12-11-2013 04:06 AM - edited 07-04-2021 01:24 AM
Hello all,
I've seen that in release 7.4 and later on the WLC5508 you can configure 802.11r and 11k support using Fast Transaction so that iOS7 won't experience connection loss during roaming... My question is: on the same WLAN, can I configure 802.1X and FT-802.1X authentication so that I'll be able to have both non-802.11r and 802.11r capable clients on the same SSID? Or will this setup create association problems?
BR
OG
12-11-2013 04:10 AM
Once you enable 802.11r, clients that don't support it will not connect. I have two SSIDs with different names; one has 802.11r enabled and the other doesn't. Both use 802.1X.
Sent from Cisco Technical Support iPhone App
12-11-2013 04:22 AM
Hello Scott,
Thanks for the useful info... but this means that before connecting a device to the WLAN you have to know whether it's 802.11r capable or not; only then can you authenticate and associate to the specific WLAN defined...
It would be easier to have a single WLAN that permits 802.11r capable and non-802.11r clients to associate to the same SSID. I've seen that WLC 7.4 permits configuring both the 802.1X and FT-802.1X authentication methods on an SSID...
OG
12-11-2013 04:27 AM
It's either on or not. I too wish I could have one SSID with it enabled and have non-802.11r devices still connect, but it doesn't work that way. When you try to enable 802.11r, the WLC will prompt you with a warning.
12-11-2013 04:43 AM
Maybe this can help explain it also:
http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0111.html#d155467e2632a1635
Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).
Sent from Cisco Technical Support iPhone App
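The AKM-suite limitation in the documentation quoted above, shown as an added example (not part of the original posts and not Cisco code): a minimal RSN IE parser plus a supplicant-side AKM selection. The `strict` flag is an assumption that models a legacy driver giving up when it sees an AKM suite it does not recognise; the sample IEs are constructed here.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")                 # IEEE 802.11 suite OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}

def build_rsn_ie(akm_types):
    """Construct a sample RSN IE (element ID 48) with CCMP and the given AKMs."""
    ccmp = RSN_OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp                # version, group cipher
    body += struct.pack("<H", 1) + ccmp               # one pairwise cipher
    body += struct.pack("<H", len(akm_types))
    body += b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", 0)                      # RSN capabilities
    return bytes([48, len(body)]) + body

def parse_rsn_akms(ie):
    """Return the advertised AKM suites as (oui, type) tuples."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    off = 2 + 4                                       # skip version + group cipher
    (n_pairwise,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pairwise                         # skip pairwise cipher list
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * n_akm > len(body):
        raise ValueError("AKM list runs past end of IE")
    return [(body[i:i + 3], body[i + 3]) for i in range(off, off + 4 * n_akm, 4)]

def select_akm(ie, supported, strict=False):
    """Name of the AKM the client would use, or None if it cannot associate.

    strict=True (assumption) models an old driver that rejects the whole IE
    when any advertised AKM suite is unknown to it.
    """
    akms = parse_rsn_akms(ie)
    known = [t for oui, t in akms if oui == RSN_OUI and t in supported]
    if strict and len(known) != len(akms):
        return None
    for t in (3, 4, 1, 2):                            # prefer FT variants
        if t in known:
            return AKM_NAMES[t]
    return None

MIXED = build_rsn_ie([1, 3])      # WLAN with 802.1X and FT-802.1X enabled
FT_ONLY = build_rsn_ie([3])       # WLAN with FT-802.1X only

if __name__ == "__main__":
    for label, ie in (("mixed", MIXED), ("FT only", FT_ONLY)):
        print(label, "| 11r client:", select_akm(ie, {1, 3}),
              "| tolerant legacy:", select_akm(ie, {1}),
              "| strict legacy:", select_akm(ie, {1}, strict=True))
```

On the mixed WLAN only the strict legacy model fails to associate, which is the case the two-WLAN workaround addresses.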
12-11-2013 04:53 AM
Thanks a lot for the detailed info... so basically you have two WLANs, one FT and the other non-FT, BUT with the same SSID...
12-11-2013 05:09 AM
Yes you can do it that way, or have different ssid names. Again, you can always test it out. Configure a new ssid with 802.11r enabled and see what devices connect and what devices fail to connect.
12-11-2013 09:07 AM
Scott,
Thank you for this reply. I was about to dig in to this incompatibility myself and you hit the nail! So in time.
Vlad.
12-11-2013 04:45 AM
not good this one ...
I've noticed that when configuring FT-802.1X on an SSID, the WLC warns about the chance that non-802.11r capable clients won't be able to associate...
12-11-2013 04:51 AM
Yup... I have an older iPad 1st gen that I test with and it doesn't join. Only my iPhone and iPad that support 802.11r do.
12-11-2013 09:47 AM
I'll test it in the next weeks and let you know
OG