Dear Community,
I am new to Meraki wireless and so I had a few concerns regarding the roaming action with Meraki Wireless when an SSID uses 802.1x. We have not currently deployed our Meraki wireless network and are still running our legacy Aruba Wireless network. We are currently using EAP-TLS with a Microsoft NPS Radius server for one of our corporate SSID's. All of the wireless clients have user certificates that are presented to the server during authentication (Windows devices and Macbooks are present in the environment). Currently, machines are able to roam pretty seamlessly between AP's. The SSIDs will be operating in bridge mode with all AP's on the same subnet. We are using MR33 AP's on MR25.13 Firmware.
My questions are these:
1) Are there any issues I should be aware of as it pertains to roaming between Meraki AP's when connected to an SSID that requires 802.1x authentication? I was reading that 802.11r is supposed to help this but also saw that it could cause issues? I was also reading that PEAP "fast reconnect" is an option but we are not running PEAP.
2) If 802.11r is enabled, should I be using "Enabled" or "Adaptive" mode?
Please let me know what you think. I have not yet deployed the wireless but plan to do so in the next couple of weeks.
Thanks.
@ccraddock wrote:
Thank you both so much for your responses. These are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? If this is the case then it makes sense as to why all the AP's need to be on the same subnet.
Thanks.
See this:
For 802.11r, I'm honestly not sure if Meraki uses Over-the-DS or Over-the-Air but the gist is that yes, the first AP will share the PMKID to all the other ones in the same L2 domain.
Thanks for the reply! We run a mix of Windows 8 and Windows 10 devices, we also have roughly 10 or 12 Mac users all running anywhere from Sierra, to High Sierra and possibly Mojave. My concern is that we are moving away from a controller-based wireless model where the controller handles all the fast roaming features to Meraki, and I'm not sure how the Meraki AP's coordinate with each other regarding the authentication keys and such. I would think that Meraki would have thought of this already though. Like I said, I have not deployed the Meraki equipment yet but plan to do so in the next couple weeks.
@ccraddock wrote:
Thanks for the reply! We run a mix of Windows 8 and Windows 10 devices, we also have roughly 10 or 12 Mac users all running anywhere from Sierra, to High Sierra and possibly Mojave. My concern is that we are moving away from a controller-based wireless model where the controller handles all the fast roaming features to Meraki, and I'm not sure how the Meraki AP's coordinate with each other regarding the authentication keys and such. I would think that Meraki would have thought of this already though. Like I said, I have not deployed the Meraki equipment yet but plan to do so in the next couple weeks.
Fire up a test SSID with 802.11r set to Enabled and see if the Windows 8 can or can't connect, same with Windows 10. I don't have any Windows 8 machines to test with myself.
Thank you both so much for your responses. These are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? If this is the case then it makes sense as to why all the AP's need to be on the same subnet.
Thanks.
It appears PMK caching and OKC was the answer I was looking for. I am glad to know the Meraki AP's do this by default. As far as 802.11r is concerned, I'll probably attempt it in adaptive mode to start as we will have a separate SSID using WPA2-PSK that allows folks to connect their mobile devices to.
Thanks again everyone for your efforts to assist me.
802.1x is an authentication framework, and EAP-TLS is a specific method. If you are using EAP-TLS then you are using 802.1x.
You can continue to use EAP-TLS with an NPS server with Meraki if you like.
PEAP is another specific authentication method of 802.1x. The roaming will be identical whether you use EAP-TLS or PEAP.
802.11r improves roaming by helping the client find other APs that it can roam to. 802.11r got a bad rep because of many security issues. The security issues are less severe when using it with 802.1x.
I would tend to use 802.11r in "Enabled" mode if you have modern devices connecting. If you have a device that cannot support 802.11r then they will not be able to connect to the network.
"Adaptive" mode only uses it with clients that can support it - but often not all clients that can support it. So you end up with lots of 802.11r capable clients not using 802.11r.
@PhilipDAth wrote:
802.11r improves roaming by helping the client find other APs that it can roam to. 802.11r got a bad rep because of many security issues. The security issues are less severe when using it with 802.1x.
"Adaptive" mode only uses it with clients that can support it - but often not all clients that can support it. So you end up with lots of 802.11r capable clients not using 802.11r.
Phil I think you're thinking of 802.11k? And for reference to the original poster, all that KRACK stuff has been patched if you were curious:
802.11r (kind of like OKC but even faster) will have a client do a full EAP authentication, and then cache the PMK on all the other access points (much more complicated than this but for simplicity's sake let's not go into super details). Important note here since there is no WLC with Meraki, is that Meraki requires those AP's to be on the same L2 domain (same subnet basically). End-goal being that when the client does roam from AP to AP, he doesn't have to do a full EAP authentication all over again (which takes forever in the wireless world), and the process is now just 4 frames, with the 4 way handshake being 'baked' into the authentication and reassociation frames.
1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
For reference, OKC (which Meraki supports/is enabled by default), would look as such:
1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
5. EAPoL Key Message 1
6. EAPoL Key Message 2
7. EAPoL Key Message 3
8. EAPoL Key Message 4
On the Cisco WLC side, they have a 'mixed mode' for 802.11r so that clients that do support it, will use it, and clients that don't will not. This is great because the single SSID can serve both types of clients (presumably without issue).
I've honestly never bothered with 802.11r on the Meraki side yet but this thread is making me want to test it more now lol.
Phil correct me if I am wrong but the only documentation that I can find for 'Adaptive Mode' is that it is strictly for iOS 10 devices to benefit from 802.11r and that's basically it. Not sure if another device type that does support it would use it or not. Would have to ask support because their documentation seems lacking on this insight.
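To make the OKC / PMK caching behaviour discussed above concrete, here is a small model added to this thread (it is not Meraki, Cisco or NPS code). It derives the PMKID the way IEEE 802.11 defines it for WPA2-Enterprise and shows why a roam to an AP in the same L2 domain skips the EAP exchange while a roam to an AP that never received the PMK, or a client holding a stale PMK, falls back to a full authentication. The MAC addresses, the PMK bytes and the L2Domain class are constructed for illustration.

```python
import hmac
import hashlib
from typing import Dict

# PMKID as IEEE 802.11 specifies for WPA2 (802.1X AKM):
#   PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
# AA = authenticator (AP/BSSID) MAC, SPA = supplicant (client) MAC.
def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

class L2Domain:
    """Constructed model: APs on one VLAN sharing a PMK cache keyed by client MAC."""
    def __init__(self, ap_macs):
        self.ap_macs = set(ap_macs)
        self.cache: Dict[bytes, bytes] = {}

    def full_eap_auth(self, ap_mac: bytes, client_mac: bytes, pmk: bytes) -> None:
        # After the full EAP-TLS exchange a PMK exists; with OKC the first AP
        # shares it so every AP in the same L2 domain can serve this client.
        if ap_mac in self.ap_macs:
            self.cache[client_mac] = pmk

    def reassociate(self, ap_mac: bytes, client_mac: bytes, client_pmkid: bytes) -> str:
        # The client lists the PMKID it computed for *this* AP in its
        # reassociation request; the AP recomputes it from the cached PMK.
        # A match skips EAP and goes straight to the 4-way handshake (8 frames).
        pmk = self.cache.get(client_mac)
        if ap_mac in self.ap_macs and pmk is not None and hmac.compare_digest(
                client_pmkid, pmkid(pmk, ap_mac, client_mac)):
            return "okc"
        return "full-eap"

def roam_scenario() -> Dict[str, str]:
    # Constructed MACs and PMK; in practice the PMK comes from the EAP-TLS MSK.
    client, ap1, ap2 = mac("02:00:00:00:00:aa"), mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    ap_remote = mac("02:00:00:00:00:03")
    pmk = bytes(range(32))
    vlan = L2Domain([ap1, ap2])          # the corporate VLAN the AP's share
    other_subnet = L2Domain([ap_remote])  # an AP that never received the PMK
    vlan.full_eap_auth(ap1, client, pmk)  # initial 802.1X/EAP-TLS on AP1
    return {
        "same_vlan": vlan.reassociate(ap2, client, pmkid(pmk, ap2, client)),
        "other_subnet": other_subnet.reassociate(ap_remote, client, pmkid(pmk, ap_remote, client)),
        "stale_pmk": vlan.reassociate(ap2, client, pmkid(b"\x00" * 32, ap2, client)),
    }
```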