Meraki

RaphaelL · ‎Nov 22 2022

Hi ,

I was reading the documentation about CoA ( https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... )

Roaming with CoA

There are a number of advantages to CoA and it enables many new use cases. SSIDs that require fast roaming should not use CoA. Fast roaming mechanisms like PMKsa, OKC, and 802.11r will be disabled on the SSID that is configured for CoA. Clients are forced to complete EAP on every association which ensures that the RADIUS server will send the CoA to the correct Access Point.

Let's say I have an SSID with WPA2-Enterprise and a Radius server configured. I also have 802.11r enabled AND CoA configured. Does that mean that 802.11r won't work at all since Clients are forced to complete EAP on every association

Will it cause conflict ?

alemabrahao · ‎Nov 22 2022

I understood that when you enable CoA the 802.11r will be disabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

PhilipDAth · ‎Nov 22 2022

I don't know the answer.

I can tell you 802.11r has fallen out of favour. I used to use it all the time 5 years ago. I don't use it at all now.

There was a bunch of non-fixable security issues with the protocol.

https://documentation.meraki.com/General_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-1...

GIdenJoe · ‎Nov 22 2022

I would retract that statement 😉
802.11r is only out of favor in WPA2-Personal SSID's.
For 802.1X WPA2-Enterprise it is standard to use 802.11r.

I find this behavior @RaphaelL describes disturbing. In regular Cisco AP's you have flexconnect and there these kinds of details are shared between all AP's in the same flex group(AireOS)/same site tag(IOS-XE) to have 802.11r work perfectly with CoA. I would only ask if Meraki would do the same for AP's inside the same dashboard network...

So basically as it stands now: the moment you put that CoA button to enabled your SSID will not use 802.11r...

KarstenI · ‎Nov 23 2022

Perhaps we should all add a wish that FT should be implemented together with CoA.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

RaphaelL · ‎Oct 25 2023

After a year , they re-added the warning :

I will be testing if that's true...

RaphaelL · ‎Oct 25 2023

EDIT :~~Pretty sure it now disables 802.11r...~~

According to : https://mac-wifi.com/how-to-verify-whether-802-11k-and-11r-are-enabled-via-a-capture/

If the section Mobility Domain is present , the SSID is supporting 802.11r. Which it goes against the warning... will re-open my case.

Purroy

With MR32.1.x and ISE 3.3.0.430-Patch 5 there is support for CoA + 802.11r fast roaming simultaneously.

RaphaelL · Do you *need* to have ISE 3.3.0.430-Patch 5 or is it just prefered ?

Do you need to have ISE 3.3.0.430-Patch 5 or is it just prefered ?

KarstenI

Can you elaborate on how it is handled internally? Is there an AP to AP communication for the PMK-R1, or distributed through the cloud ...

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Meraki

Community

CoA and Fast Roaming

CoA and Fast Roaming

Roaming with CoA