Meraki 802.1x Roaming

SOLVED
ccraddock
Here to help

Meraki 802.1x Roaming

Dear Community,

 

I am new to Meraki wireless and so I had a few concerns regarding the roaming action with Meraki Wireless when an SSID uses 802.1x. We have not currently deployed our Meraki wireless network and are still running our legacy Aruba Wireless network. We are currently using EAP-TLS with a Microsoft NPS Radius server for one of our corporate SSID's. All of the wireless clients have user certificates that are presented to the server during authentication (Windows devices and Macbooks are present in the environment). Currently, machines are able to roam pretty seamlessly between AP's. The SSIDs will be operating in bridge mode with all AP's on the same subnet. We are using MR33 AP's on MR25.13 Firmware.

 

My questions are these:

 

1) Are there any issues I should be aware of as it pertains to roaming between Meraki AP's when connected to an SSID that requires 802.1x authentication? I was reading that 802.11r is supposed to help this but also saw that it could cause issues? I was also reading that PEAP "fast reconnect" is an option but we are not running PEAP.

 

2) If 802.11r is enabled, should I be using "Enabled" or "Adaptive" mode?

 

Please let me know what you think? I have not yet deployed the wireless but plan to do so in the next couple of weeks.

 

Thanks.

1 ACCEPTED SOLUTION


@ccraddock wrote:

@NolanHerring@PhilipDAth ,

 

Thank you both so much for your responses. these are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? if this is the case then it makes sense as to why all the AP's need to be on the same subnet.

 

Thanks.


See this:

 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Pairwise_Master_Key_and_Opportuni...

 

For 802.11r, I'm honestly not sure if Meraki uses Over-the-DS or Over-the-Air but the gist is that yes, the first AP will share the PMKID to all the other ones in the same L2 domain.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

View solution in original post

9 REPLIES 9
NolanHerring
Kind of a big deal

1. You may or may not run into any compatibility issues. Only one way to find out really 😃

Windows 10 is supposed to support 802.11r, so you could gain a benefit for this. Apple's OS X however does not support 802.11r, so this MIGHT be where you run into issues for that corporate SSID. Honestly I have tried it yet, so someone else might be able to comment on that one.

Adaptive mode is a special mode designed only for iOS 10 devices to utilize the 802.11r feature, and the other clients will still connect and not have any issues. So unless you have any iOS 10 devices using your EAP-TLS setup, then this won't really do anything for you.

Pretty sure the only 'fast roaming' that OSX supports is PMKID (think of this as fast-roam-back, meaning after he does a full auth to an AP, he can come back to it without having to do a full auth again, i think the limit is 8 access points for this per client). Would be nice if it supported OKC (all access points in the same L2 cache the client) but I'm preeeeetty sure they don't.
Nolan Herring | nolanwifi.com
TwitterLinkedIn

@NolanHerring ,

 

Thanks for the reply! We run a mix of Windows 8 and Windows 10 devices, we also have roughly 10 or 12 Mac users all running anywhere from Sierra, to High Sierra and possibly Mojave. My concern is that we are moving away from a controller based wireless model where the controller handles all the fast roaming features to Meraki, and Im not sure how the Meraki AP's coordinate with eachother regarding the authentication keys and such. I would think that Meraki would have thought of this already though. Like I said, I have not deployed the Meraki equipment yet but plan to do so in the next couple weeks. 


@ccraddock wrote:

@NolanHerring ,

 

Thanks for the reply! We run a mix of Windows 8 and Windows 10 devices, we also have roughly 10 or 12 Mac users all running anywhere from Sierra, to High Sierra and possibly Mojave. My concern is that we are moving away from a controller based wireless model where the controller handles all the fast roaming features to Meraki, and Im not sure how the Meraki AP's coordinate with eachother regarding the authentication keys and such. I would think that Meraki would have thought of this already though. Like I said, I have not deployed the Meraki equipment yet but plan to do so in the next couple weeks. 


Fire up a test SSID with 802.11r set to Enabled and see if the Windows 8 can or can't connect, same with Windows 10.  I don't have any Windows 8 machines to test with myself.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

@NolanHerring@PhilipDAth ,

 

Thank you both so much for your responses. these are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? if this is the case then it makes sense as to why all the AP's need to be on the same subnet.

 

Thanks.


@ccraddock wrote:

@NolanHerring@PhilipDAth ,

 

Thank you both so much for your responses. these are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? if this is the case then it makes sense as to why all the AP's need to be on the same subnet.

 

Thanks.


See this:

 

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Pairwise_Master_Key_and_Opportuni...

 

For 802.11r, I'm honestly not sure if Meraki uses Over-the-DS or Over-the-Air but the gist is that yes, the first AP will share the PMKID to all the other ones in the same L2 domain.

Nolan Herring | nolanwifi.com
TwitterLinkedIn

It appears PMK caching and OKC was the answer I was looking for. I am glad to know the Meraki AP's do this by default. As far as 802.11r is concerned, ill probably attempt it in adaptive mode to start as we will have a separte SSID using WPA2-PSK that allows folks to connect their mobile devices to. 

 

Thanks again everyone for your efforts to assist me.

Keep in mind 802.11r is only useful for 802.1X deployments. Don't use it with PSK setups. Good luck !
Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal

802.1x is an authentication framework, and EAP-TLS is a specific method.  If you are using EAP-TLS then you are using 802.1x.

 

You can continue to use EAP-TLS with an NPS server with Meraki if you like.

 

PEAP is another specific authentication method of 802.1x.  The roaming will be identical weather you use EAP-TLS or PEAP.

 

802.11r improves roaming by helping the client find other APs that it can roam to.  802.11r got a bad rep because of many security issues.  The security issues are less severe when using it with 802.1x.

 

I woiuld tend to use 802.11r in "Enabled" mode if you have modern devices connecting.  If you have a device than can not support 802.11r then they will not be able to connect to the network.

"Adaptive" mode only uses it with clients than can support it - but often not all clients that can support it.  So you end up with lots of 802.11r capable clients not using 802.11r.


@PhilipDAth wrote:

802.11r improves roaming by helping the client find other APs that it can roam to.  802.11r got a bad rep because of many security issues.  The security issues are less severe when using it with 802.1x.

 

 

"Adaptive" mode only uses it with clients than can support it - but often not all clients that can support it.  So you end up with lots of 802.11r capable clients not using 802.11r.


 

Phil I think your thinking of 802.11k? And for reference to the original poster, all that KRACK stuff has been patched if you were curious:

 

https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...

 

 

802.11r (kind of like OKC but even faster) will have a client do a full EAP authentication, and then cache the PMK on all the other access points (much more complicated that this but for simplicity sake lets not go into super details). Important note here since there is no WLC with Meraki, is that Meraki requires those AP's to be on the same L2 domain (same subnet basically). End-goal being that when the client does roam from AP to AP, he doesn't have to do a full EAP authentication all over again (which takes forever in the wireless world), and the process is now just 4 frames, with the 4 way handshake being 'baked' into the authentication and reassociation frames.

 

1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response

 

For reference, OKC (which Meraki supports/is enabled by default), would look as such:

 

1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
5. EAPoL Key Message 1
6. EAPoL Key Message 2
7. EAPoL Key Message 3
8. EAPoL Key Message 4


On the Cisco WLC side, they have a 'mixed mode' for 802.11r so that clients that do support it, will use it, and clients that don't will not. This is great because the single SSID can serve both types of clients (presumably without issue).

I've honestly never bothered with 802.11r on the Meraki side yet but this thread is making me want to test it more now lol.

 

Phil correct me if I am wrong but the only documentation that I can find for 'Adaptive Mode' is that it is strictly for iOS 10 devices to benefit from 802.11r and that's basically it. Not sure if another device type that does support it would use it or not. Would have to ask support because their documentation seems lacking on this insight.

 

 

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels