In this post we will see how 802.11r supported client first associate to an SSID configured for 802.11r FT support. I have used 3850 (running on IOS-XE 3.6) as my WLC. Not all wireless clients support 802.11r, so you have to select a client supporting this standard. Most of the Apple idevices support 802.11r & you can find the complete list from this link. So here is my topology for this post.You can configure your 3850 as mobility controller & configure two AP connected switch ports as same access vlan as wireless management (vlan 20 in this example)
interface Vlan20 ip address 192.168.20.1 255.255.255.0 ! wireless mobility controller wireless management interface Vlan20 ! interface GigabitEthernet1/0/1 description LAP-1 switchport access vlan 20 switchport mode access interface GigabitEthernet1/0/2 description LAP-2 switchport access vlan 20 switchport mode access
I have configured my ACSv5.2 as RADIUS server. Here is the 3850 config related to AAA.
aaa new-model dot1x system-auth-control aaa group server radius RAD-GRP server name ACS aaa authentication dot1x MRN-DOT1X group RAD-GRP aaa authorization network MRN-AUTH group RAD-GRP aaa accounting network MRN-DOT1X start-stop group RAD-GRP aaa server radius dynamic-author client 192.168.100.2 server-key Cisco123 auth-type any aaa session-id common radius server ACS address ipv4 192.168.100.2 auth-port 1812 acct-port 1813 key Cisco123
Here is the SSID configuration. In default settings SSID will be created with WPA2/AES as encryption cipher & 802.1X as authentication suite.So you just simiply need to specify the client vlan & point it to predefined authentication list.Since I have used wlan-id >16, so I have to use AP Group to advertise the SSID.
wlan MRN-EAP 22 MRN-EAP client vlan 22 security dot1x authentication-list MRN-DOT1X no shutdown ! ap group APG1 wlan MRN-EAP vlan 22 ! 3850-1#ap name LAP1 ap-groupname APG1 Changing the AP's group name will cause the AP to reboot. Are you sure you want to continue? (y/n)[y]: y
Now if you do “show wlan id 22” you will see all the settings of this WLAN.
3850-1#show wlan id 22 WLAN Profile Name : MRN-EAP ================================================ Identifier : 22 Network Name (SSID) : MRN-EAP Status : Enabled Broadcast SSID : Enabled . Security 802.11 Authentication : Open System Static WEP Keys : Disabled 802.1X : Disabled Wi-Fi Protected Access (WPA/WPA2) : Enabled WPA (SSN IE) : Disabled WPA2 (RSN IE) : Enabled TKIP Cipher : Disabled AES Cipher : Enabled Auth Key Management 802.1x : Enabled PSK : Disabled CCKM : Disabled FT dot1x : Disabled FT PSK : Disabled PMF dot1x : Disabled PMF PSK : Disabled FT Support : Disabled FT Reassociation Timeout : 20 FT Over-The-DS mode : Enabled PMF Support : Disabled PMF Association Comeback Timeout : 1 PMF SA Query Time : 200 CKIP : Disabled IP Security : Disabled L2TP : Disabled Web Based Authentication : Disabled Conditional Web Redirect : Disabled Splash-Page Web Redirect : Disabled Auto Anchor : Disabled Sticky Anchoring : Enabled
As you can see above, FT+802.1X is disabled, FT support is disabled, FT-Over-the-DS mode enable. So you have to enable this on wlan (Go here for reference IOS-XE 3.6 Config Guide).
wlan MRN-EAP 22 MRN-EAP shutdown security wpa akm ft dot1x security ft no shutdown
If you have GUI preference of these settings you can do that as well (see below snapshot).I have set the AP channel & power level as shown below in order to take packet captures easily.
3850-1#show ap dot11 5ghz summary AP Name MAC Address Slot Admin State Oper State Channel Width TxPwr --------------------------------------------------------------------------------------------------- LAP2 2c3f.382a.b120 1 Enabled Up 40 20 7( ) LAP1 64a0.e7af.4740 1 Enabled Up 36 20 7( )
Now if you capture wireless frame on channel 36 while iPhone5 is associate to LAP1 you will see something like this (Filtered Beacon & ACK frames for simplistic view)If you look it at a glance, it is very similar to the normal EAP authentication process (Open system auth -> EAP Auth -> 4-Way Handshake). But if you look deep into this packet capture you will see some interesting detail specific to 802.11r.
Here is a detail view of a Beacon Frame send by AP. As you can see in included additional information element (Mobility Domain Information Element –MDIE) which is used to indicate the existence of a mobility domain as well as the FT transition supported. This IE has following fields (size in bytes shown within bracket)
Element ID(1) – Element ID 54 for Mobility Domain IE
MDID(2) Mobility Domain Identifier-identify group of AP constitute mobility domain
FT-over-DS bit – If set to 1 then FT-over-DS, if it is 0 then FT-over-the-air
Resource Request protocol capability.
Also you can see there are two AKM suits in the RSN-IE. 00-0F-AC-1 (802.1X/EAP) & 00-0F-AC-3 (FT over 802.1X).
In our case you can verify MDID value from controller itself as shown below (value 0xac34, it is interesting packet capture shows is as 0x34ac though).
3850-1#show wireless mobility summary Mobility Controller Summary: Mobility Role : Mobility Controller Mobility Protocol Port : 16666 Mobility Group Name : default Mobility Oracle Configured Mode : Disabled Mobility Oracle IP Address : 0.0.0.0 DTLS Mode : Enabled Mobility Domain ID for 802.11r : 0xac34 Mobility Keepalive Interval : 10 Mobility Keepalive Count : 3 Mobility Control Message DSCP Value : 48 Mobility Domain Member Count : 1
When the Supplicant send the “Association Request” frame that also include RSN-IE & MDIE as shown below. As you can see in RSN-IE it only listed FT over 802.1X as supported AKM suite.When AP send “Association Response” frame that has an another information element (ID=55) called FTIE – Fast BSS Transistion Information Element. This includes Element ID, Length, MIC, MIC control, ANonce, SNonce & optional information like R0KH-ID, R1KH-ID. These information needed to perform the FT authentication sequence during a fast BSS transition.
Next Supplicant & AS will do the /802.1X process to create the MSK that is used for FT key hierarchy. As you can see below initial mobility association frame exchange is similar to normal 802.1X. Only difference is FT 4-Way Handshake messages have additional infromation like MDIE, FTIE. Below figure (page 269 of CWSP official Study Guide) show the FT Initial mobility domain association.Here is the detail view of EAPOL-Key M1 which send by Authenticator to Supplicant that include ANonce.Here is the detail view of EAPOL-Key M2 which comprise of SNonce, RSNIE,MDIE & FTIE.Here is the detail view of EAPOL-Key M3. This include ANonce,MIC, RSNIE, MDIE, GTK, FTIE.At the end of M2, PTK is derived & hence M3 will be encrypted using PTK (that’s why you cannot see RSNIE,MDIE,GTK,FTIE here)Here is the detail view of EAPOL-Key M4After the initial association there are two method defined for client station to roam from original AP to a target AP.
1. Over-the-Air Fast BSS Transition
2. Over-the-DS Fast BSS Transition.
In a future post we will look at details of these two methods.
1. FT-over-DS-Association (frame capture used in this post)
2. CWSP Official Study Guide – Chapter 7
1. CWSP-802.11 Roaming Basics
2. CWSP-802.11r Key Hierarchy
3. CWSP-802.11r Over-the-Air-FT
4. CWSP-802.11r Over-the-DS-FT
5. CWSP-4 Way Handshake
6. CWSP- RSN IE
Kristjan Edvardsson said:
this is absolutely a kick ass blog you got there! Very nice.
Thanks Kris for the feedback great to see you found it useful.
Dinesh Jeffrine said:
Kristjan Thank you for detailed explanation. However, I would like to know whether 802.11r is supported between inter controllers ??
Kristjan Edvardsson said:
I cant see no reason why not. Intercontroller is just anchoring SSIDs. If the settings are the same the “home” controller is responsible for layer2 association related steps including 802.11r and 802.11k roaming mecanisms. Anchor controller is more or less layer3 termination after AP tunnels client through foreign to anchor controller.
Ashen Chanaka said:
This is a very descriptive blog. Thanks for your detailed explanation.
Thank you Ashen for kind remarks