Using OWE Transition and Client Steering to put guests on 6 GHz

David Albrecht · ‎09-30-2023

Hello,

We're running a network full of C9136 APs on 9800s running 17.9.3 with a open and unsecured guest network on 5GHz.

I want to use OWE transition and client steering to get 6E-capable clients onto a OWE/6GHz WLAN.

I've setup the OWE transition according to this doc and I am seeing clients seamlessly connect to the open Guest network, and then get put onto the OWE network. However, none of the clients are getting steered onto the 6GHz radios, even though the clients are 6E-capable.

If I create a separate 6E WLAN and broadcast it, the clients can connect to it just fine. So, it's gotta be something with the client steering and OWE transition.

Any tips on things to check?

Leo Laohoo · ‎09-30-2023

What country is the AP installed in?

David Albrecht · ‎09-30-2023

This is in the USA.

marce1000 · ‎10-01-2023

- Have a checkup of the 9800(s) controller configuration with the CLI command show tech wireless ; feed the output into :
https://cway.cisco.com/wireless-config-analyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ammahend · ‎10-01-2023

share output below and use this document for verifying config

show wireless client steering
show wlan wlan-id

-hope this helps-

David Albrecht · ‎10-02-2023

Here is the output of "show wireless client steering":

Client Steering Configuration Information
  Macro to micro transition threshold                  : -55 dBm
  Micro to Macro transition threshold                  : -65 dBm
  Micro-Macro transition minimum client count          : 3
  Micro-Macro transition client balancing window       : 3
  Probe suppression mode                               : Disabled
  Probe suppression transition aggressiveness          : 3
  Probe suppression hysteresis                         : -6 dB
  6Ghz transition minimum client count                 : 0
  6Ghz transition minimum window size                  : 0
  6Ghz transition maximum channel util difference      : 20%
  6Ghz transition minimum 2.4Ghz RSSI threshold        : -60 dBm
  6Ghz transition minimum 5Ghz RSSI threshold          : -70 dBm

WLAN Configuration Information

WLAN Profile Name                     11k Neighbor Report       11v BSS Transition        
-----------------------------------------------------------------------------------------
1    Public Wi-Fi                     Disabled                  Enabled                   
5    Public Wi-Fi (6G)                Disabled                  Enabled

Here is the output of `show wlan wlan-id` for WLAN ID 5. This is the WLAN which clients get put onto via OWE transition from WLAN ID 1:

WLAN Profile Name     : Public Wi-Fi (6G)
================================================
Identifier                                     : 5
Description                                    : 
Network Name (SSID)                            : Free_WiFi (6G)
Status                                         : Disabled
Broadcast SSID                                 : Disabled
Advertise-Apname                               : Disabled
Universal AP Admin                             : Disabled
Max Associated Clients per WLAN                : 0
Max Associated Clients per AP per WLAN         : 0
Max Associated Clients per AP Radio per WLAN   : 200
OKC                                            : Enabled
Number of Active Clients                       : 0
CHD per WLAN                                   : Enabled
WMM                                            : Allowed
WiFi Direct Policy                             : Disabled
Channel Scan Defer Priority:
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Disabled
Peer-to-Peer Blocking Action                   : Disabled
Configured Radio Bands
      5ghz                                     : Enabled
      Slot                                     : Enabled on all slots
      6ghz                                     : Enabled
Operational State of Radio Bands
      5ghz                                     : UP
      Slot                                     : Enabled on all slots
      6ghz                                     : UP
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Mac Filter Override Authorization list name    : Disabled
Accounting list name                           : 
802.1x authentication list name                : Disabled
802.1x authorization list name                 : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    Wi-Fi Protected Access (WPA/WPA2/WPA3)     : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Disabled
        WPA3 (WPA3 IE)                         : Enabled
            AES Cipher                         : Enabled
            CCMP256 Cipher                     : Disabled
            GCMP128 Cipher                     : Disabled
            GCMP256 Cipher                     : Disabled
        Auth Key Management
            802.1x                             : Disabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            Dot1x-SHA256                       : Disabled
            PSK-SHA256                         : Disabled
            SAE                                : Disabled
            OWE                                : Enabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    SAE PWE Method                             : Hash to Element, Hunting and Pecking(H2E-HNP)
    Transition Disable                         : Disabled
    CCKM TSF Tolerance (msecs)                 : 1000
    OWE Transition Mode                        : Enabled
    OWE Transition Mode WLAN ID                : 1
    OSEN                                       : Disabled
    FT Support                                 : Disabled
        FT Reassociation Timeout (secs)        : 20
        FT Over-The-DS mode                    : Disabled
    PMF Support                                : Required
        PMF Association Comeback Timeout (secs): 1
        PMF SA Query Time (msecs)              : 200
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Authorization List Name            : Disabled
    Webauth Parameter Map                      : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
Multicast Buffer                               : Disabled
Multicast Buffers (frames)                     : 0
IP Source Guard                                : Disabled
Assisted-Roaming
    Neighbor List                              : Disabled
    Prediction List                            : Disabled
    Dual Band Support                          : Disabled
IEEE 802.11v parameters
    Directed Multicast Service                 : Enabled
    BSS Max Idle                               : Enabled
        Protected Mode                         : Disabled
    Traffic Filtering Service                  : Disabled
    BSS Transition                             : Enabled
        Disassociation Imminent                : Disabled
            Optimised Roaming Timer (TBTTS)    : 40
            Timer (TBTTS)                      : 200
        Dual Neighbor List                     : Disabled
    WNM Sleep Mode                             : Disabled
802.11ac MU-MIMO                               : Enabled
802.11ax parameters
    802.11ax Operation Status                  : Enabled
    OFDMA Downlink                             : Enabled
    OFDMA Uplink                               : Enabled
    MU-MIMO Downlink                           : Enabled
    MU-MIMO Uplink                             : Enabled
    BSS Target Wake Up Time                    : Enabled
    BSS Target Wake Up Time Broadcast Support  : Enabled
802.11 protocols in 2.4ghz band
    Protocol                                   : dot11bg
Advanced Scheduling Requests Handling          : Disabled
mDNS Gateway Status                            : Gateway
WIFI Alliance Agile Multiband                  : Disabled
Device Analytics
    Advertise Support                          : Enabled
    Advertise Support for PC analytics         : Enabled
    Share Data with Client                     : Disabled
Client Scan Report (11k Beacon Radio Measurement)
    Request on Association                     : Disabled
    Request on Roam                            : Disabled
WiFi to Cellular Steering                      : Disabled
Advanced Scheduling Requests Handling          : Disabled
6Ghz Client Steering                           : Enabled
Locally Administered Address Configuration
    Deny LAA clients                           : Disabled
Latency Measurements Announcements             : Disabled

Note the OWE transition is working fine - but clients never move to the 6GHz frequency band.

Rich R · ‎10-01-2023

We tested a single 9136 on loan from Cisco for 2 months at the end of last year, before we had to give it back at the beginning of this year.

Our observation (similar to yours) was that clients usually preferred the 5GHz over the 6GHz band. We fed this back to the BU via our account team but the BU seemed unable/unwilling to explain it or assist at all and never engaged in trying to understand or troubleshoot it before we needed to return the AP to Cisco.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

JPavonM · ‎10-02-2023

@David Albrecht why do you want Guests on 6-GHz band? I do prefer to use that band for corporate users so they can get the best performance with low-to-none congestion.

David Albrecht · ‎10-02-2023

This is in a large bowl/arena style environment with several hundred 9136s all within earshot of each other, and we are seeing 90+% channel utilization across most 5GHz channels during events. We consistently have over 10,000 guests on the network and there's simply not enough airtime for all of them on 5GHz.

eglinsky2012 · ‎10-02-2023

IMO - Don’t wait for Cisco and the vendors to fix this. It could be a while. Plus there are so few clients that are even 6GHz capable now, it probably won’t make a significant difference in this situation.

I wonder if any optimizations to 5 GHz can be made in the meantime. Are the 5 GHz radios in single 8x8 or dual 4x4 mode? What channel width?

Out of curiosity, how many APs vs seats are there? Are they internal omni or external antennas? If external, then what antenna model(s)?

Leo Laohoo · ‎10-02-2023

@David Albrecht wrote:
we are seeing 90+% channel utilization across most 5GHz channels during events.

Are you using 20-, 40-, 80-, 160 Mhz channel bond?

Create an SSID for 6 Ghz only.

Scott Fella · ‎10-02-2023

My two cents is keep the 6GHz separate from 2.4GHz and 5GHz. Client steering is still dependent on the client, just like how it is for the 5GHz client steering. Everyone has a different environment and different requirements, but if you separate the 6GHz and create a new SSID, it's a different band. I still see wireless environments that have separate guest for 2.4GHz and 5GHz, so why not add a 6GHZ.

-Scott
*** Please rate helpful posts ***

Rich R · ‎10-02-2023

That's fine for me at home and in small controlled environments but for public WiFi where corporate and brand are involved it's not an option - there can only be 1 SSID and the band must be transparent to the end user.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎10-02-2023

It's different for me. We always had that "requirement", but with 6GHz, things have changed for us and that is why I say that, "it's different for everyone". Cisco has also mentioned to not use transition if you can. Now if you enabled transition and client load balancing isn't working they way folks expect it to work, at least its implemented and maybe on day, devices will choose 6GHz vs the others. I do get where you are coming from.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎10-02-2023

I just tested this out following the same guide and also trying to tweak some settings. On am iPhone 15 and Samsung S21, these devices only transition to "OWE_Transition" SSID but only on the 5GHz. It doesn't matter how close the device is to the AP. If I broadcast the SSID "OWE_Transition" and connect to that, well then I'm on 6GHz. So in your case, it would make sense to create a Free_WiFi_6GHz also, that way devices that support 6GHz will see that SSID and most likely will connect to that. Your Free_WiFi SSID will still be available to non 6GHz clients.

Why not get your Cisco team involved to help out? I do this all the time when I run into odd things.

Listen also to what the others have mentioned... try to optimize what you also have. You can't depend on features to just work.

-Scott
*** Please rate helpful posts ***