802.11r BSS Fast Transition

Information About 802.11r Fast Transition

802.11r, the IEEE standard for fast roaming, introduces a roaming model in which the initial handshake with a new AP is completed before the client actually roams to that target AP. This concept is called Fast Transition (FT). The initial handshake lets the client and the target AP compute the Pairwise Transient Key (PTK) in advance; the client and the AP install that PTK once the client completes the reassociation exchange with the target AP.

The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring a full reauthentication at every AP. The WLAN configuration contains a new Authentication and Key Management (AKM) type called FT (Fast Transition).
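The key hierarchy the two paragraphs above refer to, worked through in Python as an added example (this is not Cisco controller or client code): PMK-R0 held by the controller, one PMK-R1 per AP, and the PTK that can be computed for the target AP as soon as both nonces are known. The derivation follows IEEE 802.11-2016 clause 12.7.1.7 with SHA-256; every input (passphrase, SSID, MDID, R0KH-ID, MAC addresses, nonces) is constructed for the example.

```python
"""FT key hierarchy of IEEE 802.11-2016 (12.7.1.7), SHA-256 variant.

Added example; it is not controller or client code.  Every input below
(passphrase, SSID, MDID, R0KH-ID, MAC addresses, nonces) is constructed.
"""
import hashlib
import hmac
import math
import struct

Q = 256  # output length of SHA-256 in bits


def kdf(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """KDF-Hash-Length (12.7.1.7.2): concatenate HMAC-SHA-256(key,
    i || label || context || length) for i = 1.. until length_bits are
    produced; i and length are 16-bit little-endian."""
    out = b""
    for i in range(1, math.ceil(length_bits / Q) + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def truncate_128(data: bytes) -> bytes:
    """Truncate-128(SHA-256(data)): the 16-byte key names carried in the FT IEs."""
    return hashlib.sha256(data).digest()[:16]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """PMK-R0 lives on the R0 key holder (the controller).  For FT-PSK the
    XXKey is the PSK; for FT-802.1X it is the second 256 bits of the MSK."""
    ctx = (bytes([len(ssid)]) + ssid + mdid
           + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id)
    key_data = kdf(xxkey, b"FT-R0", ctx, Q + 128)
    pmk_r0, salt = key_data[:32], key_data[32:48]
    return pmk_r0, truncate_128(b"FT-R0N" + salt)


def derive_pmk_r1(pmk_r0, pmkr0name, r1kh_id, s1kh_id):
    """PMK-R1 is what the controller pushes to one AP (R1KH-ID = its BSSID),
    so the key handed to AP A is of no use on AP B."""
    pmk_r1 = kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, Q)
    return pmk_r1, truncate_128(b"FT-R1N" + pmkr0name + r1kh_id + s1kh_id)


def derive_ptk(pmk_r1, pmkr1name, snonce, anonce, bssid, sta_addr, ptk_bits=384):
    """PTK for CCMP-128: KCK(128) || KEK(128) || TK(128).  Both nonces and
    both addresses are bound in, which is why it can be precomputed during
    FT authentication yet still differs per AP and per roam."""
    ctx = snonce + anonce + bssid + sta_addr
    ptk = kdf(pmk_r1, b"FT-PTK", ctx, ptk_bits)
    return ptk, truncate_128(pmkr1name + b"FT-PTKN" + ctx)


def roam_demo():
    """Walk the hierarchy for a constructed FT-PSK WLAN and one roam."""
    ssid = b"corp-ft"
    # WPA2 PSK from a passphrase: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits
    psk = hashlib.pbkdf2_hmac("sha1", b"correct horse battery staple", ssid, 4096, 32)
    mdid = b"\xa1\xb2"                       # Mobility Domain ID (2 octets), constructed
    r0kh_id = b"wlc-1.example.net"           # R0KH-ID (NAS identifier), constructed
    sta = bytes.fromhex("02aabbccdd01")      # S0KH-ID / S1KH-ID / STA-ADDR, constructed
    ap_current = bytes.fromhex("0a1122334401")  # BSSIDs, constructed
    ap_target = bytes.fromhex("0a1122334402")
    snonce = bytes(range(32))                # constructed nonces (real ones are random)
    anonce = bytes(range(32, 64))

    pmk_r0, pmkr0name = derive_pmk_r0(psk, ssid, mdid, r0kh_id, sta)
    r1_current, _ = derive_pmk_r1(pmk_r0, pmkr0name, ap_current, sta)
    r1_target, r1name_target = derive_pmk_r1(pmk_r0, pmkr0name, ap_target, sta)
    ptk, ptkname = derive_ptk(r1_target, r1name_target, snonce, anonce, ap_target, sta)
    return {
        "pmk_r0": pmk_r0, "pmkr0name": pmkr0name,
        "pmk_r1_current": r1_current, "pmk_r1_target": r1_target,
        "ptk_target": ptk, "ptkname": ptkname,
        "kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48],
    }


if __name__ == "__main__":
    for name, value in roam_demo().items():
        print(f"{name:16s} {value.hex()}")
```

Two things worth noticing when reading the output: the two PMK-R1 values differ although they come from the same PMK-R0, so an AP that is compromised only exposes the keys bound to its own BSSID; and PMKR0Name and PMKR1Name are public identifiers sent in the FT authentication frames, so they must never be confused with the keys they name.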

Client Roaming

For a client to move from its current AP to a target AP using the FT protocols, message exchanges are performed using one of the following methods:

  • Over-the-Air—The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.

  • Over-the-Distribution System (DS)—The client communicates with the target AP through the current AP. The messages between the client and the target AP are carried in FT action frames between the client and the current AP and are then forwarded through the controller to the target AP.

Figure 1. Message Exchanges when Over–the–Air Client Roaming is Configured
Figure 2. Message Exchanges when Over–the–DS Client Roaming is Configured

Restrictions for 802.11r Fast Transition

  • EAP LEAP method is not supported.

  • Traffic Specification (TSPEC) is not supported for 802.11r fast roaming; therefore, handling of the Resource Information Container (RIC) IE is not supported.

  • If the WAN link adds latency, fast roaming is delayed by the same amount, because the Cisco WLC handles the 802.11r Fast Transition authentication requests during roaming for both the Over-the-Air and the Over-the-DS methods. Verify that voice and data traffic stay within their maximum latency.

  • Legacy clients cannot associate with a WLAN that has 802.11r enabled if the supplicant driver that parses the Robust Security Network Information Element (RSN IE) is old and not aware of the additional AKM suites in the IE. Because of this limitation, such clients do not send association requests to 802.11r WLANs. They can still associate with non-802.11r WLANs. Clients that are 802.11r-capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r AKM suites enabled.

    The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r-enabled WLANs.

    Another workaround is to have two SSIDs with the same name, but with different security settings (FT and non-FT).

  • The Fast Transition resource-request protocol is not supported because clients do not support it; it is also an optional part of the standard.

  • To avoid a Denial of Service (DoS) attack, each Cisco WLC allows a client a maximum of three Fast Transition handshakes with different APs.

  • Non-802.11r–capable devices will not be able to associate with FT-enabled WLAN.

  • We do not recommend 802.11r FT + PMF.

  • We recommend 802.11r FT Over-the-Air roaming for FlexConnect deployments.

  • 802.11r FT over-the-DS is enabled by default when a WLAN is created on the controller. On Cisco Wave 2 APs, local switching with local authentication is not supported together with 802.11r. To make local switching with local authentication work on Cisco Wave 2 APs, explicitly disable 802.11r on the WLAN. A sample configuration is given below:

    wlan local-dot1x 24 local-dot1x
    no security ft over-the-ds
    no security ft adaptive
    security dot1x authentication-list spwifi_dot1x
    no shutdown

Monitoring 802.11r Fast Transition (CLI)

The following commands can be used to monitor 802.11r Fast Transition:

Command                                         Description

show wlan name wlan-name                        Displays a summary of the configured parameters on the WLAN.

show wireless client mac-address mac-address    Displays a summary of the 802.11r authentication key management configuration on a client. Truncated sample output:

. . . 
. . .
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 15
  Fast BSS Transition : Implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 9019
  Number of Bytes Sent : 3765
  Number of Packets Received : 130
  Number of Packets Sent : 36
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 1
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 40 dB
. . . 
. . . 
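A practitioner usually wants the client state above checked rather than read by eye: is the client FT-capable, and are the integrity counters still at zero after a roam? The following added example (not Cisco code) parses the show wireless client output into a dictionary and returns exactly that. SAMPLE is an excerpt of the output shown on this page; SAMPLE_BAD is a constructed variant with a non-zero MIC failure counter.

```python
"""Check a client's FT state from 'show wireless client mac-address <mac>' output.

Added example, not Cisco code.  SAMPLE is an excerpt of the output shown on
this page; SAMPLE_BAD is a constructed variant with a non-zero MIC counter.
"""
import re

SAMPLE = """\
Client Capabilities
  Listen Interval : 15
  Fast BSS Transition : Implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 9019
  Number of Bytes Sent : 3765
  Number of EAP Key Msg Timeouts : 0
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 40 dB
"""
SAMPLE_BAD = SAMPLE.replace("Mic Failured Packets : 0", "Mic Failured Packets : 3")

FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")

# Counters that stay at zero on a healthy client; a rising MIC or decrypt
# count right after a roam points at a key mismatch between client and AP.
INTEGRITY_COUNTERS = (
    "Number of EAP Key Msg Timeouts",
    "Number of Decrypt Failed Packets",
    "Number of Mic Failured Packets",   # spelled as the controller prints it
    "Number of Mic Missing Packets",
)


def parse_client_detail(text):
    """Map 'Key : Value' lines to a dict; headers without a value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def summarize(text):
    """FT capability, non-zero integrity counters and RSSI for one client."""
    f = parse_client_detail(text)
    return {
        "ft_capable": f.get("Fast BSS Transition") == "Implemented",
        "alarms": {k: int(f[k]) for k in INTEGRITY_COUNTERS if k in f and int(f[k]) > 0},
        "rssi_dbm": int(f["Radio Signal Strength Indicator"].split()[0]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(SAMPLE_BAD))
```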

Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

client vlan vlan-name

Example:

Device(config-wlan)# client vlan 0120

Associates the client VLAN to this WLAN.

Step 4

local-auth local-auth-profile-eap

Example:

Device(config-wlan)# local-auth

Attaches a local authentication EAP profile to the WLAN; local-auth-profile-eap is the name of that profile.

Step 5

security dot1x authentication-list default

Example:

Device(config-wlan)# security dot1x authentication-list default

Enables security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Step 6

security ft

Example:

Device(config-wlan)# security ft
Enables 802.11r Fast Transition on the WLAN.

Step 7

security wpa akm ft dot1x

Example:

Device(config-wlan)# security wpa akm ft dot1x
Enables the FT 802.1X AKM (FT-802.1X) on the WLAN, so that 802.1X clients can negotiate Fast Transition.

Step 8

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 9

end

Example:

Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11r Fast Transition in an Open WLAN (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

client vlan vlan-id

Example:

Device(config-wlan)# client vlan 0120

Associates the client VLAN to the WLAN.

Step 4

no security wpa

Example:

Device(config-wlan)# no security wpa

Disables WPA security.

Step 5

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 6

no security wpa wpa2

Example:

Device(config-wlan)# no security wpa wpa2

Disables WPA2 security.

Step 7

no security wpa wpa2 ciphers aes

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables WPA2 ciphers for AES.

Step 8

security ft

Example:

Device(config-wlan)# security ft

Specifies the 802.11r Fast Transition parameters.

Step 9

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 10

end

Example:

Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring 802.11r Fast Transition on a PSK Security–Enabled WLAN (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

client vlan vlan-name

Example:

Device(config-wlan)# client vlan 0120

Associates the client VLAN to this WLAN.

Step 4

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 5

security wpa akm ft psk

Example:

Device(config-wlan)# security wpa akm ft psk

Configures Fast Transition PSK support.

Step 6

security wpa akm psk set-key {ascii {0 | 8} | hex {0 | 8}} key

Example:

Device(config-wlan)# security wpa akm psk set-key ascii 0 test

Configures the PSK AKM shared key. The 0 keyword means the key that follows is entered in clear text; 8 means it is entered in the AES-encrypted form in which it appears in a saved configuration. A WPA2 passphrase is 8 to 63 ASCII characters (or 64 hexadecimal digits); the short value in the example only illustrates the syntax.

Step 7

security ft

Example:

Device(config-wlan)# security ft

Configures 802.11r Fast Transition.

Step 8

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Step 9

end

Example:

Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
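The three procedures above configure FT on 802.1X, open and PSK WLANs, and the restrictions list states what should not be combined with it (PMF, FT-only AKMs when legacy clients exist, over-the-DS in FlexConnect). The following added example (not Cisco code) audits WLAN profiles for those conditions from text in the form of show running-config | section wlan. The SAMPLE profiles, the finding codes and the audit functions are all constructed here. Note that running-config omits default values; the only default this audit assumes is the one this page states (FT over-the-DS on), so check show wlan name for effective values such as the default 802.1X AKM before acting on a result.

```python
"""Audit 802.11r settings of Catalyst 9800 WLAN profiles.

Added example, not Cisco code.  It reads text in the form of
'show running-config | section wlan' (constructed SAMPLE below) and applies
the checks implied by the restrictions and procedures on this page.
"""
import re

SAMPLE = """\
wlan corp-dot1x 1 corp-dot1x
 security ft
 security wpa akm ft dot1x
 security dot1x authentication-list default
 no shutdown
wlan iot-psk 2 iot-psk
 no security wpa akm dot1x
 security wpa akm ft psk
 security wpa akm psk set-key ascii 0 test
 security pmf mandatory
 no shutdown
wlan flex-psk 3 flex-psk
 no security wpa akm dot1x
 security wpa akm psk
 security wpa akm psk set-key ascii 0 test
 security wpa akm ft psk
 security ft
 no security ft over-the-ds
 no shutdown
"""

WLAN_HDR = re.compile(r"^wlan (\S+) (\d+) (\S+)$")
# Matches AKM enable/disable lines only, not 'security wpa akm psk set-key ...'
AKM_LINE = re.compile(r"^(no )?security wpa akm ((?:ft )?\S+)$")


def parse_wlans(text):
    """Return {profile: {"id", "ssid", "lines"}} from section-style output."""
    wlans, current = {}, None
    for raw in text.splitlines():
        m = WLAN_HDR.match(raw)
        if m:
            current = m.group(1)
            wlans[current] = {"id": int(m.group(2)), "ssid": m.group(3), "lines": []}
        elif current is not None and raw.startswith(" "):
            wlans[current]["lines"].append(raw.strip())
    return wlans


def audit_wlan(cfg):
    """Return a list of (code, message) findings for one WLAN profile."""
    lines = cfg["lines"]
    akms = set()
    for line in lines:
        m = AKM_LINE.match(line)
        if m:
            (akms.discard if m.group(1) else akms.add)(m.group(2))
    ft_akms = {a for a in akms if a.startswith("ft ")}
    ft_enabled = "security ft" in lines and "no security ft" not in lines
    pmf = any(l.startswith("security pmf") for l in lines)
    over_ds = "no security ft over-the-ds" not in lines   # on by default (this page)

    findings = []
    if ft_akms and not ft_enabled:
        findings.append(("FT_AKM_WITHOUT_FT", "FT AKM configured but 'security ft' is not enabled"))
    if ft_enabled and akms and not ft_akms:
        findings.append(("FT_WITHOUT_FT_AKM", "FT enabled but no FT AKM; WPA clients cannot negotiate FT"))
    if (ft_enabled or ft_akms) and pmf:
        findings.append(("FT_WITH_PMF", "FT combined with PMF is not recommended on this platform"))
    if ft_akms and not (akms - ft_akms):
        findings.append(("FT_ONLY_AKMS", "only FT AKMs: non-802.11r clients cannot associate; add a non-FT AKM or a second SSID"))
    if ft_enabled and over_ds:
        findings.append(("FT_OVER_DS_DEFAULT", "FT over-the-DS is on (default); prefer over-the-air for FlexConnect"))
    return findings


def audit(text):
    return {name: audit_wlan(cfg) for name, cfg in parse_wlans(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

In the sample, corp-dot1x is flagged for offering only FT-802.1X (legacy clients cannot join) and for the over-the-DS default, iot-psk for an FT AKM without security ft and for FT with PMF, and flex-psk passes because it offers both FT-PSK and PSK, has FT enabled and has over-the-DS turned off.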

Disabling 802.11r Fast Transition (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

On the WLANs page, click the WLAN name.

Step 3

In the Edit WLAN window, click the Security > Layer2 tab.

Step 4

From the Fast Transition drop-down list, choose Disabled. Note that you cannot enable or disable Fast Transition if the SSID is configured with Open Authentication.

Step 5

Click Update & Apply to Device.


Disabling 802.11r Fast Transition (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name

Example:

Device# wlan test4

Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3

no security ft [over-the-ds | reassociation-timeout timeout-in-seconds]

Example:

Device(config-wlan)# no security ft over-the-ds 

Disables 802.11r Fast Transition on the WLAN. With the over-the-ds keyword, as in the example, only the Over-the-DS method is disabled and Fast Transition itself stays enabled; with reassociation-timeout, the reassociation timeout returns to its default value. Use no security ft without keywords to disable Fast Transition entirely.

Step 4

end

Example:

Device(config-wlan)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.