Showing results for 
Search instead for 
Did you mean: 
VIP Engager

Fast Transition

Trying to gain a better understanding of the following scenario:

I have 3 APs configured/deployed, each one are within 55ish feet of each other, and fast roaming is enabled.  When a user connects and walks from one end of the room to the other they drop roughly 3 pings due to reassociation/authentication to each AP.  In our environment we use eap-fast to utilize eap-chaining for both comp cert auth and user CAC auth.  Users have no issue authenticating and being authorized to the appropriate wlan based on how I have ISE configured.  In the WLC I have fast transition for the wlan enabled and the association timeout is set to 20.  Testing computers have intel dual band wireless AC 8265 that supports 802.11r.  

WLC 5520


Versions: 8.8.125


Please advise.  Thanks in advance.

VIP Advisor

Are you doubting the dropped pings, after hearing that 802.11r should give <10ms roaming times? ;-)


Every time I see a Cisco customer who has roaming issues and 802.11r is enabled, we struggle, even with TAC support to figure this out. I have never seen this work. It's a dream.

I find that PSK works best for voice networks and this often resolves the issue. I don't know if this is a Cisco Wireless or a client issue.


@Arne Bier 


Are you doubting the dropped pings, after hearing that 802.11r should give <10ms roaming times? ;-)

Yes :)


Thanks for the valuable info.  I have a tac ticket open as well so if I get anything there I will update accordingly.  


I have similar experiences as Arne, we only use 802.11r with Cisco's 8821 phones on a dedicated SSID. Other than that we stay away from it for the majority of our customers, with as exception adaptive ft on some BYOD networks. Do you need 802.11r for non-VoWLAN applications in the first place? (Maybe to battle key-caching mismatches between the infrastructure and end-points, e.g. Apple iPhones now that I think about it...)

Last but not least, have you tried doing the same test without 802.11r?

Please rate useful posts... :-)


@Freerk Terpstra  I am impressed that you got it working with those 8821 handsets. After months of TAC we gave up and used PSK instead. We were told we had issues with “AP placement” or “AP density” and even “too high power levels”.   Yet, with PSK it worked just fine. Go figure. 
I think it helps to have all the APs be the same model. We had a mixture on the same floor. 


Just ran through the same test without 802.11r enabled. The result is almost identical. One test had 3 pings dropped, and the other was 4. Both due to re-association and dot1x re-auth. The unfortunate thing is dot1x is required. I am continuing to work with TAC on the issue.

Did you try any other methods besides 802.11r?


I have had some luck with CCKM and you should look into opportunistic key caching.


Testing this now. I see pmk cache entries on the WLC for my test host/user. I am still dropping ~3 pings. NAM logs show no 'associating' logs, but every time they show 'Authenticating' and 'Acquiring IP address'. Based on my understanding shouldnt the dot1x reauth only be triggered once the PMK-Cache lifetime expires?
Content for Community-Ad