Consolidated Platform Configuration Guide, Cisco IOS XE 3.7E and Later (Catalyst 3650 Switches)
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for 802.11r Fast Transition

802.11r client association is not supported on access points in standalone mode.
802.11r fast roaming is not supported on access points in standalone mode.
802.11r fast roaming between a local authentication WLAN and a central authentication WLAN is not supported.
For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group.
The EAP LEAP method is not supported.
TSpec is not supported for 802.11r fast roaming. Therefore, RIC IE handling is not supported.
If WAN link latency exists, fast roaming is also delayed. Voice or data maximum latency should be verified. The switch handles 802.11r Fast Transition authentication requests during roaming for both the Over-the-Air and the Over-the-DS method.
This feature is supported only on open and WPA2 configured WLANs.
Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Element (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, such clients cannot send association requests to 802.11r WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management suites enabled.
The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs.
Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).
The Fast Transition resource request protocol is not supported because clients do not support this protocol. Also, the resource request protocol is an optional protocol.
To avoid any Denial of Service (DoS) attack, each switch allows a maximum of three Fast Transition handshakes with different APs.
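The RSN IE parsing problem behind the legacy-client restriction above, as an added example that is not part of the Cisco documentation: the parser decodes a constructed mixed-mode RSN IE (AKM 802.1X plus FT-802.1X), and the known_akms parameter models a supplicant driver that recognises only the original 802.11i suites, so the FT suite is reported as unknown while the 802.1X suite the client can still use stays visible.

```python
import struct

# RSN IE layout: element ID 48, length, version (LE16), group cipher suite (4 bytes),
# pairwise count (LE16) and suites, AKM count (LE16) and suites, RSN capabilities (LE16).
OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}

def build_rsn_ie(pairwise, akms, group=4, caps=0):
    """Encode an RSN IE; used here only to construct sample input."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

def suite_name(suite, table):
    return table.get(suite[1], "reserved") if suite[0] == OUI else "vendor-specific"

def parse_rsn_ie(ie, known_akms=frozenset(AKM_NAMES)):
    """Decode an RSN IE. known_akms models the AKM suites the supplicant driver knows;
    suites outside it are reported under 'unknown_akm' instead of aborting the parse,
    so a mixed-mode IE still exposes the plain 802.11i suite a client can fall back to."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body, pos = ie[2:], 0

    def take(n):                      # bounds-checked field reader
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE")
        pos += n
        return body[pos - n:pos]

    def suites():                     # LE16 count followed by 4-byte (OUI, type) suites
        count, = struct.unpack("<H", take(2))
        return [(s[:3], s[3]) for s in [take(4) for _ in range(count)]]

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    g = take(4)
    group, pairwise, akms = (g[:3], g[3]), suites(), suites()
    struct.unpack("<H", take(2))      # RSN capabilities: must be present, not used here
    return {
        "group": suite_name(group, CIPHER_NAMES),
        "pairwise": [suite_name(s, CIPHER_NAMES) for s in pairwise],
        "akm": [suite_name(s, AKM_NAMES) for s in akms],
        "unknown_akm": [s for s in akms if s[0] != OUI or s[1] not in known_akms],
        "ft": any(s in ((OUI, 3), (OUI, 4)) for s in akms),
    }

# Constructed mixed-mode IE: CCMP pairwise and group cipher, AKMs 802.1X plus FT-802.1X.
MIXED_MODE_IE = build_rsn_ie(pairwise=[4], akms=[1, 3])
```

An FT-only IE (AKM FT-PSK alone) parsed with a driver model that knows only suites 1 and 2 yields no usable AKM, which is the association failure the restriction describes.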
Information About 802.11r Fast Transition

802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the reassociation request or response exchange with the new target AP.

802.11r provides two methods of roaming:
Over-the-Air
Over-the-DS (Distribution System)

The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring reauthentication at every AP. The WLAN configuration contains a new Authenticated Key Management (AKM) type called FT (Fast Transition).

From Release 3E, you can create an 802.11r WLAN that is also a WPAv2 WLAN. In earlier releases, you had to create separate WLANs for 802.11r and for normal security. Non-802.11r clients can now join 802.11r-enabled WLANs because the 802.11r WLANs can accept non-802.11r associations. If clients do not support mixed mode or 802.11r join, they can join non-802.11r WLANs. When you configure FT PSK and later define PSK, clients that can join only PSK can now join the WLAN in mixed mode.
How a Client Roams

For a client to move from its current AP to a target AP using the FT protocols, the message exchanges are performed using one of the following two methods:
Over-the-Air—The client communicates directly with the target AP using IEEE 802.11 authentication with the FT authentication algorithm.
Over-the-DS—The client communicates with the target AP through the current AP. The communication between the client and the target AP is carried in FT action frames between the client and the current AP and is then sent through the switch.
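The FT key hierarchy behind the advance PTK calculation described above, as an added example that is not part of the Cisco documentation: the derivations follow the IEEE 802.11-2012 FT key-hierarchy definitions (PMK-R0 from XXKey once at initial association, one PMK-R1 per target AP, then the PTK from the SNonce and ANonce carried in the FT authentication or FT action frames), so the target AP's PTK is ready before the reassociation exchange and no reauthentication is needed. The SSID, mobility domain ID, R0KH-ID, addresses and nonces are constructed sample values.

```python
import hashlib, hmac, struct

def kdf_sha256(key, label, context, length_bits):
    """KDF-Hash-Length from IEEE 802.11-2012 11.6.1.7.2: concatenated
    HMAC-SHA256(key, counter(LE16) || label || context || length_bits(LE16)), counter from 1."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length_bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """PMK-R0 and PMKR0Name, computed once at initial association from XXKey
    (the PSK, or the second 256 bits of the 802.1X MSK); held by the R0KH."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    return pmk_r0, hashlib.sha256(b"FT-R0N" + salt).digest()[:16]

def derive_pmk_r1(pmk_r0, pmkr0name, r1kh_id, s1kh_id):
    """PMK-R1 for one target AP (R1KH-ID = that AP's BSSID): no reauthentication needed."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    return pmk_r1, hashlib.sha256(b"FT-R1N" + pmkr0name + r1kh_id + s1kh_id).digest()[:16]

def derive_ptk(pmk_r1, snonce, anonce, bssid, sta_addr, ptk_bits=384):
    """PTK (KCK || KEK || TK for CCMP) from the nonces exchanged in the FT
    authentication frames, so it exists before the reassociation exchange."""
    return kdf_sha256(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, ptk_bits)

# Constructed sample values (not from any real deployment).
SAMPLE = {
    "xxkey": bytes(range(32)), "ssid": b"ft-test", "mdid": b"\x12\x34",
    "r0kh_id": b"switch-r0kh",                       # assumed R0KH-ID string
    "sta": bytes.fromhex("0a1b2c3d4e5f"),
    "ap1": bytes.fromhex("020000000001"), "ap2": bytes.fromhex("020000000002"),
    "snonce": bytes([1]) * 32, "anonce": bytes([2]) * 32,
}

def roam_keys(p, target_bssid):
    """Keys the client and the target AP must both arrive at for one FT roam."""
    pmk_r0, r0name = derive_pmk_r0(p["xxkey"], p["ssid"], p["mdid"], p["r0kh_id"], p["sta"])
    pmk_r1, r1name = derive_pmk_r1(pmk_r0, r0name, target_bssid, p["sta"])
    ptk = derive_ptk(pmk_r1, p["snonce"], p["anonce"], target_bssid, p["sta"])
    return {"pmk_r0": pmk_r0, "pmk_r1": pmk_r1, "pmkr1name": r1name, "ptk": ptk}
```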
How to Configure 802.11r Fast Transition

Configuring 802.11r Fast Transition in an Open WLAN (CLI)

Procedure

Step 1: configure terminal
Example: Switch# configure terminal
Enters global configuration mode.

Step 2: wlan profile-name
Example: Switch# wlan test4
Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Step 3: client vlan vlan-id
Example: Switch(config-wlan)# client vlan 0120
Associates the client VLAN with the WLAN.

Step 4: no security wpa
Example: Switch(config-wlan)# no security wpa
Disables WPA security.

Step 5: no security wpa akm dot1x
Example: Switch(config-wlan)# no security wpa akm dot1x
Disables the dot1x security AKM.

Step 6: no security wpa wpa2
Example: Switch(config-wlan)# no security wpa wpa2
Disables WPA2 security.

Step 7: no security wpa wpa2 ciphers aes
Example: Switch(config-wlan)# no security wpa wpa2 ciphers aes
Disables the WPA2 AES cipher.

Step 8: security ft
Example: Switch(config-wlan)# security ft
Specifies the 802.11r fast transition parameters.

Step 9: no shutdown
Example: Switch(config-wlan)# no shutdown
Enables the WLAN.

Step 10: end
Example: Switch(config-wlan)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI)

Procedure

Step 1: configure terminal
Example: Switch# configure terminal
Enters global configuration mode.

Step 2: wlan profile-name
Example: Switch# wlan test4
Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Example: Switch(config-wlan)# security wpa akm psk set-key ascii 0 test
Configures the PSK AKM shared key.

Step 7: security ft
Example: Switch(config-wlan)# security ft
Configures 802.11r Fast Transition.

Step 8: no shutdown
Example: Switch(config-wlan)# no shutdown
Enables the WLAN.

Step 9: end
Example: Switch(config-wlan)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Configuring 802.11r Fast Transition (GUI)

Procedure

Step 1: Click Configuration > Wireless > WLANs. The WLANs page is displayed.
Step 2: Locate the WLAN you want to configure by using the search mechanism on the page.
Step 3: Click the WLAN Profile of the WLAN. The WLAN > Edit page is displayed.
Step 4: Click the Security and Layer 2 tab.
Step 5: Check the Fast Transition check box to enable BSS Fast Transition. Uncheck the Fast Transition check box to disable BSS Fast Transition.
Step 6: To enable BSS Fast Transition over the distribution system, check the Over the DS check box. This is enabled by default.
Note: Disabling Over the DS enables Over-the-Air fast transition.
Step 7: (Optional) Specify a reassociation timeout value in seconds in the Reassociation Timeout text box. The range is 1 to 100 seconds. The default value is 20 seconds.
Step 8: Click Apply.
Step 9: To configure the WLAN in 802.11r mixed mode, choose one of the following options from the Auth Key Mgmt drop-down list:
FT + 802.1x
FT + PSK
FT + 802.1x + CCKM
Disabling 802.11r Fast Transition (CLI)

Procedure

Step 1: configure terminal
Example: Switch# configure terminal
Enters global configuration mode.

Step 2: wlan profile-name
Example: Switch# wlan test4
Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

Disabling 802.11r Fast Transition over the DS (Distribution System) enables Over-the-Air fast transition.

Step 4: end
Example: Switch(config)# end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Monitoring 802.11r Fast Transition (GUI)

You can view the Authentication Key Management details of a client.

Choose Monitor > Client. The Clients page appears. Click the corresponding client to view the client details. In the General tab, you can view the Authentication Key Management for the client, such as FT, PSK, 802.1x, CCKM, or 802.1x + CCKM. If the AKM is for 802.11r mixed mode, then FT-802.1x, FT-802.1x-CCKM, or FT-PSK appears.
Monitoring 802.11r Fast Transition (CLI)

The following commands can be used to monitor 802.11r Fast Transition:

Command: show wlan name wlan-name
Description: Displays a summary of the configured parameters on the WLAN.

Command: show wireless client mac-address mac-address
Description: Displays a summary of the 802.11r authentication key management configuration on a client.

Abridged client output showing the Fast BSS Transition capability:
. . .
. . .
Client Capabilities
CF Pollable : Not implemented
CF Poll Request : Not implemented
Short Preamble : Not implemented
PBCC : Not implemented
Channel Agility : Not implemented
Listen Interval : 15
Fast BSS Transition : Implemented
Fast BSS Transition Details :
Client Statistics:
Number of Bytes Received : 9019
Number of Bytes Sent : 3765
Number of Packets Received : 130
Number of Packets Sent : 36
Number of EAP Id Request Msg Timeouts : 0
Number of EAP Request Msg Timeouts : 0
Number of EAP Key Msg Timeouts : 0
Number of Data Retries : 1
Number of RTS Retries : 0
Number of Duplicate Received Packets : 1
Number of Decrypt Failed Packets : 0
Number of Mic Failured Packets : 0
Number of Mic Missing Packets : 0
Number of Policy Errors : 0
Radio Signal Strength Indicator : -48 dBm
Signal to Noise Ratio : 40 dB
. . .
. . .
If the AKM for the client is 802.11r mixed mode, the following information appears in the output: