Configuring 802.11r BSS Fast Transition

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for 802.11r Fast Transition

  • 802.11r client association is not supported on access points in standalone mode.

  • 802.11r fast roaming is not supported on access points in standalone mode.

  • 802.11r fast roaming between local authentication and central authentication WLAN is not supported.

  • For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group.

  • EAP LEAP method is not supported.

  • TSpec is not supported for 802.11r fast roaming. Therefore, RIC IE handling is not supported.

  • If WAN link latency exists, fast roaming is also delayed. Voice or data maximum latency should be verified. The device handles 802.11r Fast Transition authentication request during roaming for both Over-the-Air and Over-the-DS methods.

  • This feature is supported only on open and WPA2 configured WLANs.

  • Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled.

    The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs.

    Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).

  • Fast Transition resource request protocol is not supported because clients do not support this protocol. Also, the resource request protocol is an optional protocol.

  • To avoid any Denial of Service (DoS) attack, each device allows a maximum of three Fast Transition handshakes with different APs.

  • For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group.

Related Concepts
Information About 802.11r Fast Transition
Related Tasks
Configuring 802.11r Fast Transition in an Open WLAN (CLI)
Disabling 802.11r Fast Transition (CLI)
Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)
Configuring 802.11r Fast Transition on a PSK Security Enabled WLAN (CLI)

Information About 802.11r Fast Transition

802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the reassociation request or response exchange with new target AP.

802.11r provides two methods of roaming:

  • Over-the-Air

  • Over-the-DS (Distribution System)

The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring reauthentication at every AP. WLAN configuration contains a new Authenticated Key Management (AKM) type called FT (Fast Transition).

From Release 3E, you can create an 802.11r WLAN that is also an WPAv2 WLAN. In earlier releases, you had to create separate WLANs for 802.11r and for normal security. Non-802.11r clients can now join 802.11r-enabled WLANs as the 802.11r WLANs can accept non-802.11r associations. If clients do not support mixed mode or 802.11r join, they can join non-802.11r WLANS. When you configure FT PSK and later define PSK, clients that can join only PSK can now join the WLAN in mixed mode.

How a Client Roams

For a client to move from its current AP to a target AP using the FT protocols, the message exchanges are performed using one of the following two methods:

  • Over-the-Air—The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.

  • Over-the-DS—The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the device.

Figure 1. Message Exchanges when Over the Air client roaming is configured. This figure shows the sequence of message exchanges that occur when Over the Air client roaming is configured.

Figure 2. Message Exchanges when Over the DS client roaming is configured. This figure shows the sequence of message exchanges that occur when Over the DS client roaming is configured.

Related Tasks
Configuring 802.11r Fast Transition in an Open WLAN (CLI)
Disabling 802.11r Fast Transition (CLI)
Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)
Configuring 802.11r Fast Transition on a PSK Security Enabled WLAN (CLI)
Related References
Monitoring 802.11r Fast Transition (CLI)
Restrictions for 802.11r Fast Transition

How to Configure 802.11r Fast Transition

Configuring 802.11r Fast Transition in an Open WLAN (CLI)

SUMMARY STEPS

    1.    configure terminal

    2.    wlan profile-name

    3.    client vlan vlan-id

    4.    no security wpa

    5.    no security wpa akm dot1x

    6.    no security wpa wpa2

    7.    no wpa wpa2 ciphers aes

    8.    security ft

    9.    no shutdown

    10.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 2wlan profile-name


    Example: 
    Device# wlan test4
     

    Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

     
    Step 3client vlan vlan-id


    Example:
    Device(config-wlan)# client vlan 0120
     

    Associate the client VLAN to the WLAN.

     
    Step 4no security wpa


    Example:
    Device(config-wlan)# no security wpa
     

    Disable WPA secuirty.

     
    Step 5 no security wpa akm dot1x


    Example:
    Device(config-wlan)# no security wpa akm dot1x
     

    Disable security AKM for dot1x.

     
    Step 6no security wpa wpa2


    Example:
    Device(config-wlan)# no security wpa wpa2
     

    Disables WPA2 security.

     
    Step 7no wpa wpa2 ciphers aes


    Example:
    Device(config-wlan)# no security wpa wpa2 ciphers aes
     

    Disables WPA2 ciphers for AES.

     
    Step 8security ft


    Example:
    Device(config-wlan)# security ft
     

    Specifies the 802.11r fast transition parameters.

     
    Step 9no shutdown


    Example:
    Device(config-wlan)# shutdown
     

    Shutdown the WLAN.

     
    Step 10end


    Example:
    Device(config-wlan)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode

     
    Related Concepts
    Information About 802.11r Fast Transition
    Related References
    Monitoring 802.11r Fast Transition (CLI)
    Restrictions for 802.11r Fast Transition

    Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)

    SUMMARY STEPS

      1.    configure terminal

      2.    wlan profile-name

      3.    client vlan vlan-name

      4.    local-auth local-auth-profile-eap

      5.    security dot1x authentication-list default

      6.    security ft

      7.    security wpa akm ft dot1x

      8.    no shutdown

      9.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 2wlan profile-name


      Example: 
      Device# wlan test4
       

      Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

       
      Step 3client vlan vlan-name


      Example:
      Device(config-wlan)# client vlan 0120
       

      Associate the client VLAN to this WLAN.

       
      Step 4local-auth local-auth-profile-eap


      Example:
      Device(config-wlan)# local-auth
       

      Enable the local auth EAP profile.

       
      Step 5security dot1x authentication-list default


      Example:
      Device(config-wlan)# security dot1x authentication-list default
       

      Enable security authentication list for dot1x security. The configuration is similar for any dot1x security WLAN.

       
      Step 6security ft


      Example:
      Device(config-wlan)# security ft
              		Enables 802.11r Fast Transition on this WLAN. 
      Step 7security wpa akm ft dot1x


      Example:
      Device(config-wlan)# security wpa akm ft dot1x
              		Enables 802.1x security on the WLAN. 
      Step 8no shutdown


      Example:
      Device(config-wlan)# no shutdown
       

      Enable the WLAN.

       
      Step 9end


      Example:
      Device(config-wlan)# end
       

      Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode

       
      Related Concepts
      Information About 802.11r Fast Transition
      Related References
      Monitoring 802.11r Fast Transition (CLI)
      Restrictions for 802.11r Fast Transition

      Configuring 802.11r Fast Transition on a PSK Security Enabled WLAN (CLI)

      SUMMARY STEPS

        1.    configure terminal

        2.    wlan profile-name

        3.    client vlan vlan-name

        4.    no security wpa akm dot1x

        5.    security wpa akm ft psk

        6.    security wpa akm psk set-key {ascii {0 | 8} | hex {0 | 8}}

        7.    security ft

        8.    no shutdown

        9.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 configure terminal


        Example: 
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 2wlan profile-name


        Example: 
        Device# wlan test4
         

        Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

         
        Step 3client vlan vlan-name


        Example:
        Device(config-wlan)# client vlan 0120
         

        Associates the client VLAN to this WLAN.

         
        Step 4 no security wpa akm dot1x


        Example:
        Device(config-wlan)# no security wpa akm dot1x
         

        Disables security AKM for dot1x.

         
        Step 5security wpa akm ft psk


        Example:
        Device(config-wlan)# security wpa akm ft psk
         

        Configures FT PSK support.

         
        Step 6security wpa akm psk set-key {ascii {0 | 8} | hex {0 | 8}}


        Example:
        Device(config-wlan)# security wpa akm psk set-key ascii 0 test
         

        Configures PSK AKM shared key.

         
        Step 7security ft


        Example:
        Device(config-wlan)# security ft
         

        Configures 802.11r Fast Transition.

         
        Step 8no shutdown


        Example:
        Device(config-wlan)# no shutdown
         

        Enables the WLAN.

         
        Step 9end


        Example:
        Device(config-wlan)# end
         

        Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode

         
        Related Concepts
        Information About 802.11r Fast Transition
        Related References
        Monitoring 802.11r Fast Transition (CLI)
        Restrictions for 802.11r Fast Transition

        Disabling 802.11r Fast Transition (CLI)

        SUMMARY STEPS

          1.    configure terminal

          2.    wlan profile-name

          3.    no security ft [over-the-ds | reassociation-timeout timeout-in-seconds]

          4.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 configure terminal


          Example: 
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 2wlan profile-name


          Example: 
          Device# wlan test4
           

          Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

           
          Step 3 no security ft [over-the-ds | reassociation-timeout timeout-in-seconds]


          Example: 
          Device(config-wlan)# no security ft over-the-ds
           

          Disables 802.11r Fast Transition on the WLAN.

          Note   

          Disabling 802.11r Fast Transition for over the data source enables over the air fast transition.

           

          Step 4end


          Example:
          Device(config)# end
           

          Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

           
          Related Concepts
          Information About 802.11r Fast Transition
          Related References
          Monitoring 802.11r Fast Transition (CLI)
          Restrictions for 802.11r Fast Transition

          Monitoring 802.11r Fast Transition (GUI)

          You can view the Authentication Key Management details of a client.

          Choose Monitor > Client. The Clients page appears. Click the corresponding client to view the client details. In the General tab, you can view the Authentication Key Management for the client such as FT, PSK, 802.1x, CCKM, 802.1x + CCKM. If the AKM is for 802.11r mixed mode, then FT-802.1x, FT-802.1x-CCKM, or FT-PSK appears.

          Monitoring 802.11r Fast Transition (CLI)

          The following command can be used to monitor 802.11r Fast Transition:

          Command Description
          show wlan name wlan-name

          Displays a summary of the configured parameters on the WLAN.

          show wireless client mac-address mac-address Displays the summary of the 802.11r authentication key management configuration on a client. 
          . . . 
. . .
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 15
  Fast BSS Transition : Implemented
Fast BSS Transition Details :
Client Statistics:
  Number of Bytes Received : 9019
  Number of Bytes Sent : 3765
  Number of Packets Received : 130
  Number of Packets Sent : 36
  Number of EAP Id Request Msg Timeouts : 0
  Number of EAP Request Msg Timeouts : 0
  Number of EAP Key Msg Timeouts : 0
  Number of Data Retries : 1
  Number of RTS Retries : 0
  Number of Duplicate Received Packets : 1
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -48 dBm
  Signal to Noise Ratio : 40 dB
. . . 
. . .

          If the AKM for the client is 802.11r mixed mode, the following information appears in the output: 

          . . . 
. . . 
Authentication Key Management : FT-PSK
. . . 
. . .
          Related Concepts
          Information About 802.11r Fast Transition
          Related Tasks
          Configuring 802.11r Fast Transition in an Open WLAN (CLI)
          Disabling 802.11r Fast Transition (CLI)
          Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)
          Configuring 802.11r Fast Transition on a PSK Security Enabled WLAN (CLI)

          Additional References for 802.11r Fast Transition

          Related Documents

          Related Topic Document Title
          WLAN Command Reference. WLAN Command Reference, Cisco IOS XE Release 3SE (Catalyst 3650 Switches)

          Error Message Decoder

          Description Link

          To help you research and resolve system error messages in this release, use the Error Message Decoder tool.

          https:/​/​www.cisco.com/​cgi-bin/​Support/​Errordecoder/​index.cgi

          Standards and RFCs

          Standard/RFC Title
          802.11r from IEEE.

          IEEE Standard for 802.11r

          MIBs

          MIB MIBs Link

          All MIBs supported for this release.

          To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

          http:/​/​www.cisco.com/​go/​mibs

          Technical Assistance

          Description Link

          The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

          To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

          Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​support

          Feature Information for 802.11r Fast Transition

          This table lists the features in this module and provides links to specific configuration information:

          Feature Name Release Feature Information
          802.11r Fast Transition Cisco IOS XE 3.3SE This feature was introduced.