Roaming behavior

Kevin31
Here to help

Hi all,

 

I'm seeing what appears to be unexpected roaming behavior on iPhone 11 devices, between two MR36's installed in a residential site. 

 

When iPhone 11 devices connect to a different AP, the event log shows the following. In this case the iPhone moves from downstairs to upstairs:

[Image: iPhone downstairs to upstairs.png]

Whereas I was expecting the following roaming behavior, like this Android device roaming from upstairs to downstairs:

[Image: Android upstairs to downstairs.png]

 

iPhone 11's do not hit the PMKSA cache, where all other devices on this network (including the Android client above) do. At first I suspected 802.11ax to be the bottleneck, but disabling it does not change anything.

 

Do I see correctly that iPhone 11 clients in this case are not roaming as intended? If so, what would you recommend trying to fix this?

 

Thanks a lot for your insights!

 

SSID settings

  • 802.1X with Meraki RADIUS
  • Bridge Mode
  • 802.11r: adaptive
  • 802.11w: enabled and allow unsupported clients

 

Radio settings

  • Basic indoor profile with no AP overrides
  • Dual band with band steering
  • Client balancing: On
  • Auto channel assignment / power
  • 802.11ax: On, on both bands

MerakiDave
Meraki Employee

Hi @Kevin31, your settings all look correct. I would suggest opening a case with Meraki Support and getting a plan in place to try tweaking certain settings, in a certain order, to gather some additional data points. I'd also suggest getting on the 27.5 firmware and confirming you get those same results with your roaming tests. Also note there is not necessarily anything wrong, as the roaming behavior is completely dependent on the client, the OS, the driver version, etc. Here's another related thread if it helps: https://community.meraki.com/t5/Wireless-LAN/Wireless-roaming-for-client-to-AP-s-not-connecting-to-c...

Thanks for your reply! I have opened a case with Meraki Support to see if they can get some more insights from the back-end. 

PhilipDAth
Kind of a big deal

As I understand it, PMKSA is a per-AP cache. It can only be used if the AP has seen the client recently and the cache of the key is still valid.

You would need to make the iPhone roam to a different AP and then roam back again to see this (I would expect).

My initial thoughts are that you don't have a problem ...

Thanks for your thoughts. I did some testing and double checked: the iPhone never hits the PMKSA cache. Actually it never did since installing the APs. 

For the Android devices I see in the logs frequent “OKC Match” and “PMKSA Cache Match”. For the iPhone not a single instance. Each time the iPhone roams between APs, it has to authenticate against the Meraki RADIUS server, which seems inefficient to me and not the expected behavior.
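
A simplified model of the roaming outcomes discussed in this thread, added here as an illustration (it is not Meraki's code and not part of the original posts). It uses the HMAC-SHA1 PMKID derivation from IEEE 802.11; the class and function names, MAC addresses and PMK are constructed for the example, and the event strings are borrowed from the log entries quoted above.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, bssid: bytes, sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    return hmac.new(pmk, b"PMK Name" + bssid + sta, hashlib.sha1).digest()[:16]

class AP:
    """Hypothetical AP model: a local PMKSA cache plus an optional shared OKC store."""
    def __init__(self, name, bssid, okc_store=None):
        self.name, self.bssid = name, bssid
        self.pmksa = {}             # PMKID -> PMK, local to this AP only
        self.okc_store = okc_store  # shared {client MAC: PMK}; None means OKC is off

    def full_auth(self, sta, pmk):
        """A full 802.1X/EAP exchange finished: cache the PMKSA for this BSSID."""
        self.pmksa[pmkid(pmk, self.bssid, sta)] = pmk
        if self.okc_store is not None:
            self.okc_store[sta] = pmk

    def reassociate(self, sta, offered_pmkid):
        """Classify a reassociation by the PMKID the client offers (None = none offered)."""
        if offered_pmkid in self.pmksa:
            return "PMKSA Cache Match"
        pmk = (self.okc_store or {}).get(sta)
        expected = pmkid(pmk, self.bssid, sta) if pmk else b""
        if pmk and hmac.compare_digest(expected, offered_pmkid or b""):
            self.pmksa[offered_pmkid] = pmk   # now cached locally as well
            return "OKC Match"
        return "Full 802.1X"                  # falls back to RADIUS authentication

def demo():
    sta = bytes.fromhex("02aabbccdd01")                      # constructed client MAC
    pmk = hashlib.sha256(b"constructed sample PMK").digest() # constructed 32-byte PMK
    shared = {}
    down = AP("downstairs", bytes.fromhex("02000000aa01"), shared)
    up = AP("upstairs", bytes.fromhex("02000000aa02"), shared)
    down.full_auth(sta, pmk)                                 # first connection downstairs
    return [
        up.reassociate(sta, pmkid(pmk, up.bssid, sta)),      # new AP, client derives PMKID for it
        down.reassociate(sta, pmkid(pmk, down.bssid, sta)),  # roam back to an AP seen before
        up.reassociate(sta, None),                           # client offers no PMKID at all
        up.reassociate(sta, pmkid(pmk, down.bssid, sta)),    # PMKID bound to the other BSSID
    ]

if __name__ == "__main__":
    for event in demo():
        print(event)
```

Because the BSSID is an input to the PMKID, a cached entry is only valid on the AP it was created for, and any reassociation that arrives without a matching PMKID ends in a full RADIUS authentication.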

Just to keep you updated - spoke with a support engineer who was very helpful. He could capture/witness the roaming issue from watching the logs and is going to try to replicate the issue using a testing set-up. 

 

Meanwhile I also did some testing of my own. Fully disabling 802.11w for the affected SSID (instead of 'Enabled - allow unsupported clients') seems to have solved the roaming issues. This also solved an issue where the iPhone would be unable to associate with the network when connecting to the SSID for the first time. (Eventually, after reconnecting many, many times, it would successfully connect.)

I'm interested to see if my findings are in line with the testing results from Meraki Support. Also, for security reasons I would like to be able to set 802.11w to 'Enabled - allow unsupported clients' again without it affecting roaming capabilities. Please note that per Apple's documentation: "802.11w's protected management frames (PMF) interoperate with iOS and iPadOS support for 802.11k, 802.11r, and 802.11v." (https://support.apple.com/en-us/HT202628).
