Mobility domain ID—802.11i roaming
A mobility domain ID is a wireless network grouping mechanism that
- enables APs to form a continuous radio frequency space for seamless client roaming,
- facilitates synchronization and sharing of Pairwise Master Keys (PMKs) across APs, and
- manages roaming boundaries by linking APs under a common mobility domain for 802.11i and WPA, as well as 802.11r (Fast Transition).
A mobility domain can be defined in two ways:
- Static configuration: APs are grouped under a common mobility domain ID (MDID).
- Dynamic computation: Spatial clustering algorithms group APs based on neighbor associations.
The MDID is used by 802.11r to define the network boundary where fast roaming is supported.
Within a mobility domain, APs share PMKs. This capability allows clients to roam quickly without fully reauthenticating.
If an MDID is configured, it overrides the site tag for PMK sharing control.
Key characteristics and functionality
- PMK sharing: When an MDID is configured for a group of APs, all APs in that group share PMK cache keys, even if they belong to different site tags. Share PMKs only within the same mobility domain to ensure fast and secure client roaming.
- Precedence: If a mobility domain is defined, the MDID takes precedence over the AP site tag for PMK caching.
- Flexibility: The MDID method supports PMK cache sharing for both central and local authentication modes.
Implementation information
- Configuration method: You can configure MDID only through the open configuration model. There is no CLI or GUI support for this feature.
- Scale: Each mobility domain (site tag or MDID) supports up to 100 APs in Cisco IOS XE 17.2.1. Each AP supports up to 1,000 PMK cache entries in this release.
- Restriction: The Mobility Domain ID—802.11i Roaming feature does not function when Flex APs operate in standalone mode because controller coordination is required for key sharing.
Historical context and release notes
- Before Cisco IOS XE 17.2.1, the PMK cache was shared across FlexConnect APs using the AP site tag. All APs in the same site tag could share the PMK cache, but this support applied only to central authentication.
- Since Cisco IOS XE 17.2.1, you can assign a unique MDID to each AP. All APs with the same MDID share PMK cache keys regardless of site tag assignment. MDID-based PMK cache sharing now works for both central and local authentication. It also ensures that APs outside an MDID do not participate in the same PMK cache, even if they are under the same site tag.
Notes
You can configure MDID only through open configuration models. For more information, see the Cisco IOS XE Programmability Configuration Guide at https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/172/b_172_programmability_cg.html.
Verify mobility domain ID - 802.11i roaming
This example shows how to view and verify the 802.11i roaming configuration:
Device# show running-config | section specific-config
ap specific-config 58ac.70dc.xxxx hostname AP58AC.70DC.XXXX
roaming-domain roaming_domain_2
ap specific-config 78xc.f09d.xxxx hostname AP78XC.F09D.XXXX
roaming-domain roaming_domain_3
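
As an added example (not Cisco's code and not part of the original page), the following Python script parses output in the layout shown above and groups APs by roaming-domain, which is the set of APs that share a PMK cache. It flags domains over the 100-AP limit, domains with a single member, and APs with no MDID whose PMK sharing therefore follows the site tag. The sample text, MAC addresses, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

MAX_APS_PER_DOMAIN = 100  # per-domain AP limit the page states for Cisco IOS XE 17.2.1

# Constructed sample in the layout of the output above; MACs and hostnames are made up.
SAMPLE = """\
ap specific-config 0011.2233.4401 hostname AP-LOBBY-1
 roaming-domain roaming_domain_2
ap specific-config 0011.2233.4402 hostname AP-LOBBY-2
 roaming-domain roaming_domain_2
ap specific-config 0011.2233.4403 hostname AP-LAB-1
 roaming-domain roaming_domain_3
ap specific-config 0011.2233.4404 hostname AP-GUEST-1
"""

AP_RE = re.compile(r"^ap specific-config\s+(\S+)(?:\s+hostname\s+(\S+))?$")
MDID_RE = re.compile(r"^roaming-domain\s+(\S+)$")

def parse_pmk_domains(text):
    """Return ({mdid: [ap, ...]}, [aps without an MDID]) from specific-config output."""
    domains, no_mdid, current = defaultdict(list), [], None
    for line in (raw.strip() for raw in text.splitlines()):
        ap = AP_RE.match(line)
        if ap:
            current = ap.group(2) or ap.group(1)  # hostname, else MAC
            no_mdid.append(current)               # until a roaming-domain line follows
        elif current and (md := MDID_RE.match(line)):
            domains[md.group(1)].append(current)
            no_mdid.remove(current)
            current = None                        # one MDID per AP stanza
    return dict(domains), no_mdid

def audit(text, limit=MAX_APS_PER_DOMAIN):
    """List PMK-sharing findings: oversize domains, lone members, APs left on site tag."""
    domains, no_mdid = parse_pmk_domains(text)
    findings = []
    for mdid, aps in sorted(domains.items()):
        if len(aps) > limit:
            findings.append(f"{mdid}: {len(aps)} APs exceeds the limit of {limit}")
        if len(aps) == 1:
            findings.append(f"{mdid}: only {aps[0]} listed, check the MDID spelling")
    findings += [f"{ap}: no MDID, PMK sharing follows its site tag" for ap in no_mdid]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the saved output of the show command from each controller; a domain with one member usually means a mistyped MDID that silently leaves that AP outside the intended PMK-sharing group.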
