Cisco 2504 Wireless Controller Technical Manual

FlexConnect with 802.11r
When you use 802.11r on a FlexConnect setup, the behavior is exactly the same as explained
previously (during fast-secure roaming), as long as the APs to where the client roams belong
to the same FlexConnect Group.
802.11r works this way with either Central or Local Authentication for the FlexConnect setup,
as long as the APs are in Connected mode (with either central or local switching).
Pros with 802.11r
This method is the first that uses a key hierarchy clearly defined by the IEEE on the 802.11
standard as an amendment (802.11r), so implementations of these FT techniques are more
compatible between vendors and are not subject to different interpretations.
802.11r allows multiple techniques that are helpful, depending on your needs (Over-the-Air
and Over-the-DS, for 802.1x/EAP security and for PSK security).
The wireless client performs fast-secure roaming to a new AP on the same WLAN/SSID, even
if it never associated with that AP, and without the need to save multiple PMKIDs.
This is the first fast-secure roaming method that allows faster roaming even with PSK security,
and avoids the 4-Way handshake that is required when roaming between APs with
WPA/WPA2 PSK. The main purpose of the fast-secure roaming methods is to avoid the
802.1X/EAP handshake when this security method is implemented; however, for PSK security
the roaming event is accelerated even more with 802.11r by avoiding the 4-Way handshake.
Cons with 802.11r
Only a few wireless client devices actually support Fast BSS Transitions, and in
most cases, they do not support all of the techniques available on 802.11r.
Because these implementations are very young, there are not enough test
results from real-production environments or enough debug results in order to address
possible caveats that might appear.
When you configure a WLAN/SSID in order to use any of the FT methods, then only wireless
clients that support 802.11r are able to connect to this WLAN/SSID. The FT settings are not
optional for the clients, so those wireless clients that do not support 802.11r must connect with
a separate WLAN/SSID where FT is not configured at all.
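The paragraph above says a WLAN configured for FT admits only 802.11r-capable clients. As an added example (not from the Cisco document), this Python sketch parses the RSN element of a captured beacon and reports whether the SSID advertises only FT AKM suites; the function names are hypothetical and the two sample elements are constructed.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types under OUI 00-0F-AC; types 3 and 4 are the 802.11r (FT) suites
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT_AKMS = {"FT-802.1X", "FT-PSK"}

def parse_rsn_akms(ie: bytes) -> list:
    """Return the AKM suite names advertised in a raw RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 8:  # version(2) + group cipher(4) + pairwise count(2)
        raise ValueError("RSN element too short")
    (pairwise_count,) = struct.unpack_from("<H", body, 6)
    off = 8 + 4 * pairwise_count  # skip the pairwise cipher list
    if len(body) < off + 2:
        raise ValueError("RSN element has no AKM list")
    (akm_count,) = struct.unpack_from("<H", body, off)
    off += 2
    if len(body) < off + 4 * akm_count:
        raise ValueError("AKM list is truncated")
    names = []
    for i in range(akm_count):
        suite = body[off + 4 * i: off + 4 * i + 4]
        if suite[:3] == IEEE_OUI:
            names.append(AKM_NAMES.get(suite[3], "00-0F-AC:%d" % suite[3]))
        else:
            names.append("vendor:" + suite.hex())
    return names

def ft_admission(akms: list) -> str:
    """Classify a WLAN: 'ft-only', 'mixed' (FT and non-FT AKMs) or 'no-ft'."""
    ft = [a for a in akms if a in FT_AKMS]
    if not ft:
        return "no-ft"
    return "ft-only" if len(ft) == len(akms) else "mixed"

# Constructed sample RSN elements (CCMP group/pairwise ciphers), not a real capture
FT_PSK_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                            "0100" "000fac04" "0000")
MIXED_DOT1X = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                            "0200" "000fac01" "000fac03" "0000")

if __name__ == "__main__":
    for name, ie in (("FT_PSK_ONLY", FT_PSK_ONLY), ("MIXED_DOT1X", MIXED_DOT1X)):
        akms = parse_rsn_akms(ie)
        print(name, akms, ft_admission(akms))
```

An `ft-only` result means clients without 802.11r support need the separate non-FT WLAN/SSID described above.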
Conclusions
Keep in mind that the client is always the one that decides to roam to a specific AP, and the
WLC/AP cannot decide this for the client. The roaming event is initiated by the wireless client
once it considers it should roam.
The WLC supports a combination of most or all of the FSR (Fast-Secure Roaming) methods
together on the same WLAN/SSID. However, be aware that this normally does not work, as it
depends highly on the client behavior (very different across different mobile devices) in order
to support or even understand what the WLC attempts to advertise as supported.
Instead of achieving interoperability in just one SSID, there are normally more issues than the
ones that are expected to be fixed, so this is not recommended. Deep testing with all possible