802.11r not available for an SSID

SOLVED
chrissw
Here to help

802.11r not available for an SSID

Hi all,

 

We have an SSID (broadcasted) using 802.1X enterprise authentication by user client cert against Cisco ISE/Windows AD.

 

APs are MR52 on version 27.6.

 

The option to enable 802.11r does not appear on the SSID settings page.

 

It does appear on, for example, and SSID with PSK auth.

 

Can anyone suggest why the 802.11r option is missing? Is there something I'm not understanding here? I thought 802.11r was supposed to be of benefit where such authentication is in use, in order to avoid a full de-auth and re-auth by clients when they roam. Currently we are experiencing delays with clients getting re-authenticated on this SSID. Sometimes users are saying that they have to disable and re-enable wireless on their machines in order to get them to reconnect, and sometimes even reboot.

1 ACCEPTED SOLUTION
chrissw
Here to help

We have an answer from Meraki support.

 

It is Cisco ISE causing the non-availability of 802.11r.

 

Apparently because RADIUS CoA is enabled by design when using Cisco ISE for authentication, this disables 802.11r. According to Meraki, "due to CoA...we need to do a full authentication on every roam in order to apply the policy."

 

Moreover there is no way to disable CoA.

 

So if you're using Cisco ISE for authentication, you can say goodbye to 802.11r. Which isn't a good look, given that these are two Cisco products. This is going to cause us significant difficulties.

View solution in original post

10 REPLIES 10
PGP
Here to help

What is the "Addressing and traffic options" you have set for that SSID as 802.11r will be removed as an option if they are set to either "NAT" or "Layer 3 roaming" ? 

Sorry I should have mentioned that we are using bridge mode. We never use NAT or L3.

TBHPTL
A model citizen

I use ISE and and 802.11r is available...  PMF aka 802.11w will disable 802.11r

 

Protected Management Frames (802.11w) can be used to prevent client spoofing, but when it is required Fast Roaming (802.11r) is not supported.

RupertDot11
Meraki Employee
Meraki Employee

802.11r is also not available while using NAT mode or Layer 3 roaming.

Inderdeep
Kind of a big deal
Kind of a big deal

@chrissw : This feature can be enabled from the Configure > Access control page under Network access > 802.11r. If this option does not appear, a firmware update may be required

 

Inderdeep_0-1621732985210.png

Check below 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Thanks but I've read that bit of documentation, and I know where the 802.11r option should appear (see below).

 

Is a firmware update required from 27.6? Perhaps someone from Meraki can answer that.

 

What is more strange is that an SSID with PSK authentication does have 802.11r available as an option.

 

Also my own test network, which has 802.1X-enterprise authentication against an open source RADIUS server also has 802.11r available.

 

I cannot work out what it is about our use, in production, of authentication against Cisco ISE, which backs off to Windows AD, is preventing 802.11r from even being available.

LG
Getting noticed

From my experience, one of the things that disables 802.11r is 802.11w. Try to set as Enabled or Disabled to see if 802.11r appears.. 

chrissw
Here to help

We have an answer from Meraki support.

 

It is Cisco ISE causing the non-availability of 802.11r.

 

Apparently because RADIUS CoA is enabled by design when using Cisco ISE for authentication, this disables 802.11r. According to Meraki, "due to CoA...we need to do a full authentication on every roam in order to apply the policy."

 

Moreover there is no way to disable CoA.

 

So if you're using Cisco ISE for authentication, you can say goodbye to 802.11r. Which isn't a good look, given that these are two Cisco products. This is going to cause us significant difficulties.

KarstenI
Kind of a big deal
Kind of a big deal

But in this case you probably also have a splash-page configured. If you just use the ISE for .1X, you typically still have 802.11r available. With just AAA to the ISE there is no need to CoA.

What about if you use ISE for posture assessment using CWA or LWA for login?

 

We are finding out this issue in our environment. coming from WLC 2504 with 10 AP's that works perfectly well for posture (*and guest wireless roaming), these new CW9166I's dont do well with posture, ISE and roaming. clients continue to randomly get de-authenticated from the network while still staying connected to the SSID. This only happens on the myRADIUS, ISE authentication settings, guest wireless WPA2, PSK is fine.

 

If the user disconnects or disables wireless card, waits 10 seconds and reconnects the session is re-authenticated. OR If the user opens AnyConnect and selects in ISE posture (system scan) module "Block connection from untrusted servers" this also triggers a re-authentication without having to disconnect the wireless.

 

  • We have attempted to change the AAA timers, setting from 1 to 10 seconds time out with a few other advanced settings tweaks that mirror our flawless WLC settings.
  • We have attempted to set the bit rate from 12 all the way to 24 with auto tx power settings on both 2.4 and 5ghz, 6ghz is disabled currently, but some newer laptops use the AX wifi protocol.
  • We setup a single AP test network and no drops are found.
  • We have rebooted the AP and checked for air marshal's that might be containing the SSID.
  • Whats interesting is if i test the old WLC network, my laptop connects to the closest AP. But if i connect to the new meraki wireless, my PC connects to the an AP further away. The logs also seem to show my PC is roaming to the same AP? "roamed from AP SSC_AP-02 then had a successful connection to SSID COMPANY-CORP for a minute on AP SSC_AP-02, and then the client roamed to AP SSC_AP-02"

 

Since the guest wireless is in the meraki bridge mode, it drops the connection when roaming as 802.11r is not possible in bridge mode.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels