802.11r Support for Flex Local Authentication

802.11r support for flexconnect local authentication

802.11r support for FlexConnect local authentication is a fast transition (FT) capability that

  • enables fast roaming for locally authenticated FlexConnect clients by sharing Pairwise Master Key (PMK) cache entries among APs,

  • uses site tag or Mobility Domain ID (MDID) grouping to decide which APs receive a client's PMK cache entries, and

  • supports up to 100 APs per group by default and 300 APs per group in high scale mode, with a maximum of 1000 PMK entries per AP.

Implementation details

In releases prior to Cisco IOS XE Amsterdam 17.2.1, fast transition in FlexConnect mode was supported only for centrally authenticated clients. This was achieved by sharing the Pairwise Master Key (PMK) with all the FlexConnect APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, fast transition is also supported for locally authenticated clients.

The client PMK cache entries are shared and distributed to all the APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, an additional grouping, the Mobility Domain ID (MDID), is introduced for sharing PMK cache entries. MDID can be configured for APs only through the open configuration model; there is no CLI or GUI support.

PMK cache distribution in a FlexConnect local site (grouped either by site tag or by MDID) is limited to 100 APs per group by default and 300 APs per group in high scale mode, with a maximum of 1000 PMK entries per AP.

The following are the 802.11r support guidelines:

  • 802.11r with FlexConnect local authentication is supported only for the over-the-air roaming method. Over-the-DS (Distribution System) roaming is not supported.

  • Supports adaptive 11r for Apple clients.

  • Supports both Fast Transition + 802.1X and Fast Transition + PSK.


    Note: This is supported only when clients join the standalone mode AP.

802.11r support verification for flex local authentication

Use the following commands to verify 802.11r support for flex local authentication by checking PMK caches and 802.11r flex roam attempts.

To verify the number of PMK caches, use the show wireless pmk-cache command:

Device# show wireless pmk-cache
Number of PMK caches in total : 1

Type      Station             Entry Lifetime  VLAN Override         IP Override         Audit-Session-Id              Username
--------------------------------------------------------------------------------------------------------------------------------------
DOT11R    74xx.bx5a.07xx      87              NA                                        000000000000000FF3562B5D      jey

To verify the 802.11r flex roam attempts, use the show wireless client mac-address 74xx.bx5a.07xx mobility history command:

Device# show wireless client mac-address 74xx.bx5a.07xx mobility history
Recent association history (most recent on top):

AP Name                                       BSSID           AP Slot    Assoc Time               Instance   Mobility Role   Run Latency (ms)     Dot11 Roam Type
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
APM-9120-1-GCP                                d4xx.80xx.8fxx  1          12/11/2019 18:44:37      1          Local           2                    802.11R
APM-4800-3                                    f4xx.e6xx.08xx  1          12/11/2019 18:43:02      1          Local           17547                N/A

To verify the total number of 802.11r flex roam attempts, use the show wireless stats client detail | sec roam command:

Device# show wireless stats client detail | sec roam
Total 11r flex roam attempts                     : 1
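The following Python script is an added verification helper and is not part of the Cisco documentation. It parses constructed copies of the three show outputs above and confirms, for a given client MAC, that the controller holds a DOT11R PMK cache entry for that station and that its most recent association (the top row of the mobility history) was an 802.11R roam. The transcripts, the second PMK entry, the usernames and the obfuscated MAC addresses are constructed sample data; the 1000-entry ceiling is the per-AP PMK cache limit stated in the feature description.

```python
"""Confirm 802.11r fast transition for a FlexConnect locally authenticated
client from Cisco IOS XE show-command output.

Added example, not taken from the Cisco documentation. The three transcripts
below are constructed, modelled on the page's output, with 'x' standing in for
obfuscated MAC octets. MAX_PMK_ENTRIES_PER_AP is the per-AP limit the feature
description states.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MAX_PMK_ENTRIES_PER_AP = 1000

# Constructed sample of: Device# show wireless pmk-cache
PMK_CACHE_OUTPUT = """\
Number of PMK caches in total : 2

Type      Station             Entry Lifetime  VLAN Override  IP Override  Audit-Session-Id          Username
------------------------------------------------------------------------------------------------------------
DOT11R    74xx.bx5a.07xx      87              NA                          000000000000000FF3562B5D  jey
DOT11R    a0xx.c1xx.22xx      1640            NA                          000000000000000FF3562C01  tmb
"""

# Constructed sample of: Device# show wireless client mac-address <mac> mobility history
MOBILITY_HISTORY_OUTPUT = """\
Recent association history (most recent on top):

AP Name           BSSID           AP Slot  Assoc Time           Instance  Mobility Role  Run Latency (ms)  Dot11 Roam Type
--------------------------------------------------------------------------------------------------------------------------
APM-9120-1-GCP    d4xx.80xx.8fxx  1        12/11/2019 18:44:37  1         Local          2                 802.11R
APM-4800-3        f4xx.e6xx.08xx  1        12/11/2019 18:43:02  1         Local          17547             N/A
"""

# Constructed sample of: Device# show wireless stats client detail | sec roam
ROAM_STATS_OUTPUT = "Total 11r flex roam attempts                     : 1\n"

# Dotted-hex station MAC; 'x' is accepted so obfuscated transcripts still parse.
MAC = r"[0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4}"


@dataclass
class PmkEntry:
    entry_type: str   # DOT11R marks a fast-transition PMK cache entry
    station: str
    lifetime_s: int
    username: str


@dataclass
class Association:
    ap_name: str
    bssid: str
    run_latency_ms: int
    roam_type: str    # '802.11R' for a fast transition, 'N/A' for a full association


def parse_pmk_cache(text: str) -> Tuple[int, List[PmkEntry]]:
    """Return (reported total, parsed data rows) from 'show wireless pmk-cache'."""
    m = re.search(r"Number of PMK caches in total\s*:\s*(\d+)", text)
    total = int(m.group(1)) if m else 0
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows carry a cache type followed by a station MAC; the last token is the username.
        if len(tokens) >= 4 and re.fullmatch(MAC, tokens[1], re.I):
            entries.append(PmkEntry(tokens[0], tokens[1].lower(), int(tokens[2]), tokens[-1]))
    return total, entries


MOB_ROW = re.compile(
    rf"^(?P<ap>\S+)\s+(?P<bssid>{MAC})\s+\d+\s+\d{{2}}/\d{{2}}/\d{{4}} \d{{2}}:\d{{2}}:\d{{2}}\s+"
    r"\d+\s+\S+\s+(?P<latency>\d+)\s+(?P<roam>\S+)\s*$", re.I)


def parse_mobility_history(text: str) -> List[Association]:
    """Return association rows, most recent first, as the controller prints them."""
    rows = []
    for line in text.splitlines():
        m = MOB_ROW.match(line)
        if m:
            rows.append(Association(m["ap"], m["bssid"].lower(), int(m["latency"]), m["roam"]))
    return rows


def parse_roam_attempts(text: str) -> int:
    m = re.search(r"Total 11r flex roam attempts\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def fast_transition_confirmed(mac: str, pmk: List[PmkEntry], history: List[Association]) -> bool:
    """True when the client holds a DOT11R PMK entry and its latest association was an 802.11R roam."""
    has_ft_pmk = any(e.station == mac.lower() and e.entry_type.upper() == "DOT11R" for e in pmk)
    return has_ft_pmk and bool(history) and history[0].roam_type.upper() == "802.11R"


def pmk_cache_headroom(total: int, limit: int = MAX_PMK_ENTRIES_PER_AP) -> int:
    """Entries left before the per-AP limit. The controller-wide total bounds any
    single AP's cache from above, so this headroom figure is conservative."""
    return max(limit - total, 0)


if __name__ == "__main__":
    total, pmk = parse_pmk_cache(PMK_CACHE_OUTPUT)
    history = parse_mobility_history(MOBILITY_HISTORY_OUTPUT)
    client = "74xx.bx5a.07xx"
    print(f"PMK entries: {total} (headroom {pmk_cache_headroom(total)})")
    print(f"{client} fast transition confirmed: {fast_transition_confirmed(client, pmk, history)}")
    print(f"11r flex roam attempts: {parse_roam_attempts(ROAM_STATS_OUTPUT)}")
```

The Run Latency column is the quickest sanity check when reading the history by hand: in the constructed rows, as in the page's transcript, the 802.11R roam completes in 2 ms while the preceding full association took 17547 ms. A client whose top row shows N/A after moving between APs in the same site tag or MDID group did not fast-transition and is worth investigating against the guidelines above.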