802.11r not available for an SSID

SOLVED
chrissw
Here to help

Hi all,

We have an SSID (broadcast) using 802.1X enterprise authentication by user client cert against Cisco ISE/Windows AD.

APs are MR52 on version 27.6.

The option to enable 802.11r does not appear on the SSID settings page.

It does appear on, for example, an SSID with PSK auth.

Can anyone suggest why the 802.11r option is missing? Is there something I'm not understanding here? I thought 802.11r was supposed to be of benefit where such authentication is in use, in order to avoid a full de-auth and re-auth by clients when they roam. Currently we are experiencing delays with clients getting re-authenticated on this SSID. Sometimes users are saying that they have to disable and re-enable wireless on their machines in order to get them to reconnect, and sometimes even reboot.

1 ACCEPTED SOLUTION
chrissw
Here to help

We have an answer from Meraki support.

It is Cisco ISE causing the non-availability of 802.11r.

Apparently because RADIUS CoA is enabled by design when using Cisco ISE for authentication, this disables 802.11r. According to Meraki, "due to CoA...we need to do a full authentication on every roam in order to apply the policy."

Moreover there is no way to disable CoA.

So if you're using Cisco ISE for authentication, you can say goodbye to 802.11r. Which isn't a good look, given that these are two Cisco products. This is going to cause us significant difficulties.

8 REPLIES
PGP
Here to help

What is the "Addressing and traffic options" setting you have for that SSID? 802.11r will be removed as an option if it is set to either "NAT" or "Layer 3 roaming".

Sorry I should have mentioned that we are using bridge mode. We never use NAT or L3.

RupertDot11
Meraki Employee

802.11r is also not available while using NAT mode or Layer 3 roaming.

Inderdeep
Kind of a big deal

@chrissw: This feature can be enabled from the Configure > Access control page under Network access > 802.11r. If this option does not appear, a firmware update may be required.

Check below:

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

 

Regards
Inderdeep Singh
www.thenetworkdna.com (Awarded by Cisco IT Blogs award 2020)

Thanks, but I've read that bit of documentation, and I know where the 802.11r option should appear (see below).

Is a firmware update required from 27.6? Perhaps someone from Meraki can answer that.

What is more strange is that an SSID with PSK authentication does have 802.11r available as an option.

Also my own test network, which has 802.1X-enterprise authentication against an open source RADIUS server, also has 802.11r available.

I cannot work out what it is about our use, in production, of authentication against Cisco ISE, which backs off to Windows AD, that is preventing 802.11r from even being available.

LG
Getting noticed

From my experience, one of the things that disables 802.11r is 802.11w. Try setting it to Enabled or Disabled to see if 802.11r appears.

KarstenI
Kind of a big deal

But in this case you probably also have a splash-page configured. If you just use the ISE for .1X, you typically still have 802.11r available. With just AAA to the ISE there is no need to CoA.
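The conditions named across this thread (NAT mode or Layer 3 roaming, RADIUS CoA on an 802.1X SSID, a splash page, and 802.11w set to Required) can be collected into a pre-check run against the SSID object that the Meraki Dashboard API returns. This is an added example, not code from any poster or from Meraki; it assumes the API v1 field names `ipAssignmentMode`, `authMode`, `radiusCoaEnabled`, `splashPage` and `dot11w`, and the SSID configs below are constructed samples.

```python
"""Pre-check: which conditions from this thread would hide 802.11r on an SSID?

Assumption: the SSID dict uses Meraki Dashboard API v1 field names
(ipAssignmentMode, authMode, radiusCoaEnabled, splashPage, dot11w).
The three sample SSIDs below are constructed, not exported from a real network.
"""


def dot11r_blockers(ssid: dict) -> list[str]:
    """Return the reasons, as stated in the thread, why 802.11r would be unavailable."""
    reasons = []
    # PGP / RupertDot11: only Bridge mode keeps the 802.11r option visible.
    mode = ssid.get("ipAssignmentMode", "Bridge mode")
    if mode == "NAT mode" or mode.startswith("Layer 3 roaming"):
        reasons.append(f"addressing mode is '{mode}' (802.11r needs Bridge mode)")
    # Meraki support: CoA forces a full authentication on every roam.
    if ssid.get("authMode") == "8021x-radius" and ssid.get("radiusCoaEnabled"):
        reasons.append("RADIUS CoA enabled: full 802.1X authentication on every roam")
    # KarstenI: a splash page is what usually brings CoA into play with ISE.
    splash = ssid.get("splashPage", "None")
    if splash != "None":
        reasons.append(f"splash page '{splash}' configured (CoA-driven policy)")
    # LG: 802.11w set to Required is worth toggling to Enabled/Disabled and re-checking.
    w = ssid.get("dot11w", {})
    if w.get("enabled") and w.get("required"):
        reasons.append("802.11w is Required: try Enabled or Disabled and re-check")
    return reasons


# Constructed sample SSIDs (not real networks).
ISE_SSID = {"name": "Corp-ISE", "authMode": "8021x-radius", "radiusCoaEnabled": True,
            "ipAssignmentMode": "Bridge mode", "splashPage": "None"}
PSK_SSID = {"name": "Corp-PSK", "authMode": "psk",
            "ipAssignmentMode": "Bridge mode", "splashPage": "None"}
NAT_SSID = {"name": "Guest", "authMode": "open", "ipAssignmentMode": "NAT mode",
            "splashPage": "Click-through splash page"}

if __name__ == "__main__":
    for ssid in (ISE_SSID, PSK_SSID, NAT_SSID):
        found = dot11r_blockers(ssid)
        print(f"{ssid['name']}: {'802.11r should be available' if not found else ''}")
        for r in found:
            print(f"  - {r}")
```

Feed it the JSON from the SSID endpoint of your own dashboard and an empty list means none of the thread's known blockers apply.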
