
New Member

802.1r and fast roaming

Hi everyone.

I couldn't find anything regarding this. I want my clients to have a better roaming experience. Based on my study, the client goes through the 802.1x process if it re-associates with a different AP (even on the same WLC), and 802.1r or the FT 802.1x option seems to be the answer if I don't want to use a CCKM server.

First of all, is that correct? In my debug I get this line, which is actually saying no data transfer at this stage when it's in the EAPOL process.

Then, to enable 802.1r, I've selected Fast Transition and Over the DS and also ticked FT 802.1x.

Is that all?

Thanks for your reply

2 ACCEPTED SOLUTIONS
VIP Purple

Hi,

Thanks for the debug.

By the way I am in the other end of AU (ie MEL) - it was 10:38PM when I responded to you yesterday :)

So here is what I found from the debug: it looks like no Fast Roaming (802.11r) occurs & every time the client goes through the full Auth Process & then the 4-Way handshake. I can see the client roam to a different AP 6 times; only the first 3 are shown here.

*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:59:a1:90 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:59:a1:90 from Associated to Associated

*spamApTask0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:2a:a6:b0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:2a:a6:b0 from Associated to Associated

*pemReceiveTask: Oct 03 08:22:03.690: 00:24:2b:6f:4e:98 10.66.54.50 Removed NPU entry.
*spamApTask3: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.693: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:30:17:10 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:30:17:10 from Associated to Associated

*spamApTask0: Oct 03 08:23:06.665: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)

Regarding your code version & 802.11r client support, I found this during today's WLC 8.0 Delta Webinar.

1. 802.11r mixed mode support in 7.6 & 8.0 (both codes)
2. Still, a few supplicants (Mac OSX, Netgear, etc.) do not like mixed mode WLANs, so they may have trouble associating if you enable FT

Here is the list of clients & OSes with 802.11r mixed mode support as per today's WebEx.

I suspect your Dell client may not support 802.11r & hence does the full auth every time.

If possible, get a debug client output for an iPhone or iPad (running iOS6 or above), so we can compare & see the difference.

Hope this answer helps me to get my rating up. :)

It came down 4 -> 3 -> 2 in the last 3 responses :)

HTH

Rasika

VIP Purple

Hi

Thanks for the debug output.

Yes, this time we can clearly see some FT (802.11r) happening with this client. As you can see, a "Reassociation Request" (the client sends this to initiate a roam) is followed by a (Re)association Response. You also see the FT completion message. There is no EAP auth process or separate 4-way handshake involved (we saw this with the Dell client). This is exactly what you should see with 802.11r Over-the-DS FT.

http://mrncciew.com/2014/09/08/cwsp-802-11r-over-the-ds-ft/

Here are some references from your debug highlighting FT:

*apfMsConnTask_0: Oct 06 10:28:14.705: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f4:0f:1b:a3:fb:0f

*apfMsConnTask_0: Oct 06 10:28:14.708: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f4:0f:1b:a3:fb:00 (status 0) ApVapId 1 Slot 0

*Dot1x_NW_MsgTask_2: Oct 06 10:28:14.712: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_2: Oct 06 10:28:24.918: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f4:0f:1b:a4:2e:70

*apfMsConnTask_0: Oct 06 10:28:14.708: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f4:0f:1b:a3:fb:00 (status 0) ApVapId 1 Slot 0

*Dot1x_NW_MsgTask_2: Oct 06 10:28:24.924: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_5: Oct 06 10:29:02.960: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f8:c2:88:74:2b:5f

*apfMsConnTask_5: Oct 06 10:29:02.962: 40:b3:95:15:50:ba Updated location for station old AP f4:0f:1b:a4:2e:70-1, new AP f8:c2:88:74:2b:50-1

*apfMsConnTask_5: Oct 06 10:29:02.963: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:74:2b:5f (status 0) ApVapId 1 Slot 1

*Dot1x_NW_MsgTask_2: Oct 06 10:29:02.965: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_1: Oct 06 10:29:41.843: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f8:c2:88:85:ae:8f

*apfMsConnTask_1: Oct 06 10:29:41.845: 40:b3:95:15:50:ba Updated location for station old AP f8:c2:88:74:2b:50-1, new AP f8:c2:88:85:ae:80-1

*apfMsConnTask_1: Oct 06 10:29:41.846: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:85:ae:8f (status 0) ApVapId 1 Slot 1

*Dot1x_NW_MsgTask_2: Oct 06 10:29:41.850: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

So based on those two provided debug outputs, we can confirm the first client (Dell) is not doing/supporting 802.11r FT.

 

HTH

Rasika

**** Pls rate all useful responses ****
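
The comparison made in the two replies above, as an added example that is not part of the original posts: each successful Assoc Response in a `debug client` capture is classified by what the controller logs next for that client, either a full 802.1X exchange or an FT completion. It assumes the line layout shown in this thread; the function names and the `kind` labels are made up for the illustration, and the sample lines are copied from the two debug outputs quoted above.

```python
import re
from collections import Counter

# Lines copied from the two debug outputs quoted in this thread
# (Dell client 00:24:2b:6f:4e:98, FT-capable client 40:b3:95:15:50:ba).
SAMPLE = """\
*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:59:a1:90 (status 0) ApVapId 1 Slot 0
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:2a:a6:b0 (status 0) ApVapId 1 Slot 0
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.693: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_5: Oct 06 10:29:02.960: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f8:c2:88:74:2b:5f
*apfMsConnTask_5: Oct 06 10:29:02.963: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:74:2b:5f (status 0) ApVapId 1 Slot 1
*Dot1x_NW_MsgTask_2: Oct 06 10:29:02.965: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba
*apfMsConnTask_1: Oct 06 10:29:41.846: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:85:ae:8f (status 0) ApVapId 1 Slot 1
*Dot1x_NW_MsgTask_2: Oct 06 10:29:41.850: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Layout seen in the thread: "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:\s]+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>" + MAC + r") (?P<msg>.*)$",
    re.IGNORECASE,
)
ASSOC_RE = re.compile(
    r"Sending Assoc Response to station on BSSID (?P<bssid>" + MAC + r") "
    r"\(status (?P<status>\d+)\)",
    re.IGNORECASE,
)
REASSOC_MARK = "Reassociation received from mobile"
FT_MARK = "Finishing FT roaming"          # FT (802.11r) roam completed
EAP_MARK = "Sending EAP-Request/Identity"  # full 802.1X authentication started


def parse_events(text):
    """Return one dict per successful Assoc Response, classified by what follows it."""
    events = []
    open_event = {}       # client MAC -> event still waiting for its outcome
    reassoc_seen = set()  # clients whose Reassociation Request was just logged
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # blank lines, CLI prompts, wrapped output
        mac, msg = m["mac"].lower(), m["msg"]
        if REASSOC_MARK in msg:
            reassoc_seen.add(mac)
            continue
        assoc = ASSOC_RE.search(msg)
        if assoc:
            open_event.pop(mac, None)  # previous event stays "unclassified"
            had_reassoc = mac in reassoc_seen
            reassoc_seen.discard(mac)
            if assoc["status"] != "0":
                continue  # association was refused, nothing to classify
            event = {
                "client": mac,
                "bssid": assoc["bssid"].lower(),
                "time": m["ts"],  # kept as text: the log carries no year
                "reassoc": had_reassoc,
                "kind": "unclassified",
            }
            events.append(event)
            open_event[mac] = event
            continue
        event = open_event.get(mac)
        if event is None:
            continue
        # The first decisive marker after the Assoc Response settles the event.
        if FT_MARK in msg:
            event["kind"] = "ft"
            del open_event[mac]
        elif EAP_MARK in msg:
            event["kind"] = "full-802.1x"
            del open_event[mac]
    return events


def summarize(events):
    """Count event kinds per client MAC."""
    per_client = {}
    for ev in events:
        per_client.setdefault(ev["client"], Counter())[ev["kind"]] += 1
    return per_client


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["time"], ev["client"], "->", ev["bssid"], ev["kind"])
    for client, counts in summarize(parse_events(SAMPLE)).items():
        print(client, dict(counts))
```

A client whose events are all `full-802.1x` on an FT-enabled WLAN is re-authenticating against RADIUS at every AP change, which is the pattern the thread attributes to the Dell client.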

 

 

 

14 REPLIES
VIP Purple

Hi

You need to remember that 802.11r is not supported by all clients (mainly supported by Apple iOS clients only). Also, if you are running anything below WLC 8.x then you cannot have 802.11r & non-802.11r clients on the same SSID. You have to have two SSIDs (one for 802.11r clients & one for non-802.11r) if you are running 7.4 or 7.6.

The links below should give you some more detail about 802.11r fast roaming.

1. 802.11r FT Association
2. 802.11r Over-the-Air FT
3. 802.11r Over-the-DS FT
4. 802.11k AP Assisted Roaming

Configuration-wise, yes, you have to enable it on the SSID (802.1X + FT) & then select whether you want to do it over-the-DS or over-the-air. Make sure you test it, as different types of clients may behave differently.

 

HTH

Rasika

*** Pls rate all useful responses ****

New Member

Hi

Thanks as always for your answer.

If I enable the 802.11r, it pops up with a message saying that clients which do not support it won't connect to the SSID at all. I enabled it and all my clients are connecting to the network. So I am confused by what you said, that mostly only Apple clients support 802.11r, because I have no Apple at this moment and all Dell laptops!

VIP Purple

Hi

Interesting. The 8.0 release notes given below state 802.11r mixed mode support (yes, that popup is coming even in 8.0, which should not be the case).

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80.html

  • Support is added for the 802.11r mixed mode. You do not have to create a separate WLAN for 802.11r support. You can specify the non-802.11r clients to associate with an SSID that is enabled with 802.11r.

Which version are you running on your WLC? Also, could you attach the "show wlan <WLAN_ID>" & "debug client <MAC_ADDRESS>" output when a client is roaming from one AP to another, in the next response? That will tell us what kind of roaming is involved.

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Hi, and as usual thanks for helping me.

I'm using a 5508 with SW version 7.6.120.0. I posted the debug you asked for; please note the following:

I have multiple brands in the school and none of them dropped the connection after 802.11r was enabled. Maybe that's the mixed mode.

on WLAN

FT Support.................................... Enabled

FT-1X(802.11r).......................... Enabled

SKC Cache Support.......................... Disabled

on the client

 Fast BSS Transition........................ Not implemented

but I can see the Fast BSS Transition Client Statistics:

I wonder what your idea about it is :)

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.02 08:20:09 =~=~=~=~=~=~=~=~=~=~=~=
debug pag         config pa?
paging         passwd-cleartext 
(Cisco Controller) >config paging disable 
 
 
(Cisco Controller) >show wlan 1 ?
               
<WLAN id>      Displays the configuration of a WLAN.
apgroups       Display all AP Groups information defined in the system.
foreignAp      Displays the configuration for support of Foreign Access Points.
summary        Displays a summary of all WLANs.
               
(Cisco Controller) >show wlan 1
 
 
WLAN Identifier.................................. 1
Profile Name..................................... PMACS
Network Name (SSID).............................. PMACS
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 35
Number of Active Clients......................... 5
Exclusionlist.................................... Disabled
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... PMACS-WLC03
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wirelessclients
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
    PMIPv6 MAG Profile........................... Unconfigured
    PMIPv6 Default Realm......................... Unconfigured
    PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................   0  0
Average Realtime Data Rate.......................   0  0
Burst Data Rate..................................   0  0
Burst Realtime Data Rate.........................   0  0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................   0  0
Average Realtime Data Rate.......................   0  0
Burst Data Rate..................................   0  0
Burst Realtime Data Rate.........................   0  0
Scan Defer Priority.............................. 
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 6
DTIM period for 802.11b radio.................... 6
Radius Servers
   Authentication................................ 10.66.0.10 1812
   Accounting.................................... 10.66.1.254 1813
      Interim Update............................. Disabled
      Framed IPv6 Acct AVP ...................... Prefix
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
 
   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT-1X(802.11r).......................... Enabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ allowed
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Disabled
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. BlockedApps
Flow Monitor Name................................ Traffic
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
 
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 
802.11u........................................ Disabled
 
MSAP Services.................................. Disabled
 
Local Policy
----------------
Priority  Policy Name
--------  ---------------
 
 
(Cisco Controller) >show client detail 88:53:2e:9c:49:88
Client MAC Address............................... 88:53:2e:9c:49:88
Client Username ................................. ###############\bkhorshid
AP MAC Address................................... 2c:3f:38:2a:a6:b0
AP Name.......................................... Senior_EnglishOffice 
AP radio slot Id................................. 1  
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1  
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 2c:3f:38:2a:a6:bf  
Connected For ................................... 46034 secs
Channel.......................................... 161
IP Address....................................... 10.66.54.40
Gateway Address.................................. 10.66.54.1
Netmask.......................................... 255.255.254.0
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... 4  
Client E2E version............................... 1  
Re-Authentication Timeout........................ 86152
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK  BE  VI  VO 
Power Save....................................... OFF
Current Rate..................................... m4
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. none
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ wireless_seniorschool_vlan54
VLAN............................................. 54
Quarantine VLAN.................................. 0
Access VLAN...................................... 54
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Not implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 90
      Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 66720
      Number of Bytes Sent....................... 62828
      Total Number of Bytes Sent................. 62828
      Total Number of Bytes Recv................. 66720
      Number of Bytes Sent (last 90s)............ 8732
      Number of Bytes Recv (last 90s)............ 8494
      Number of Packets Received................. 525
      Number of Packets Sent..................... 457
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 2
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 562
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 0
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -64 dBm
      Signal to Noise Ratio...................... 28 dB
Client Rate Limiting Statistics:
      Number of Data Packets Recieved............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Recieved.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Recieved........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Recieved.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      VisualARTS_B(slot 0)
        antenna0: 6 secs ago..................... -86 dBm
        antenna1: 6 secs ago..................... -92 dBm
      VisualARTS_A(slot 0)
        antenna0: 6 secs ago..................... -78 dBm
        antenna1: 6 secs ago..................... -82 dBm
      Senior_EnglishOff(slot 0)
        antenna0: 6 secs ago..................... -48 dBm
        antenna1: 6 secs ago..................... -60 dBm
      Senior_EnglishOff(slot 1)
        antenna0: 9 secs ago..................... -72 dBm
        antenna1: 9 secs ago..................... -71 dBm
      Senior_DS2.7(slot 0)
        antenna0: 6 secs ago..................... -86 dBm
        antenna1: 6 secs ago..................... -87 dBm
      Senior_DS2.3(slot 0)
        antenna0: 6 secs ago..................... -82 dBm
        antenna1: 6 secs ago..................... -81 dBm
      Senior_DS2.6(slot 0)
        antenna0: 6 secs ago..................... -90 dBm
        antenna1: 6 secs ago..................... -85 dBm
      Senior_DS1.6(slot 0)
        antenna0: 6 secs ago..................... -77 dBm
        antenna1: 6 secs ago..................... -75 dBm
      Senior_DS1.6(slot 1)
        antenna0: 9 secs ago..................... -85 dBm
        antenna1: 9 secs ago..................... -87 dBm
      Senior_DS1.2A(slot 0)
        antenna0: 6 secs ago..................... -76 dBm
        antenna1: 6 secs ago..................... -74 dBm
      Senior_DS1.2A(slot 1)
        antenna0: 9 secs ago..................... -84 dBm
        antenna1: 9 secs ago..................... -83 dBm
      Senior_DS2.4A(slot 0)
        antenna0: 6 secs ago..................... -82 dBm
        antenna1: 6 secs ago..................... -76 dBm
      Senior_DS2.2(slot 0)
        antenna0: 6 secs ago..................... -82 dBm
        antenna1: 6 secs ago..................... -80 dBm
      Senior_DS1.1(slot 0)
        antenna0: 6 secs ago..................... -76 dBm
        antenna1: 6 secs ago..................... -78 dBm
      Senior_Students_R(slot 0)
        antenna0: 6 secs ago..................... -66 dBm
        antenna1: 6 secs ago..................... -67 dBm
      Senior_Students_R(slot 1)
        antenna0: 9 secs ago..................... -84 dBm
        antenna1: 9 secs ago..................... -82 dBm
      Senior_DS1.4(slot 0)
        antenna0: 6 secs ago..................... -66 dBm
        antenna1: 6 secs ago..................... -69 dBm
      Senior_DS1.4(slot 1)
        antenna0: 9 secs ago..................... -72 dBm
        antenna1: 9 secs ago..................... -81 dBm
      Senior_DS1.2B(slot 0)
        antenna0: 6 secs ago..................... -75 dBm
        antenna1: 6 secs ago..................... -77 dBm
      Senior_DS1.5(slot 0)
        antenna0: 6 secs ago..................... -77 dBm
        antenna1: 6 secs ago..................... -75 dBm
      Senior_Library_A(slot 0)
        antenna0: 6 secs ago..................... -69 dBm
        antenna1: 6 secs ago..................... -75 dBm
      Senior_Library_A(slot 1)
        antenna0: 9 secs ago..................... -85 dBm
        antenna1: 9 secs ago..................... -89 dBm
      Senior_Library_C(slot 0)
        antenna0: 6 secs ago..................... -69 dBm
        antenna1: 6 secs ago..................... -79 dBm
      Senior_Library_B(slot 0)
        antenna0: 6 secs ago..................... -81 dBm
        antenna1: 6 secs ago..................... -83 dBm
DNS Server details:
      DNS server IP ............................. 10.66.0.10
      DNS server IP ............................. 10.66.0.11
Assisted Roaming Prediction List details:
 
 
 Client Dhcp Required:     False
Allowed (URL)IP Addresses
-------------------------
 
 
(Cisco Controller) >show client detail 88:53:2e:9c:49:88
Client MAC Address............................... 88:53:2e:9c:49:88
Client Username ................................. +++++++++++++++++++++\bkhorshid
AP MAC Address................................... 2c:3f:38:30:17:10
AP Name.......................................... Senior_DS1.2A     
AP radio slot Id................................. 1  
Client State..................................... Associated     
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1  
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 2c:3f:38:30:17:1f  
Connected For ................................... 34 secs
Channel.......................................... 64 
IP Address....................................... 10.66.54.40
Gateway Address.................................. 10.66.54.1
Netmask.......................................... 255.255.254.0
Association Id................................... 1  
Authentication Algorithm......................... Open System
Reason Code...................................... 1  
Status Code...................................... 0  
Client CCX version............................... 4  
Client E2E version............................... 1  
Re-Authentication Timeout........................ 86372
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK  BE  VI  VO 
Power Save....................................... OFF
Current Rate..................................... m4/0.0
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. none
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ wireless_seniorschool_vlan54
VLAN............................................. 54
Quarantine VLAN.................................. 0
Access VLAN...................................... 54
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Not implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 90
      Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 17593
      Number of Bytes Sent....................... 11052
      Total Number of Bytes Sent................. 11052
      Total Number of Bytes Recv................. 17593
      Number of Bytes Sent (last 90s)............ 11052
      Number of Bytes Recv (last 90s)............ 17593
      Number of Packets Received................. 151
      Number of Packets Sent..................... 66
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 52
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 0
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -66 dBm
      Signal to Noise Ratio...................... 27 dB
Client Rate Limiting Statistics:
      Number of Data Packets Recieved............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Recieved.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Recieved........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Recieved.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      VisualARTS_A(slot 0)
        antenna0: 74 secs ago.................... -78 dBm
        antenna1: 74 secs ago.................... -82 dBm
      VisualARTS_A(slot 1)
        antenna0: 48 secs ago.................... -83 dBm
        antenna1: 48 secs ago.................... -88 dBm
      Senior_EnglishOff(slot 0)
        antenna0: 74 secs ago.................... -48 dBm
        antenna1: 74 secs ago.................... -60 dBm
      Senior_EnglishOff(slot 1)
        antenna0: 33 secs ago.................... -68 dBm
        antenna1: 33 secs ago.................... -77 dBm
      Senior_DS2.7(slot 0)
        antenna0: 74 secs ago.................... -86 dBm
        antenna1: 74 secs ago.................... -87 dBm
      Senior_DS2.7(slot 1)
        antenna0: 48 secs ago.................... -91 dBm
        antenna1: 48 secs ago.................... -90 dBm
      Senior_DS2.3(slot 1)
        antenna0: 48 secs ago.................... -90 dBm
        antenna1: 48 secs ago.................... -92 dBm
      Senior_DS2.6(slot 0)
        antenna0: 74 secs ago.................... -90 dBm
        antenna1: 74 secs ago.................... -85 dBm
      Senior_DS2.6(slot 1)
        antenna0: 54 secs ago.................... -89 dBm
        antenna1: 54 secs ago.................... -90 dBm
      Senior_DS1.6(slot 0)
        antenna0: 74 secs ago.................... -77 dBm
        antenna1: 74 secs ago.................... -75 dBm
      Senior_DS1.6(slot 1)
        antenna0: 33 secs ago.................... -64 dBm
        antenna1: 33 secs ago.................... -70 dBm
      Senior_DS1.2A(slot 1)
        antenna0: 33 secs ago.................... -50 dBm
        antenna1: 33 secs ago.................... -42 dBm
      Senior_DS2.4A(slot 1)
        antenna0: 46 secs ago.................... -91 dBm
        antenna1: 46 secs ago.................... -93 dBm
      Senior_HeadOfHous(slot 1)
        antenna0: 46 secs ago.................... -83 dBm
        antenna1: 46 secs ago.................... -84 dBm
      Senior_DS1.1(slot 1)
        antenna0: 34 secs ago.................... -58 dBm
        antenna1: 34 secs ago.................... -65 dBm
      Senior_Students_R(slot 1)
        antenna0: 46 secs ago.................... -91 dBm
        antenna1: 46 secs ago.................... -94 dBm
      Senior_DS1.4(slot 1)
        antenna0: 33 secs ago.................... -77 dBm
        antenna1: 33 secs ago.................... -75 dBm
      Senior_DS1.2B(slot 1)
        antenna0: 33 secs ago.................... -58 dBm
        antenna1: 33 secs ago.................... -58 dBm
      Senior_DS1.5(slot 1)
        antenna0: 34 secs ago.................... -72 dBm
        antenna1: 34 secs ago.................... -76 dBm
      Senior_Library_A(slot 0)
        antenna0: 74 secs ago.................... -69 dBm
        antenna1: 74 secs ago.................... -75 dBm
      Senior_Library_A(slot 1)
        antenna0: 48 secs ago.................... -89 dBm
        antenna1: 48 secs ago.................... -90 dBm
      Senior_Library_C(slot 1)
        antenna0: 54 secs ago.................... -90 dBm
        antenna1: 54 secs ago.................... -90 dBm
      Senior_Library_B(slot 0)
        antenna0: 74 secs ago.................... -81 dBm
        antenna1: 74 secs ago.................... -83 dBm
      Senior_Library_B(slot 1)
        antenna0: 54 secs ago.................... -88 dBm
        antenna1: 54 secs ago.................... -91 dBm
DNS Server details:
      DNS server IP ............................. 10.66.0.10
      DNS server IP ............................. 10.66.0.11
Assisted Roaming Prediction List details:
 
 
 Client Dhcp Required:     False
Allowed (URL)IP Addresses
-------------------------
 
 
(Cisco Controller) >
VIP Purple

Hi

Yes, from a configuration point of view you have enabled 802.1x + FT + CCKM on your WLAN 1.

 

I would like to see a "debug client <dell_mac_address>" output when that client is roaming from one AP to another, to see exactly which type of roam is involved.

Pls attach that output (since it is long, do not paste it here) in your next response. I wonder whether the client is actually doing 802.11r.

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Sure ;) here in Australia it is 20:38 pm. First thing in the morning I'll attach the debug. Thanks for the follow up.

New Member

Here is the debug client dell_Mac

VIP Purple

Hi,

Thanks for the debug.

By the way I am in the other end of AU (ie MEL) - it was 10:38PM when I responded to you yesterday :)

So here is what I found from the debug: it looks like no Fast Roaming (802.11r) occurs & every time the client goes through the full Auth Process & then the 4-Way handshake. I can see the client roam to a different AP 6 times; only the first 3 are shown here.

*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:59:a1:90 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_3: Oct 03 08:17:46.471: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:59:a1:90 from Associated to Associated

*spamApTask0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:17:46.474: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:2a:a6:b0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Oct 03 08:22:03.689: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:2a:a6:b0 from Associated to Associated

*pemReceiveTask: Oct 03 08:22:03.690: 00:24:2b:6f:4e:98 10.66.54.50 Removed NPU entry.
*spamApTask3: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.692: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:22:03.693: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)
*apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 Sending Assoc Response to station on BSSID 2c:3f:38:30:17:10 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_4: Oct 03 08:23:06.663: 00:24:2b:6f:4e:98 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:2b:6f:4e:98 on AP 2c:3f:38:30:17:10 from Associated to Associated

*spamApTask0: Oct 03 08:23:06.665: 00:24:2b:6f:4e:98 Sent 1x initiate message to multi thread task for mobile 00:24:2b:6f:4e:98
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 dot1x - moving mobile 00:24:2b:6f:4e:98 into Connecting state
*Dot1x_NW_MsgTask_0: Oct 03 08:23:06.666: 00:24:2b:6f:4e:98 Sending EAP-Request/Identity to mobile 00:24:2b:6f:4e:98 (EAP Id 1)

Regarding your code version & 802.11r client support, I found this during today's WLC 8.0 Delta Webinar.

1. 802.11r mixed mode support in 7.6 & 8.0 (both codes)
2. Still, a few supplicants (Mac OSX, Netgear, etc.) do not like mixed mode WLAN, so they may have trouble associating if you enable FT

Here is the list for 802.11r mixed mode support client & OS as per today's webex.

I suspect your Dell Client may not support 802.11r & hence does the full auth every time.

If possible, get a debug client output for an iPhone or iPad (running iOS6 or above), so we can compare & see the difference.

 

Hope this answer helps me to get my rating up. :)

It came down 4 -> 3 -> 2 in the last 3 responses :)

 

HTH

Rasika

New Member

Thanks for the reply.

I'm actually a fan of your website and even subscribe to your articles. I'm in Perth and it's a pleasure to be in touch with you.

I will post an iPhone debug first thing in the morning on Monday.

By the way, as you said, I roamed around and I had some new connections which show the complete EAP process. But what about the re-association? Is it not cached? PMKID?

I rated based on the info which I've got from the response.

One last thing: is it possible to post a full 802.1x auth line-by-line debug explanation on your website? You have a great one but it's for PSK.

VIP Purple

Good to know you as well  :)

I will try to do a post on 802.1X debug of a Cisco WLC.

I'll have a look at the iPhone debug once you have posted it.

Regarding the rating system, I was just kidding, not serious :)

Have a great weekend.

Rasika

New Member

Hi

Here we go, tested on iPhone 5. Interested to see what you'll find in it :)

VIP Purple

Hi

Thanks for the debug output.

Yes, this time we can clearly see some FT (802.11r) happening with this client. As you can see, a "Reassociation Request" (the client sends this to initiate a roam) is followed by a (re)association Response. You also see an FT completion message. There is no EAP auth process or separate 4-way Handshake involved (we saw this with the Dell client). This is exactly what you should see with 802.11r Over-the-DS FT.

http://mrncciew.com/2014/09/08/cwsp-802-11r-over-the-ds-ft/

Here are some references from your debug highlighting FT:

*apfMsConnTask_0: Oct 06 10:28:14.705: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f4:0f:1b:a3:fb:0f

*apfMsConnTask_0: Oct 06 10:28:14.708: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f4:0f:1b:a3:fb:00 (status 0) ApVapId 1 Slot 0

*Dot1x_NW_MsgTask_2: Oct 06 10:28:14.712: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_2: Oct 06 10:28:24.918: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f4:0f:1b:a4:2e:70

*apfMsConnTask_0: Oct 06 10:28:14.708: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f4:0f:1b:a3:fb:00 (status 0) ApVapId 1 Slot 0

*Dot1x_NW_MsgTask_2: Oct 06 10:28:24.924: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_5: Oct 06 10:29:02.960: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f8:c2:88:74:2b:5f

*apfMsConnTask_5: Oct 06 10:29:02.962: 40:b3:95:15:50:ba Updated location for station old AP f4:0f:1b:a4:2e:70-1, new AP f8:c2:88:74:2b:50-1

*apfMsConnTask_5: Oct 06 10:29:02.963: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:74:2b:5f (status 0) ApVapId 1 Slot 1

*Dot1x_NW_MsgTask_2: Oct 06 10:29:02.965: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

*apfMsConnTask_1: Oct 06 10:29:41.843: 40:b3:95:15:50:ba Reassociation received from mobile on BSSID f8:c2:88:85:ae:8f

*apfMsConnTask_1: Oct 06 10:29:41.845: 40:b3:95:15:50:ba Updated location for station old AP f8:c2:88:74:2b:50-1, new AP f8:c2:88:85:ae:80-1

*apfMsConnTask_1: Oct 06 10:29:41.846: 40:b3:95:15:50:ba Sending Assoc Response to station on BSSID f8:c2:88:85:ae:8f (status 0) ApVapId 1 Slot 1

*Dot1x_NW_MsgTask_2: Oct 06 10:29:41.850: 40:b3:95:15:50:ba Finishing FT roaming for mobile 40:b3:95:15:50:ba

 

So based on those two provided debug outputs we can confirm the first client (Dell) is not doing/supporting 802.11r FT.

 

HTH

Rasika

**** Pls rate all useful responses ****

 

 

 

New Member

Thanks, you're a legend.

 

VIP Purple

Glad to help you on this. Hope it makes you understand 802.11r roaming a little better.

Rasika
