CoA and Fast Roaming

RaphaelL
Kind of a big deal

Hi,

 

I was reading the documentation about CoA (https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU...)

 

Roaming with CoA

There are a number of advantages to CoA and it enables many new use cases. SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms like PMKsa, OKC, and 802.11r will be disabled on the SSID that is configured for CoA. Clients are forced to complete EAP on every association which ensures that the RADIUS server will send the CoA to the correct Access Point.

 

Let's say I have an SSID with WPA2-Enterprise and a RADIUS server configured. I also have 802.11r enabled AND CoA configured. Does that mean that 802.11r won't work at all since clients are forced to complete EAP on every association?

Will it cause a conflict?

6 REPLIES
alemabrahao
Kind of a big deal

I understood that when you enable CoA the 802.11r will be disabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

I don't know the answer.

 

I can tell you 802.11r has fallen out of favour. I used to use it all the time 5 years ago. I don't use it at all now.

 

There was a bunch of non-fixable security issues with the protocol.

https://documentation.meraki.com/General_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-1... 

 

 

GIdenJoe
Kind of a big deal

I would retract that statement 😉
802.11r is only out of favor in WPA2-Personal SSIDs.
For 802.1X WPA2-Enterprise it is standard to use 802.11r.

I find this behavior @RaphaelL describes disturbing. In regular Cisco APs you have FlexConnect, and there these kinds of details are shared between all APs in the same flex group (AireOS)/same site tag (IOS-XE) to have 802.11r work perfectly with CoA. I would only ask if Meraki would do the same for APs inside the same dashboard network...

 

So basically as it stands now: the moment you put that CoA button to enabled your SSID will not use 802.11r...

KarstenI
Kind of a big deal

Perhaps we should all add a wish that FT should be implemented together with CoA.

RaphaelL
Kind of a big deal

After a year, they re-added the warning:

 

RaphaelL_0-1698252841344.png

 

I will be testing if that's true... 

RaphaelL
Kind of a big deal

EDIT: Pretty sure it now disables 802.11r...

 

According to: https://mac-wifi.com/how-to-verify-whether-802-11k-and-11r-are-enabled-via-a-capture/

 

If the Mobility Domain section is present, the SSID is supporting 802.11r, which goes against the warning... will re-open my case.

 

RaphaelL_0-1698255233430.png
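The capture check described in the post above, as an added example that is not part of the original thread and not Meraki's code: it walks a beacon's tagged parameters, reports the Mobility Domain element (ID 54), and also lists the RSN AKM suites, since a client can only use FT when an FT AKM (00-0F-AC:3 or :4) is advertised. The sample beacon bytes and the function names are constructed for illustration.

```python
import struct

MDE_ID, RSN_ID = 54, 48          # Mobility Domain and RSN element IDs (IEEE 802.11)
OUI = b"\x00\x0f\xac"            # IEEE 802.11 OUI used in RSN suite selectors
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT_AKMS = {3, 4}

def iter_elements(tagged):
    """Yield (id, body) for each information element; stop on truncation."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) < length:
            return  # truncated capture, ignore the partial element
        yield eid, body
        pos += 2 + length

def rsn_akms(body):
    """Return the AKM suite types (IEEE OUI only) listed in an RSN element."""
    # Layout: version(2) + group cipher(4) + pairwise count(2) + 4 bytes per suite
    if len(body) < 8:
        return []
    (pw_count,) = struct.unpack_from("<H", body, 6)
    off = 8 + 4 * pw_count
    if len(body) < off + 2:
        return []
    (akm_count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = [body[off + 4 * i:off + 4 * i + 4] for i in range(akm_count)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == OUI]

def ft_status(tagged):
    """Summarise what one beacon's tagged parameters advertise about 802.11r."""
    result = {"mobility_domain": None, "akms": [], "ft_akm": False}
    for eid, body in iter_elements(tagged):
        if eid == MDE_ID and len(body) >= 3:
            result["mobility_domain"] = body[:2].hex()
        elif eid == RSN_ID:
            akms = rsn_akms(body)
            result["akms"] = [AKM_NAMES.get(a, str(a)) for a in akms]
            result["ft_akm"] = any(a in FT_AKMS for a in akms)
    return result

# Constructed sample elements (not taken from the capture in this thread).
SSID = b"\x00\x04corp"
RSN_1X = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
RSN_FT = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac01" "000fac03" "0000")
MDE = bytes.fromhex("3603" "a1b2" "00")
```

Calling `ft_status(SSID + RSN_1X + MDE)` returns a Mobility Domain ID with `ft_akm` set to `False`, which is the combination to look for when a Mobility Domain element shows up on an SSID where FT is supposed to be off.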

 
