The inside skinny on 802.11r and 802.11k

RumorConsumer
Head in the Cloud

Ok, do these actually help? I am a pretty basic user with a big property and about 20 gateways with a lot of roaming and about 50 iOS devices and 40 Macs. Does this stuff actually help? I only see a place to turn on 802.11r in the dashboard, but not K.

Referencing https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview

It says only use 802.11r if I am using enterprise authentication methods? I use WPA2. Is that me or somebody more complex?

Would you turn either of these on? I use standard Bridge mode networks. No concentrator. Just a single MX and a bunch of switches and APs.

Whoa, just found - https://meraki.cisco.com/blog/2018/08/protecting-your-networks-from-the-latest-wpa1-wpa2-psk-vulnera...

But I don't care. Everybody on my site is on the same network anyways and I care much more about them having seamless VoIP and iOS roaming experiences than I do about somebody getting our Wi-Fi password through this hack. We are WAY out in the country and there is just nobody around. Seems like a good idea to turn it on.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
Adam2104
Building a reputation

802.11r has security issues when using WPA2 PSK (pre-shared-keys). If you're using that mode, don't turn on 802.11r. Its primary benefit is speeding up the transition from access point to access point when using WPA2 Enterprise authentication. Proper network design and AP transmit power tuning is where you should focus your efforts if you're using WPA2 PSK.

Ok, but literally I run a camp in the middle of nowhere with zero chance that a foreign entity would proximally hack my network, zero. With tons of iOS devices with the Meraki stuff on full auto power levels. Why not use it?


I don't see the downside.  Give it a try. 

GIdenJoe
Kind of a big deal

I would limit the power output of your APs to about 14 dBm.

About 802.11r, it does not really provide much of an edge when using WPA2-PSK.
Usually a full roam using PSK and the 4-way handshake takes around 50 to 80 msec.
The 802.11r part will take it down further but at the expense of the security issue and the potential for devices not supporting 802.11r and just refusing to join the SSID.

However, on a WPA2-Enterprise SSID a full authentication can take more than a second depending on network situation and proximity of the RADIUS server. There 802.11r can be a true blessing.

Enabling 802.11k is a no-brainer. All devices that support it will be able to receive the neighbor list and take advantage of that list to do less scanning and thus roam faster.

Ok, that makes sense @GIdenJoe. I have literally seen no problems with roaming. If I turn on the adaptive version it will stave off compatibility issues, no?

Regarding 802.11k, I can't find the control for that... where is it?


It is my understanding that 802.11k is just always enabled.

Correct. Adaptive means that 802.11r is not announced via the RSN IE, so non-supporting clients will not trip over it. But clients that support adaptive will get the clue via an Aironet IE and will negotiate 802.11r at association.

802.11k is always on.
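
As an added example (not code from the thread participants or from Meraki), this Python check ties together two points made above: the security concern applies to 802.11r combined with WPA2-PSK, and non-adaptive 802.11r is announced in the RSN IE. It parses the AKM suite list of an RSN element taken from a beacon and flags FT-PSK; the function names and sample bytes are constructed for illustration, and the suite numbers are the IEEE 802.11 assignments.

```python
import struct

# AKM suite types under the IEEE 802.11 OUI 00-0F-AC.
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {"FT-802.1X", "FT-PSK", "FT-SAE"}
IEEE_OUI = bytes.fromhex("000fac")

# Constructed sample RSN elements (CCMP ciphers), not captured from any network.
RSN_PSK_ONLY = bytes.fromhex(
    "3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
RSN_PSK_AND_FT = bytes.fromhex(
    "3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac04 0000")


def parse_rsn_akms(ie: bytes) -> list:
    """Return the AKM suite names listed in one RSN element (element ID 48)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    pos = 6  # skip version (2 bytes) and group cipher suite (4 bytes)
    if len(body) < pos + 2:
        return []  # fields after the version are optional
    (n_pairwise,) = struct.unpack_from("<H", body, pos)
    pos += 2 + 4 * n_pairwise  # skip the pairwise cipher suite list
    if len(body) < pos + 2:
        return []
    (n_akm,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if len(body) < pos + 4 * n_akm:
        raise ValueError("AKM list runs past the end of the element")
    names = []
    for off in range(pos, pos + 4 * n_akm, 4):
        oui, kind = body[off:off + 3], body[off + 3]
        names.append(AKM_NAMES.get(kind, "unknown(%d)" % kind)
                     if oui == IEEE_OUI else "vendor:" + body[off:off + 4].hex())
    return names


def audit_ssid(ie: bytes) -> dict:
    """Report whether FT is announced in the RSN element, and whether with PSK."""
    akms = parse_rsn_akms(ie)
    return {"akms": akms,
            "ft_announced": any(a in FT_AKMS for a in akms),
            "ft_psk": "FT-PSK" in akms}
```

As the last reply describes, adaptive 802.11r is not announced in the RSN IE, so this check reports no FT for an SSID in that mode.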
