Meraki

Community

CoA and Fast Roaming

RaphaelL
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 11:23 AM
‎Nov 22 2022 11:23 AM

CoA and Fast Roaming

Hi ,

 

I was reading the documentation about CoA  ( https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... ) 

 

Roaming with CoA

There are a number of advantages to CoA and it enables many new use cases. SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms like PMKsa, OKC, and 802.11r will be disabled on the SSID that is configured for CoA. Clients are forced to complete EAP on every association which ensures that the RADIUS server will send the CoA to the correct Access Point.

 

Let's say I have an SSID with WPA2-Enterprise and a Radius server configured. I also have 802.11r enabled AND CoA configured. Does that mean that 802.11r won't work at all since Clients are forced to complete EAP on every association

 

Will it cause conflict ?

Labels:
0 Kudos
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 11:49 AM
‎Nov 22 2022 11:49 AM

I understood that when you enable CoA the 802.11r will be disabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 11:57 AM
‎Nov 22 2022 11:57 AM

I don't know the answer.

 

I can tell you 802.11r has fallen out of favour.  I used to use it all the time 5 years ago.  I don't use it at all now.

 

There was a bunch of non-fixable security issues with the protocol.

https://documentation.meraki.com/General_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-1... 

 

 

In response to PhilipDAth
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 1:08 PM
‎Nov 22 2022 1:08 PM

I would retract that statement 😉
802.11r is only out of favor in WPA2-Personal SSID's.
For 802.1X WPA2-Enterprise it is standard to use 802.11r.

I find this behavior @RaphaelL describes disturbing.  In regular Cisco AP's you have flexconnect and there these kinds of details are shared between all AP's in the same flex group(AireOS)/same site tag(IOS-XE) to have 802.11r work perfectly with CoA.  I would only ask if Meraki would do the same for AP's inside the same dashboard network...

 

So basically as it stands now: the moment you put that CoA button to enabled your SSID will not use 802.11r...

KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 23 2022 1:02 AM
‎Nov 23 2022 1:02 AM

Perhaps we should all add a wish that FT should be implemented together with CoA.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 9:54 AM
‎Oct 25 2023 9:54 AM

After a year , they re-added the warning : 

 

RaphaelL_0-1698252841344.png

 

I will be testing if that's true... 

In response to RaphaelL
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 10:34 AM
‎Oct 25 2023 10:34 AM

EDIT :Pretty sure it now disables 802.11r... 

 

According to : https://mac-wifi.com/how-to-verify-whether-802-11k-and-11r-are-enabled-via-a-capture/

 

If the section Mobility Domain is present , the SSID is supporting 802.11r. Which it goes against the warning... will re-open my case.

 

RaphaelL_0-1698255233430.png

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.