Solved
@ccraddock wrote:
Thank you both so much for your responses. these are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? if this is the case then it makes sense as to why all the AP's need to be on the same subnet.
Thanks.
See this:
For 802.11r, I'm honestly not sure if Meraki uses Over-the-DS or Over-the-Air but the gist is that yes, the first AP will share the PMKID to all the other ones in the same L2 domain.
Windows 10 is supposed to support 802.11r, so you could gain a benefit for this. Apple's OS X however does not support 802.11r, so this MIGHT be where you run into issues for that corporate SSID. Honestly I have tried it yet, so someone else might be able to comment on that one.
Adaptive mode is a special mode designed only for iOS 10 devices to utilize the 802.11r feature, and the other clients will still connect and not have any issues. So unless you have any iOS 10 devices using your EAP-TLS setup, then this won't really do anything for you.
Pretty sure the only 'fast roaming' that OSX supports is PMKID (think of this as fast-roam-back, meaning after he does a full auth to an AP, he can come back to it without having to do a full auth again, i think the limit is 8 access points for this per client). Would be nice if it supported OKC (all access points in the same L2 cache the client) but I'm preeeeetty sure they don't.
@ccraddock wrote:
Thanks for the reply! We run a mix of Windows 8 and Windows 10 devices, we also have roughly 10 or 12 Mac users all running anywhere from Sierra, to High Sierra and possibly Mojave. My concern is that we are moving away from a controller based wireless model where the controller handles all the fast roaming features to Meraki, and Im not sure how the Meraki AP's coordinate with eachother regarding the authentication keys and such. I would think that Meraki would have thought of this already though. Like I said, I have not deployed the Meraki equipment yet but plan to do so in the next couple weeks.
Fire up a test SSID with 802.11r set to Enabled and see if the Windows 8 can or can't connect, same with Windows 10. I don't have any Windows 8 machines to test with myself.
@ccraddock wrote:
Thank you both so much for your responses. these are extremely helpful. I will fire up a test SSID in the next couple of days to test and see if I can connect with the Windows 8 and Windows 10 devices using 802.11r. All of the AP's will be on the same exact VLAN/Subnet, there will be no Layer 3 roaming in our environment. Can I assume that when 802.1x is being used that the AP that is initially connected to will then broadcast or otherwise communicate with all other AP's in the VLAN about that connection? Making roaming faster? If so is this some built in "behind the scenes" feature? if this is the case then it makes sense as to why all the AP's need to be on the same subnet.
Thanks.
See this:
For 802.11r, I'm honestly not sure if Meraki uses Over-the-DS or Over-the-Air but the gist is that yes, the first AP will share the PMKID to all the other ones in the same L2 domain.
@PhilipDAth wrote:802.11r improves roaming by helping the client find other APs that it can roam to. 802.11r got a bad rep because of many security issues. The security issues are less severe when using it with 802.1x.
"Adaptive" mode only uses it with clients than can support it - but often not all clients that can support it. So you end up with lots of 802.11r capable clients not using 802.11r.
Phil I think your thinking of 802.11k? And for reference to the original poster, all that KRACK stuff has been patched if you were curious:
802.11r (kind of like OKC but even faster) will have a client do a full EAP authentication, and then cache the PMK on all the other access points (much more complicated that this but for simplicity sake lets not go into super details). Important note here since there is no WLC with Meraki, is that Meraki requires those AP's to be on the same L2 domain (same subnet basically). End-goal being that when the client does roam from AP to AP, he doesn't have to do a full EAP authentication all over again (which takes forever in the wireless world), and the process is now just 4 frames, with the 4 way handshake being 'baked' into the authentication and reassociation frames.
1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
For reference, OKC (which Meraki supports/is enabled by default), would look as such:
1. Authentication Request
2. Authentication Response
3. Re-association Request
4. Re-association Response
5. EAPoL Key Message 1
6. EAPoL Key Message 2
7. EAPoL Key Message 3
8. EAPoL Key Message 4
On the Cisco WLC side, they have a 'mixed mode' for 802.11r so that clients that do support it, will use it, and clients that don't will not. This is great because the single SSID can serve both types of clients (presumably without issue).
I've honestly never bothered with 802.11r on the Meraki side yet but this thread is making me want to test it more now lol.
Phil correct me if I am wrong but the only documentation that I can find for 'Adaptive Mode' is that it is strictly for iOS 10 devices to benefit from 802.11r and that's basically it. Not sure if another device type that does support it would use it or not. Would have to ask support because their documentation seems lacking on this insight.
