802.11r Support for Flex Local Authentication

Information About 802.11r Support for FlexConnect Local Authentication

In releases prior to Cisco IOS XE Amsterdam 17.2.1, the FlexConnect mode fast transition was supported only in centrally authenticated clients. This was achieved by sharing the Pairwise Master Key (PMK) to all the FlexConnect APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, fast transition is supported even for locally authenticated clients.

The client PMK cache entries are shared and distributed to all the APs in the same site tag. From Cisco IOS XE Amsterdam 17.2.1, another grouping called Mobility Domain ID (MDID) is introduced, for sharing the PMK cache entries. MDID can be configured for APs using the open configuration model only. There is no CLI or GUI support.

The PMK cache distribution in a FlexConnect local site (using either the site tag or MDID) is restricted to 100 APs per group, with a maximum support for 1000 PMK entries per AP.

Support Guidelines

The following are the 802.11r support guidelines:

  • Supports 802.11r on FlexConnect local authentication only with Over-the-Air method of roaming. Over-the-DS (Distribution System) is not supported.

  • Supports adaptive 11r for Apple clients.

  • Supports both Fast Transition + 802.1x and Fast Transition + PSK.


    Note

    This is supported only when clients join the standalone mode AP.

Verifying 802.11r Support for Flex Local Authentication

To verify the number of PMK caches, use the show wireless pmk-cache command:
Device# show wireless pmk-cache 
Number of PMK caches in total : 1                                       

Type      Station             Entry Lifetime  VLAN Override         IP Override         Audit-Session-Id              Username
--------------------------------------------------------------------------------------------------------------------------------------
DOT11R    74xx.bx5a.07xx      87              NA                                        000000000000000FF3562B5D      jey
To verify the 802.11r flex roam attempts, use the show wireless client mac-address 74xx.bx5a.07xx mobility history command:
Device# show wireless client mac-address 74xx.bx5a.07xx mobility history  
Recent association history (most recent on top):

AP Name                                       BSSID           AP Slot    Assoc Time               Instance   Mobility Role   Run Latency (ms)     Dot11 Roam Type                                                                                                                               
-----------------------------------------------------------------------------------------------------------------------------------------------------------------                                                                                                                               
APM-9120-1-GCP                                d4xx.80xx.8fxx  1          12/11/2019 18:44:37      1          Local           2                    802.11R                                                                                                                                  
APM-4800-3                                    f4xx.e6xx.08xx  1          12/11/2019 18:43:02      1          Local           17547                N/A    

show wireless stats client detail | sec roam
Total 11r flex roam attempts                     : 1