Cisco WLC 8.3 Adaptive 11r
On the Cisco Infrastructure side, Cisco AP will advertise the support for adaptive 802.11r in beacons and probes, and FT over the DS capability will be set.
On the client side, devices running iOS 10 or higher will look for the adaptive 11r feature support in the IE. If the capability bit is set, the device will look for the AKM (dot1x or PSK) and use FT dot1x or FT PSK respectively. The Apple device will send an IE with FT support in its association request and also include the vendor-specific OUI.
Cisco WLAN will process the association request and respond with 802.11r support in association response, allowing FT association. The 4-Way handshake will involve FT Association.
This feature is supported on Local mode as well as FlexConnect mode APs, for all 802.11n and 802.11ac wave 1 APs controlled by a WLC running AireOS release 8.3.
Legacy devices that do not recognize the FT AKMs in beacons and probe responses will not be able to join the WLAN. We need a way to identify the client device capability, to allow an 11r-capable device to join the WLAN as an FT-enabled device, and at the same time to allow a legacy device to join as an 11i/WPA2 device. Cisco WLC software release 8.3 will enable 802.11r on an 802.11i-enabled WLAN selectively for Apple devices. The capable Apple devices will identify this functionality and perform an FT association on the WLAN.
- Create a new WLAN (SSID) with PSK Layer 2 authentication (802.1x is also supported). The Adaptive 11r feature is enabled by default. Over the DS is selected by default and the re-association timeout is set to 20 seconds.
  Note: When upgrading from a previous release, the Adaptive 11r feature will be disabled by default for an existing WLAN.
  This can be changed using the GUI or the CLI command:
  - config wlan security ft adaptive enable/disable
- Enable AKM as 802.1x or PSK instead of FT 802.1x or FT PSK.
- Enable the WLAN and associate three different clients to the SSID:
  - iPad and iPhone devices running iOS 10 or higher
  - iPad and iPhone devices running iOS 9 or lower
  - Non-iOS device
- Verify that:
  - iPad or iPhone running iOS 10 or higher associates as an 11r client
  - iPad or iPhone running iOS 9 or lower associates as a regular 802.11i client
  - Non-Apple device associates as a regular 802.11i client
- Verify that:
  - iPad or iPhone running iOS 10 or higher fast roams to a new AP
  - iPad or iPhone running iOS 9 or lower slow roams to a new AP
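The association check in the verification steps above can also be made from a packet capture by reading the information elements in each client's association request. The following is an added example, not Cisco's code: it reads the RSN element (ID 48) and the Mobility Domain element (ID 54) as defined in IEEE 802.11 and reports whether the client asked for an FT AKM. The function names and sample bytes are assumptions made for illustration, and the vendor-specific element mentioned earlier is not parsed because the page does not give its layout.

```python
import struct

# IEEE 802.11 constants: RSN element 48, Mobility Domain element 54, AKM OUI.
RSN_ID, MDIE_ID, IEEE_OUI = 48, 54, b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}

def split_ies(buf):
    """Yield (element_id, body) pairs; stop quietly at a truncated element."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            return
        yield eid, buf[i + 2:i + 2 + length]
        i += 2 + length

def rsn_akms(body):
    """Return the AKM suite names listed in an RSN element body."""
    try:
        off = 2 + 4                                    # version, group cipher
        (n_pairwise,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pairwise                      # skip pairwise ciphers
        (n_akm,) = struct.unpack_from("<H", body, off)
        suites = struct.unpack_from(f"<{n_akm * 4}s", body, off + 2)[0]
    except struct.error:
        return []                                      # malformed element
    return [AKM_NAMES.get(suites[k + 3], f"type {suites[k + 3]}")
            if suites[k:k + 3] == IEEE_OUI else "vendor-specific"
            for k in range(0, len(suites), 4)]

def classify(ies):
    """Classify association-request IEs as an FT (11r) or plain 802.11i join."""
    akms, has_mdie, ft_over_ds = [], False, False
    for eid, body in split_ies(ies):
        if eid == RSN_ID:
            akms = rsn_akms(body)
        elif eid == MDIE_ID and len(body) == 3:
            has_mdie = True
            ft_over_ds = bool(body[2] & 0x01)          # FT capability bit 0
    is_ft = has_mdie and any(a.startswith("FT-") for a in akms)
    kind = "unknown" if not akms else "11r (FT)" if is_ft else "802.11i"
    return {"akms": akms, "ft_over_ds": ft_over_ds, "association": kind}

# Constructed sample IEs (not from a real capture): WPA2/CCMP, one AKM each.
FT_CLIENT = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                          "0100" "000fac04" "0000" "3603" "3412" "01")
LEGACY_CLIENT = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                              "0100" "000fac02" "0000")
```

On an adaptive 11r WLAN, `classify(FT_CLIENT)` corresponds to what an iOS 10 or higher client should send, and `classify(LEGACY_CLIENT)` to what the other two test clients should send.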
Additional Guidelines for Configuration
1. Configure 802.1x or PSK as AKM instead of the FT variants
   - config wlan security wpa akm 802.1x enable or
   - config wlan security wpa akm psk enable
2. Enable/Disable FT over the DS and set the re-association timeout, if required
   - config wlan security ft over-the-ds enable/disable
   - config wlan security ft reassociation-timeout