×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Wireless 802.11r and .k on WLC

Answered Question
Dec 11th, 2013
User Badges:

Hello all,


I've seen that in 7.4 and later Release on the WLC5508 you can configure 802.11r and 11k support using Fast Transaction so that iOS7 won't experience connection loss during Roaming...my question is on the same WLAN can I configure 802.1X and FT-802.1X Authentication so that I'll be able to have on the same SSID non802.11r and 802.11r capable client? Or this setup will create association problem ?


BR

OG

Correct Answer by Scott Fella about 3 years 8 months ago

Maybe this can help explain it also:

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/gu...

Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).


Sent from Cisco Technical Support iPhone App

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Scott Fella Wed, 12/11/2013 - 04:10
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Once you enable 802.11r, clients that don't support it will not connect. I have two SSID's with different names, one has 802.21r enabled and the other doesn't. Both use 802.1x.

Sent from Cisco Technical Support iPhone App

oguarisco Wed, 12/11/2013 - 04:22
User Badges:

Hello Scott,


thanks for the useful info...but this means that before connecting the device to the WLAN you have to know if it's 802.11r capable or not, only then you can authenticate and associate to the specific WLAN defined ...


It will be easier to have a single WLAN that permit 802.11r capable and non802.11r client to associate to the same SSID, I've seen that WLC 7.4 permit a configuration on a SSID for both 802.1x and FT-802.1x authentication method...


OG

Scott Fella Wed, 12/11/2013 - 04:27
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

It's either on or not. I too would wish I can have one ssid with it enabled and non 802.11t devices still connect, but it doesn't work that way. When you try to enable 802.11r, the WLC will prompt you with a warning.

Sent from Cisco Technical Support iPhone App

Correct Answer
Scott Fella Wed, 12/11/2013 - 04:43
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Maybe this can help explain it also:

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/gu...

Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).


Sent from Cisco Technical Support iPhone App

oguarisco Wed, 12/11/2013 - 04:53
User Badges:

Thanks a lot for the detailed info...so basically you have two WLANs one FT and other non-FT BUT with same SSID ...

Scott Fella Wed, 12/11/2013 - 05:09
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Yes you can do it that way, or have different ssid names. Again, you can always test it out. Configure a new ssid with 802.11r enabled and see what devices connect and what devices fail to connect.

Sent from Cisco Technical Support iPhone App

vlad.mihailov Wed, 12/11/2013 - 09:07
User Badges:

Scott,


Thank you for this reply. I was about to dig in to this incopatibility myself and you hit the nail! So in time.


Vlad.

oguarisco Wed, 12/11/2013 - 04:45
User Badges:

not good this one ...

I've noticed that configuring FT-802.1X on an SSID WLC warns about the chance that client non802.11r capable won't been able to associate...

Scott Fella Wed, 12/11/2013 - 04:51
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Yup... I have an older iPad 1st gen that I test with and it doesn't join. Only my iPhone and iPad that supports 802.11r.

Sent from Cisco Technical Support iPhone App

oguarisco Wed, 12/11/2013 - 09:47
User Badges:

I'll test it in the next weeks and let you know

OG

Sent from Cisco Technical Support iPhone App

Actions

This Discussion

Related Content