, , , ,

In this post we will see how 802.11r supported client first associate to an SSID configured for 802.11r FT support. I have used 3850 (running on IOS-XE 3.6) as my WLC. Not all wireless clients support 802.11r, so you have to select a client supporting this standard. Most of the Apple idevices support 802.11r & you can find the complete list from this link. So here is my topology for this post.802.11r-FT-Initial-20You can configure your 3850 as mobility controller & configure two AP connected switch ports as same access vlan as wireless management (vlan 20 in this example)

interface Vlan20
 ip address
wireless mobility controller
wireless management interface Vlan20
interface GigabitEthernet1/0/1
 description LAP-1
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet1/0/2
 description LAP-2
 switchport access vlan 20
 switchport mode access

I have configured my ACSv5.2 as RADIUS server. Here is the 3850 config related to AAA.

aaa new-model
dot1x system-auth-control
aaa group server radius RAD-GRP
 server name ACS
aaa authentication dot1x MRN-DOT1X group RAD-GRP
aaa authorization network MRN-AUTH group RAD-GRP
aaa accounting network MRN-DOT1X start-stop group RAD-GRP
aaa server radius dynamic-author
 client server-key Cisco123
 auth-type any
aaa session-id common
radius server ACS
 address ipv4 auth-port 1812 acct-port 1813
 key Cisco123

Here is the SSID configuration. In default settings SSID will be created with WPA2/AES as encryption cipher & 802.1X as authentication suite.So you just simiply need to specify the client vlan & point it to predefined authentication list.Since I have used wlan-id >16, so I have to use AP Group to advertise the SSID.

 client vlan 22
 security dot1x authentication-list MRN-DOT1X
 no shutdown
ap group APG1
wlan MRN-EAP
vlan 22
3850-1#ap name LAP1 ap-groupname APG1
Changing the AP's group name will cause the AP to reboot.
Are you sure you want to continue? (y/n)[y]: y

Now if you do “show wlan id 22” you will see all the settings of this WLAN.

3850-1#show wlan id 22
WLAN Profile Name     : MRN-EAP
Identifier                                     : 22
Network Name (SSID)                            : MRN-EAP
Status                                         : Enabled
Broadcast SSID                                 : Enabled
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            TKIP Cipher                        : Disabled
            AES Cipher                         : Enabled
        Auth Key Management
            802.1x                             : Enabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            PMF dot1x                          : Disabled
            PMF PSK                            : Disabled
    FT Support                                 : Disabled
        FT Reassociation Timeout               : 20
        FT Over-The-DS mode                    : Enabled
    PMF Support                                : Disabled
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 200
    CKIP                                       : Disabled
    IP Security                                : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled

As you can see above, FT+802.1X is disabled, FT support is disabled, FT-Over-the-DS mode enable. So you have to enable this on wlan (Go here for reference IOS-XE 3.6 Config Guide).

 security wpa akm ft dot1x
 security ft
 no shutdown

If you have GUI preference of these settings you can do that as well (see below snapshot).802.11r-FT-Initial-02I have set the AP channel & power level as shown below in order to take packet captures easily.

3850-1#show ap dot11 5ghz summary 
AP Name            MAC Address     Slot  Admin State  Oper State  Channel             Width  TxPwr   
LAP2               2c3f.382a.b120     1  Enabled      Up          40                     20    7( )  
LAP1               64a0.e7af.4740     1  Enabled      Up          36                     20    7( )

Now if you capture wireless frame on channel 36 while iPhone5 is associate to LAP1 you will see something like this (Filtered Beacon & ACK frames for simplistic view)802.11r-FT-Initial-03If you look it at a glance, it is very similar to the normal EAP authentication process (Open system auth -> EAP Auth -> 4-Way Handshake). But if you look deep into this packet capture you will see some interesting detail specific to 802.11r.

Here is a detail view of a Beacon Frame send by AP. As you can see in included additional information element (Mobility Domain Information ElementMDIE) which is used to indicate the existence of a mobility domain as well as the FT transition supported. This IE has following fields (size in bytes shown within bracket)

Element ID(1) – Element ID 54 for Mobility Domain IE
MDID(2) Mobility Domain Identifier-identify group of AP constitute mobility domain
FT Capability(1)
FT-over-DS bit – If set to 1 then FT-over-DS, if it is 0 then FT-over-the-air
Resource Request protocol capability.

Also you can see there are two AKM suits in the RSN-IE. 00-0F-AC-1 (802.1X/EAP) & 00-0F-AC-3 (FT over 802.1X).

802.11r-FT-Initial-04In our case you can verify MDID value from controller itself as shown below (value 0xac34, it is interesting packet capture shows is as 0x34ac though).

3850-1#show wireless mobility summary 
Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : default
Mobility Oracle Configured Mode                 : Disabled
Mobility Oracle IP Address                      :
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xac34
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Mobility Domain Member Count                    : 1

When the Supplicant send the “Association Request” frame that also include RSN-IE & MDIE as shown below. As you can see in RSN-IE it only listed FT over 802.1X as supported AKM suite.802.11r-FT-Initial-05When AP send “Association Response” frame that has an another information element (ID=55) called FTIE Fast BSS Transistion Information Element. This includes Element ID, Length, MIC, MIC control, ANonce, SNonce & optional information like R0KH-ID, R1KH-ID. These information needed to perform the FT authentication sequence during a fast BSS transition.
802.11r-FT-Initial-06Next Supplicant & AS will do the  /802.1X process to create the MSK that is used for FT key hierarchy. As you can see below initial mobility association frame exchange is similar to normal 802.1X. Only difference is FT 4-Way Handshake messages have additional infromation like MDIE, FTIE. Below figure (page 269 of CWSP official Study Guide) show the FT Initial mobility domain association.802.11r-FT-Initial-08Here is the detail view of EAPOL-Key M1 which send by Authenticator to Supplicant that include ANonce.802.11r-FT-Initial-09Here is the detail view of EAPOL-Key M2 which comprise of SNonce, RSNIE,MDIE & FTIE.802.11r-FT-Initial-10Here is the detail view of EAPOL-Key M3. This include ANonce,MIC, RSNIE, MDIE, GTK, FTIE.At the end of M2, PTK is derived & hence M3 will be encrypted using PTK (that’s why you cannot see RSNIE,MDIE,GTK,FTIE here)802.11r-FT-Initial-11Here is the detail view of EAPOL-Key M4802.11r-FT-Initial-12After the initial association there are two method defined for client station to roam from original AP to a target AP.
1. Over-the-Air Fast BSS Transition
2. Over-the-DS Fast BSS Transition.

In a future post we will look at details of these two methods.

1. FT-over-DS-Association (frame capture used in this post)
2. CWSP Official Study Guide – Chapter 7

Related Posts

1. CWSP-802.11 Roaming Basics
2. CWSP-802.11r Key Hierarchy
3. CWSP-802.11r Over-the-Air-FT
4. CWSP-802.11r Over-the-DS-FT
5. CWSP-4 Way Handshake