Hi all,
We have an SSID (broadcasted) using 802.1X enterprise authentication by user client cert against Cisco ISE/Windows AD.
APs are MR52 on version 27.6.
The option to enable 802.11r does not appear on the SSID settings page.
It does appear on, for example, an SSID with PSK auth.
Can anyone suggest why the 802.11r option is missing? Is there something I'm not understanding here? I thought 802.11r was supposed to be of benefit where such authentication is in use, in order to avoid a full de-auth and re-auth by clients when they roam. Currently we are experiencing delays with clients getting re-authenticated on this SSID. Sometimes users are saying that they have to disable and re-enable wireless on their machines in order to get them to reconnect, and sometimes even reboot.
What are the "Addressing and traffic options" you have set for that SSID? 802.11r is removed as an option if they are set to either "NAT" or "Layer 3 roaming".
Sorry I should have mentioned that we are using bridge mode. We never use NAT or L3.
I use ISE and 802.11r is available... PMF, aka 802.11w, will disable 802.11r.
Protected Management Frames (802.11w) can be used to prevent client spoofing, but when it is required Fast Roaming (802.11r) is not supported.
802.11r is also not available while using NAT mode or Layer 3 roaming.
@chrissw : This feature can be enabled from the Configure > Access control page under Network access > 802.11r. If this option does not appear, a firmware update may be required.
Check below
https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11k_and_802.11r_Overview
Thanks but I've read that bit of documentation, and I know where the 802.11r option should appear (see below).
Is a firmware update required from 27.6? Perhaps someone from Meraki can answer that.
What is more strange is that an SSID with PSK authentication does have 802.11r available as an option.
Also my own test network, which has 802.1X-enterprise authentication against an open source RADIUS server also has 802.11r available.
I cannot work out what it is about our use, in production, of authentication against Cisco ISE, which backs off to Windows AD, that is preventing 802.11r from even being available.
From my experience, one of the things that disables 802.11r is 802.11w. Try setting it to Enabled or Disabled to see if 802.11r appears.
We have an answer from Meraki support.
It is Cisco ISE causing the non-availability of 802.11r.
Apparently because RADIUS CoA is enabled by design when using Cisco ISE for authentication, this disables 802.11r. According to Meraki, "due to CoA...we need to do a full authentication on every roam in order to apply the policy."
Moreover there is no way to disable CoA.
So if you're using Cisco ISE for authentication, you can say goodbye to 802.11r. Which isn't a good look, given that these are two Cisco products. This is going to cause us significant difficulties.
But in this case you probably also have a splash-page configured. If you just use the ISE for .1X, you typically still have 802.11r available. With just AAA to the ISE there is no need to CoA.
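The thread above lists several SSID settings that remove the 802.11r option (NAT mode or Layer 3 roaming, 802.11w set to Required, RADIUS CoA, and a splash page such as ISE CWA). The following is an added example, not code from the thread or from Meraki: a preflight check that takes an SSID object shaped like the Dashboard API's GET /networks/{networkId}/wireless/ssids/{number} response and reports which of those conditions are present. The field names used (ipAssignmentMode, dot11w, dot11r, radiusCoaEnabled, splashPage) and their values are assumptions about that API schema; verify them against the current API reference before relying on the output. The sample SSID objects are constructed for the example.

```python
"""Preflight check for 802.11r (Fast BSS Transition) availability on a Meraki SSID.

Added example, not from the forum thread or from Meraki. The field names and
values below are assumptions about the Dashboard API SSID schema.
"""

# Addressing modes under which the thread says 802.11r is not offered.
# Assumed API values; Bridge mode is the one that keeps 802.11r available.
NO_DOT11R_IP_MODES = {"NAT mode", "Layer 3 roaming"}


def dot11r_blockers(ssid: dict) -> list[str]:
    """Return the list of settings on this SSID that block 802.11r.

    An empty list means none of the conditions named in the thread apply.
    """
    reasons: list[str] = []

    mode = ssid.get("ipAssignmentMode")
    if mode in NO_DOT11R_IP_MODES:
        reasons.append(f"ipAssignmentMode is '{mode}' (802.11r needs Bridge mode)")

    # 802.11w (PMF) only blocks 802.11r when it is *required*, not merely enabled.
    dot11w = ssid.get("dot11w") or {}
    if dot11w.get("enabled") and dot11w.get("required"):
        reasons.append("802.11w (PMF) is set to Required")

    # RADIUS CoA forces a full authentication on every roam (per Meraki support).
    if ssid.get("radiusCoaEnabled"):
        reasons.append("RADIUS CoA is enabled")

    # A splash page (e.g. ISE CWA posture flow) implies CoA as well.
    splash = ssid.get("splashPage") or "None"
    if splash != "None":
        reasons.append(f"splash page '{splash}' is configured")

    return reasons


def report(ssid: dict) -> str:
    """Human-readable one-line summary for an SSID."""
    name = ssid.get("name", "?")
    blockers = dot11r_blockers(ssid)
    if not blockers:
        return f"{name}: 802.11r available"
    return f"{name}: 802.11r blocked by " + "; ".join(blockers)


# Constructed sample SSIDs (not real API output).
PSK_BRIDGE = {
    "name": "Guest-PSK",
    "authMode": "psk",
    "ipAssignmentMode": "Bridge mode",
    "dot11w": {"enabled": True, "required": False},
    "radiusCoaEnabled": False,
    "splashPage": "None",
}

ISE_DOT1X_ONLY = {
    "name": "Corp-1X",
    "authMode": "8021x-radius",
    "ipAssignmentMode": "Bridge mode",
    "dot11w": {"enabled": True, "required": False},
    "radiusCoaEnabled": False,
    "splashPage": "None",
}

ISE_CWA_POSTURE = {
    "name": "Corp-Posture",
    "authMode": "8021x-radius",
    "ipAssignmentMode": "Layer 3 roaming",
    "dot11w": {"enabled": True, "required": True},
    "radiusCoaEnabled": True,
    "splashPage": "Cisco ISE",
}

if __name__ == "__main__":
    for s in (PSK_BRIDGE, ISE_DOT1X_ONLY, ISE_CWA_POSTURE):
        print(report(s))
```

Run it against the JSON returned by the API for each SSID to see which setting is removing the option before opening a support case; an SSID that uses ISE purely for 802.1X, in Bridge mode, with PMF optional and no splash page, should come back with no blockers.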
What about if you use ISE for posture assessment using CWA or LWA for login?
We are finding out this issue in our environment. Coming from a WLC 2504 with 10 APs that works perfectly well for posture (and guest wireless roaming), these new CW9166Is don't do well with posture, ISE and roaming. Clients continue to randomly get de-authenticated from the network while still staying connected to the SSID. This only happens with the myRADIUS / ISE authentication settings; guest wireless with WPA2-PSK is fine.
If the user disconnects or disables the wireless card, waits 10 seconds and reconnects, the session is re-authenticated. Or, if the user opens AnyConnect and selects "Block connection from untrusted servers" in the ISE posture (system scan) module, this also triggers a re-authentication without having to disconnect the wireless.
Since the guest wireless is in the meraki bridge mode, it drops the connection when roaming as 802.11r is not possible in bridge mode.