacks during the rekeying process. However, this option ensures consistent and predictable behavior for all clients, regardless of their capabilities.

Adaptive: The 'Adaptive' option enables Fast Transition only for clients that support it. The controller will dynamically determine which clients are Fast Transition capable and allow them to use Fast Transition. Clients that do not support Fast Transition will fall back to regular reauthentication processes. This option provides better security because only Fast Transition capable clients benefit from the enhanced performance of Fast Transition. However, it requires client devices to support Fast Transition to take advantage of its benefits.

Hi @Aleck_Sei 

When you select "enable", clients must support 802.11r capabilities. When you select "adaptive", the WLAN will allow clients that support 802.11r and legacy clients that don't. Now, AFAIK it is advisable to use FT only with an 802.1x security WLAN. The main idea is to reduce the time of reauthentication between two or more APs. If you're using PSK you don't need it; the average roaming time with this security method is only 50ms.

Unless all your clients support FT, there may be connectivity issues with certain types of clients. You have to verify that all your client devices support 802.11r before enabling this on your SSID. @Flaf is right, it is known that Apple and Samsung devices support it. But many wireless NICs do too.

If you want to go deeper into 802.11r, you can check this link:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html

 

I hope the information was useful, and if you have no further questions, remember to close the topic by selecting the answer as "Correct answer"
**Please rate the answer if this information was useful**
**Please mark this answer as correct if the information was useful**