802.11r, 802.11k, and 802.11w Deployment Guide, Cisco IOS-XE Release 3.3
Last Modified: January 25, 2014
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2014 Cisco Systems, Inc. All rights reserved.
Chapter 1: Introduction
This guide covers the Cisco IOS XE Release 3.3 deployment of the Cisco Converged Access CT5760 controller and Catalyst 3850 switch. It is designed to help users deploy and monitor the new features introduced in the 3.3 release. The features described are fully supported on 11n-capable Gen2 indoor access points, with the beacon and probe changes supported on indoor 11n-capable AP radios. The document builds on previous releases and assumes familiarity with Converged Access products. For features not covered here, refer to the CT5760 Controller Deployment Guide and the Cisco Catalyst 3850 Switch Deployment Guide.
CT5760 Controller
The CT5760 is an innovative UADP ASIC-based wireless controller deployed as a centralized controller in the next-generation unified wireless architecture. CT5760 controllers are specifically designed to function as unified model central wireless controllers and support the newer Mobility functionality with Converged Access switches in the wireless architecture.
Figure 1: Cisco WLC 5760 - A photograph of the Cisco 5700 Series Wireless Controller, Model 5760.
The CT5760 is an extensible, high-performing wireless controller, capable of scaling up to 1000 access points and 12000 clients, with six 10 Gbps data ports. As a component of the Cisco Unified Wireless Network, the CT5760 series works in conjunction with Cisco Aironet access points, Cisco Prime Infrastructure, and the Cisco Mobility Services Engine to support business-critical wireless data, voice, and video applications.
Chapter 2: 802.11r Fast Transition Roaming
802.11r is the IEEE standard for fast roaming, introducing Fast Transition (FT). This feature allows the initial handshake with a new AP to occur before the client roams to the target AP. This enables clients and APs to perform Pairwise Transient Key (PTK) calculations in advance, applying these keys after the client re-associates with the new AP. The FT key hierarchy facilitates rapid BSS transitions between APs without requiring re-authentication at each AP, thereby reducing handoff times, enhancing security, and improving QoS. This is particularly beneficial for delay-sensitive applications like voice and video over Wi-Fi.
This chapter covers the following topics:
- How a Client Roams
- Over the Air Intra Controller Roam
- Over the Air Inter Controller Roam
- Over-the-DS Intra Controller Roam
- Over-the-DS Inter Controller Roam
- Web UI Configuration for Fast Transition Roaming
- CLI Configuration for Fast Transition Roaming
How a Client Roams
For a client to move from its current AP to a target AP using FT protocols, message exchanges follow one of two methods:
- Over-the-Air FT Roaming
- Over-the-DS (Distribution System) FT Roaming
Figure 2: Fast BSS Transition Over-the-Air in RSN - A sequence diagram illustrating the Over-the-Air Fast BSS Transition process between a STA (client), Current AP, and Target AP, detailing the authentication and reassociation message flows.
Figure 3: Fast BSS Transition Over the DS in RSN - A sequence diagram illustrating the Over-the-DS Fast BSS Transition process between a STA (client), Current AP, and Target AP, showing how communication is relayed through the Current AP.
Over the Air Intra Controller Roam
This describes the message exchange when a client roams between APs (AP1, AP2) connected to the same controller:
- Client associated with AP1 wants to roam to AP2.
- Client sends an FT Authentication Request to AP2 and receives an FT Authentication Response from AP2.
- Client sends a Reassociation Request to AP2 and receives a Reassociation Response from AP2.
- Client completes its roam from AP1 to AP2.
Figure 4: Over the Air Intra Controller Roam - A network diagram showing a client associated with AP1, with a roaming direction towards AP2, AP3, AP4, all connected to the same controller. It depicts the message exchange flow for an intra-controller roam.
Over the Air Inter Controller Roam
This describes the message exchange when a client roams between APs (AP1, AP2) connected to different controllers (WLC1, WLC2) within a mobility group:
- Client associated with AP1 wants to roam to AP2.
- Client sends FT Authentication Request to AP2 and receives FT Authentication Response from AP2.
- Pairwise Master Key (PMK) is sent from WLC-1 to WLC-2. WLC-1 sends a mobility message to WLC-2 about the roaming client using the mobility infrastructure.
Figure 5: Over the Air Inter Controller Roam - A network diagram showing a client (Client-C1) associated with AP1 (connected to WLC-1) roaming to AP2 (connected to WLC-2). It illustrates the FT authentication flow and the PMK update message exchanged between the controllers.
Over-the-DS Intra Controller Roam
This describes the message exchange when a client roams between APs (AP1, AP2) connected to the same controller:
- Client associated with AP1 wants to roam to AP2.
- Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
- The APs are connected to the same controller, so the pre-authentication information is sent from the controller to AP2.
- Client sends a Reassociation Request to AP2 and receives a Reassociation Response from AP2.
Figure 6: Over the DS Intra Controller Roam - A diagram illustrating the Over-the-DS Intra Controller Roam process, showing a client associated with AP1, with action frames exchanged between the client and AP1, and pre-authentication information passed from AP1 to AP2.
Over-the-DS Inter Controller Roam
This describes the message exchange when a client roams between APs (AP1, AP2) connected to different controllers (WLC1, WLC2) within a mobility group:
- Client associated with AP1 wants to roam to AP2.
- Client sends FT Authentication Request to AP1 and receives FT Authentication Response from AP1.
- PMK is sent from WLC-1 to WLC-2. Controller WLC-1 sends a mobility message to WLC-2 about the roaming client.
Figure 7: Over the DS Inter Controller Roam - A network diagram similar to Figure 5, depicting a client roaming between APs on different controllers, showing the FT authentication and PMK update process.
Web UI Configuration for Fast Transition Roaming
802.11r fast transition roaming can be configured using the WLAN GUI:
- Choose WLAN > Security > Layer2. Ensure Layer 2 Security is set to WPA+WPA2 or Open.
- Check the Fast Transition checkbox to enable Over the Air FT for the WLAN.
- Check the Over the DS checkbox to enable Over the DS FT.
Figure 8: 802.11r Web UI Configuration - A screenshot of the Cisco Wireless LAN Controller (WLC) graphical user interface, showing the WLAN configuration screen with options for Layer 2 Security, Fast Transition, Over the DS, and Reassociation Timeout.
CLI Configuration for Fast Transition Roaming
The following command configures Fast Transition Roaming under WLAN configuration:
security ft [ over-the-ds | reassociation-timeout timeout-in-seconds ]
Example:
Controller(config-wlan)# security ft reassociation-timeout 23
over-the-ds: Enables 802.11r fast transition parameters over a distributed system.
reassociation-timeout: Sets the 802.11r fast transition reassociation timeout. The range is 1 to 100 seconds.
WLAN configuration also includes a new Authenticated Key Management (AKM) type called FT (Fast Transition).
Controller(config-wlan)#security wpa akm ft ?
dot1x: Configures 802.1x support.
psk: Configures PSK support.
Monitoring 802.11r
Use the command show wlan name wlan-name to display WLAN parameters, including FT parameters.
Troubleshooting Support
Use the following debug and trace commands:
Controller#debug dot11 dot11r ?
all
events
keys
Controller#set trace dot11 dot11k ?
event
filter
keys
level
Limitations
- Supported only on OPEN and WPA2 WLANs.
- Non-802.11r clients cannot associate to WLANs with 802.11r enabled.
- Not supported with LEAP; LEAP uses a 32-byte MSK, while other EAP types use a 64-byte MSK.
- The domain of 802.11r is confined to the Mobility Group.
- FT Resource request protocol is not supported in this release due to lack of client support.
- Each controller allows a maximum of 3 FT handshakes with different APs under its control.
Chapter 3: 802.11k Assisted Roaming
The primary goal of this feature in IOS XE 3.3 is to provide an intelligent and optimized Neighbor List Element to 802.11k-supported (Apple) clients, enhancing their channel scanning, roaming, and battery usage. 802.11k allows capable clients to request a neighbor report containing information about known neighbor APs suitable for roaming. This process uses 802.11 management frames (action packets) to facilitate efficient roaming. By providing a neighbor list, clients can roam more quickly and efficiently, reducing channel utilization and improving battery life as they do not need to probe all channels.
This chapter covers:
- Assisted Roaming with 802.11k
- Assembling and Optimizing the Neighbor List
- 802.11k Information Elements (IEs)
- CLI Configuration for Assisted Roaming
Assisted Roaming with 802.11k
The 802.11k standard allows clients to request neighbor reports for service set transitions, reducing the need for active and passive scanning. Assisted roaming relies on an intelligent, client-optimized neighbor list that is generated dynamically on-demand. This list is based on client location and does not require the Mobility Services Engine (MSE). Different clients on the same switch but different APs may receive different neighbor lists based on their proximity to surrounding APs.
Assembling and Optimizing the Neighbor List
When a switch receives an 802.11k neighbor list request, it searches its RRM neighbor table. It then checks neighbors based on RSSI, current AP location, floor information (from Cisco Prime Infrastructure), and roaming history to reduce the list to six per band, optimized for the same floor.
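An added example, not code from the Cisco guide, of how the neighbor list described above can be assembled: candidates come from the RRM neighbor table, are ranked by RSSI plus a same-floor bias (the floor-bias setting), and are trimmed to six per band; each entry is then encoded as an 802.11k Neighbor Report element carrying the BSSID, channel, operating class and PHY type. The Neighbor dataclass layout, the scoring rule and the sample RRM table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PER_BAND = 6                 # the guide's "six per band" cap
NEIGHBOR_REPORT_EID = 52         # element ID of the 802.11k Neighbor Report element

@dataclass(frozen=True)
class Neighbor:                  # one row of the RRM neighbor table (assumed layout)
    bssid: str
    band: str                    # "2.4GHz" or "5GHz"
    op_class: int                # operating (regulatory) class
    channel: int
    phy_type: int                # PHY type value carried in the report (7 = HT)
    rssi: int                    # dBm as heard by the client's current AP
    floor: Optional[str]         # floor label from Prime Infrastructure, if known

def score(n: Neighbor, client_floor: str, floor_bias: int) -> int:
    """Higher is better. Same-floor neighbors get floor_bias dB of credit so a
    strong AP on the floor above does not outrank a usable one on this floor."""
    same_floor = n.floor is not None and n.floor == client_floor
    return n.rssi + (floor_bias if same_floor else 0)

def build_neighbor_list(rrm_table: List[Neighbor], client_floor: str,
                        floor_bias: int = 10) -> Dict[str, List[Neighbor]]:
    """Return {band: [Neighbor, ...]} best-first, at most MAX_PER_BAND per band."""
    by_band: Dict[str, List[Neighbor]] = {}
    for n in rrm_table:
        by_band.setdefault(n.band, []).append(n)
    return {band: sorted(cands, key=lambda n: score(n, client_floor, floor_bias),
                         reverse=True)[:MAX_PER_BAND]
            for band, cands in by_band.items()}

def encode_neighbor_report(n: Neighbor) -> bytes:
    """Neighbor Report element: ID, Length, BSSID(6), BSSID Info(4), Operating
    Class(1), Channel Number(1), PHY Type(1). BSSID Info is left zero here; a
    real controller fills in the reachability, security and capability bits."""
    body = bytes.fromhex(n.bssid.replace(":", "")) + bytes(4)
    body += bytes([n.op_class, n.channel, n.phy_type])
    return bytes([NEIGHBOR_REPORT_EID, len(body)]) + body

SAMPLE_RRM_TABLE = [             # constructed sample data, not real APs
    Neighbor("00:00:5e:00:01:01", "5GHz", 115, 36, 7, -48, "F1"),
    Neighbor("00:00:5e:00:01:02", "5GHz", 115, 40, 7, -62, "F1"),
    Neighbor("00:00:5e:00:02:01", "5GHz", 115, 44, 7, -55, "F2"),  # strong, wrong floor
    Neighbor("00:00:5e:00:01:03", "5GHz", 115, 48, 7, -70, "F1"),
    Neighbor("00:00:5e:00:01:04", "5GHz", 118, 52, 7, -73, "F1"),
    Neighbor("00:00:5e:00:01:05", "5GHz", 118, 56, 7, -75, "F1"),
    Neighbor("00:00:5e:00:02:02", "5GHz", 118, 60, 7, -66, "F2"),
    Neighbor("00:00:5e:00:01:06", "5GHz", 118, 64, 7, -80, "F1"),
    Neighbor("00:00:5e:00:01:07", "2.4GHz", 81, 1, 7, -50, "F1"),
    Neighbor("00:00:5e:00:01:08", "2.4GHz", 81, 6, 7, -65, "F1"),
]
```

With floor_bias 10 the same-floor AP at -62 dBm outranks the -55 dBm AP on another floor; with floor_bias 0 the ordering is by raw RSSI alone.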
802.11k Information Elements (IEs)
Clients request neighbor lists after associating with APs that advertise the RRM capability information element (IE) in their beacons. Key elements include:
- Country Element: Contains information for the station to identify its regulatory domain and configure its PHY accordingly.
- Power Constraint Element
- RRM enabled Capabilities Element: Signals that the AP can provide a neighbor list (bit 1 in beacon/probe response) or that the client is requesting one (bit 1 in association request).
Figure 9: 802.11k Information Elements - A Wireshark packet capture displaying various IEEE 802.11 information elements, including SSID, Supported Rates, Country Information, Power Constraint, RSN Information, and Vendor Specific elements, highlighting those related to 802.11k capabilities.
CLI Configuration for Assisted Roaming
Configure neighbor floor label bias:
Controller(config)# wireless assisted-roaming floor-bias 20
Configure an 802.11k neighbor list for a WLAN (enabled by default):
Controller(config-wlan)# assisted-roaming neighbor-list
Configure a dual-band 802.11k dual list (enabled by default):
Controller(config-wlan)# assisted-roaming dual-list
Note: The WLC does not have a GUI configuration for 802.11k; assisted roaming is enabled by default.
Configuration Example:
To configure Neighbor floor label bias:
Controller# configure terminal
Controller(config)# wireless assisted-roaming floor-bias 10
To enable 802.11k on a specific WLAN:
Controller(config)# wlan test
Controller(config-wlan)# assisted-roaming neighbor-list
Chapter 4: Prediction Based Roaming: Assisted Roaming for Non-802.11k Clients
This feature optimizes roaming for non-802.11k clients by generating a prediction neighbor list without requiring the client to send an 802.11k neighbor list request. When enabled on a WLAN, this optimization is applied after each successful client association/re-association. The list is built using the most updated probe data, predicting the next AP a client is likely to roam to. Clients are discouraged from roaming to less desirable neighbors by denying association if the request does not match the prediction list. The assisted roaming feature can be enabled per-WLAN or globally, with options for Denial count (maximum client refusals) and Prediction threshold (minimum entries required for activation).
CLI Configuration for Prediction Based Roaming
Enable assisted roaming prediction list feature for a WLAN (disabled by default):
Controller(config-wlan)# assisted-roaming prediction
Configure the minimum number of predicted APs required for the feature to activate (default is 3):
Controller# wireless assisted-roaming prediction-minimum
Configure the maximum number of times a client can be denied association (valid range 1-10, default 5):
Controller# wireless assisted-roaming denial-maximum 8
Configuration Example:
To configure the prediction list on a specific WLAN:
Controller# configure terminal
Controller(config)# wlan test
Controller(config-wlan)# assisted-roaming prediction
To configure prediction list based on threshold and denial count:
Controller(config)# wireless assisted-roaming prediction-minimum 3
Controller(config)# wireless assisted-roaming denial-maximum 3
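An added example, not code from the Cisco guide, of the controller-side decision logic that the chapter describes for prediction-based roaming: after each successful association the client's prediction list is rebuilt from the latest probe data, and a later (re)association to an AP outside that list is refused, at most denial-maximum times and only once the list holds at least prediction-minimum entries (the values 3 and 3 from the configuration example above). Function names, the reset of the denial counter on a successful association, and the sample probe data are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ProbeSample:                 # constructed: one probe request heard by an AP
    ap: str
    rssi: int                      # dBm at the AP that heard it

@dataclass
class RoamingPolicy:
    prediction_minimum: int = 3    # wireless assisted-roaming prediction-minimum 3
    denial_maximum: int = 3        # wireless assisted-roaming denial-maximum 3
    list_size: int = 6             # assumed cap on prediction list entries

@dataclass
class ClientState:
    prediction: list = field(default_factory=list)
    denials: int = 0

def build_prediction_list(probes, policy):
    """APs that heard the client's latest probes, strongest first."""
    best = {}
    for p in probes:
        best[p.ap] = max(best.get(p.ap, -200), p.rssi)
    ranked = sorted(best, key=best.get, reverse=True)
    return ranked[:policy.list_size]

def after_association(client, probes, policy):
    """Run after every successful association/re-association."""
    client.prediction = build_prediction_list(probes, policy)
    client.denials = 0             # assumption: refusals are counted per association cycle

def on_association_request(client, target_ap, policy):
    """'accept' or 'deny' for a (re)association attempt at target_ap."""
    if len(client.prediction) < policy.prediction_minimum:
        return "accept"            # too little data to predict: do not interfere
    if target_ap in client.prediction:
        return "accept"            # roaming where we expected
    if client.denials >= policy.denial_maximum:
        return "accept"            # stop steering; never lock the client out
    client.denials += 1
    return "deny"

SAMPLE_PROBES = [ProbeSample("AP-A", -50), ProbeSample("AP-B", -60),
                 ProbeSample("AP-C", -70), ProbeSample("AP-B", -58),
                 ProbeSample("AP-D", -85)]   # constructed probe data
```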
Neighbor List Response
The neighbor list includes information about BSSID, channel, and operation details of neighboring radios.
Figure 10: 802.11k Neighbor Report - A Wireshark packet capture detailing an 802.11k Neighbor Report Response, showing information such as BSSID, Channel Number, PHY type, and regulatory class for neighboring access points.
View the 802.11k Neighbor list per client using the command:
show wireless client mac-address <> detail
Figure 11: Nearby AP Statistics CLI Output - A command-line interface output displaying statistics for nearby access points, including signal strength indicators and a prediction list for assisted roaming.
Limitations
- Features not supported in this release: TSF Offset, TPC request/response, Beacon request/response, Quiet element with hardware beacon, 11v Location Tracking.
- No GUI configuration support.
- Load balancing and prediction-based roaming cannot be enabled simultaneously on a WLAN.
Troubleshooting Support
Use the following debug and trace commands:
Controller# debug dot11 dot11k ?
all
detail
errors
events
optimization
simulation
Controller# set trace dot11 dot11k ?
detail
errors
events
filter
history
level
optimization
simulation
Chapter 5: 802.11w Protected Management Frames
Wi-Fi is a broadcast medium where management frames (authentication, de-authentication, association, disassociation, beacons, probes) are typically open and unencrypted. While data traffic can be encrypted, these management frames must be protected from forgery to prevent attacks like spoofing. The 802.11w protocol protects a set of robust management frames, including Disassociation, De-authentication, and Robust Action frames. Protected management frames include Spectrum Management, QoS, DLS, Block Ack, Radio Measurement, Fast BSS Transition, SA Query, Protected Dual of Public Action, and Vendor-specific Protected.
When 802.11w is implemented:
- Client protection is enhanced by APs adding cryptographic protection to de-authentication and disassociation frames, preventing spoofing attacks.
- Infrastructure protection is added via a Security Association (SA) teardown protection mechanism, comprising an Association Comeback Time and an SA-Query procedure, to prevent spoofed association requests from disconnecting clients.
802.11w introduces a new IGTK Key for protecting broadcast/multicast robust management frames. IGTK is a random value assigned by the authenticator (WLC) to protect MAC management protocol data units (MMPDUs). When Management Frame Protection is negotiated, the AP encrypts GTK and IGTK values in the EAPOL-Key frame during the 4-way handshake.
Figure 12: IGTK Exchange in 4-way Handshake - A diagram illustrating the 4-way handshake process for establishing an IGTK (Integrity Group Temporal Key) between a Supplicant and an Authenticator, detailing the messages exchanged and key derivation steps.
802.11w also defines a Broadcast/Multicast Integrity Protocol (BIP) for data integrity and replay protection of broadcast/multicast frames using a shared IGTK key.
802.11w Information Elements (IEs)
Modifications in the RSN capabilities field of RSNIE include:
- Bit 6: Management Frame Protection Required (MFPR).
- Bit 7: Management Frame Protection Capable (MFPC).
- New AKM Suites (5 and 6) and Cipher Suite type 6 for BIP are added.
The WLC adds this modified RSNIE in association and re-association responses, and APs add it to beacons and probe responses.
Figure 13: 802.11w Information Elements - A table and diagram illustrating the structure and content of 802.11w Information Elements within an RSNIE (Robust Security Network Information Element), showing fields like MFPR (Management Frame Protection Required) and MFPC (Management Frame Protection Capable).
Figure 14: 802.11w Information Elements - A Wireshark packet capture showing RSNIE capabilities and Group Management Cipher Suite elements, confirming that Management Frame Protection is required and capable.
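An added example, not code from the Cisco guide, that parses the RSN element fields the section describes (RSN Capabilities bit 6 = MFPR, bit 7 = MFPC, AKM suites 5 and 6, group management cipher suite 6 for BIP) and works out what a (re)association between an AP and a client yields. The WLAN setting mandatory corresponds to the AP advertising MFPC and MFPR, optional to MFPC alone. The builder, the element byte strings and the function names are constructed for this example.

```python
from typing import Optional

RSN_EID = 48
OUI_IEEE = bytes.fromhex("000fac")          # suite selector OUI shared by all RSN suites
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7         # RSN Capabilities bits: Required / Capable
BIP_CMAC_128 = 6                            # group management cipher suite type for BIP

def build_rsn_ie(akm: int, caps: int, group_mgmt: Optional[int] = None) -> bytes:
    """Minimal RSN element: CCMP group and pairwise ciphers, one AKM suite, the RSN
    Capabilities field and, when given, an empty PMKID list plus the group
    management cipher suite (present when the AP offers PMF)."""
    one = (1).to_bytes(2, "little")
    body = one + OUI_IEEE + b"\x04"           # version 1, group data cipher CCMP
    body += one + OUI_IEEE + b"\x04"          # pairwise cipher count 1, CCMP
    body += one + OUI_IEEE + bytes([akm])     # AKM suite count 1, selected AKM
    body += caps.to_bytes(2, "little")        # RSN Capabilities
    if group_mgmt is not None:
        body += bytes(2) + OUI_IEEE + bytes([group_mgmt])   # PMKID count 0, BIP
    return bytes([RSN_EID, len(body)]) + body

def parse_rsn_ie(ie: bytes) -> dict:
    """Decode the fields relevant to 802.11w; trailing optional fields may be absent."""
    if ie[0] != RSN_EID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    pos = 0
    def u16():
        nonlocal pos
        pos += 2
        return int.from_bytes(body[pos - 2:pos], "little")
    def suite():
        nonlocal pos
        pos += 4
        sel = body[pos - 4:pos]
        return sel[3] if sel[:3] == OUI_IEEE else None
    out = {"version": u16(), "group_cipher": suite()}
    out["pairwise"] = [suite() for _ in range(u16())]
    out["akm"] = [suite() for _ in range(u16())]
    caps = u16() if pos + 2 <= len(body) else 0
    out["mfpr"], out["mfpc"] = bool(caps & MFPR_BIT), bool(caps & MFPC_BIT)
    if pos + 2 <= len(body):
        pmkid_count = u16()
        pos += 16 * pmkid_count               # skip the PMKID list
    out["group_mgmt_cipher"] = suite() if pos + 4 <= len(body) else None
    return out

def negotiate_pmf(ap: dict, sta: dict) -> str:
    """'pmf': management frames will be protected; 'no-pmf': unprotected association;
    'reject': policy violation (one side requires PMF and the other cannot, or the
    AP offers PMF without advertising BIP as its group management cipher)."""
    if (ap["mfpr"] and not sta["mfpc"]) or (sta["mfpr"] and not ap["mfpc"]):
        return "reject"
    if ap["mfpc"] and sta["mfpc"]:
        return "pmf" if ap["group_mgmt_cipher"] == BIP_CMAC_128 else "reject"
    return "no-pmf"
```

A legacy client (MFPC clear) is refused by a mandatory WLAN but joins an optional WLAN without protection, which is why the page's note on the two settings matters when older devices are present.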
Security Association (SA) Teardown Protection
SA teardown protection prevents replay attacks from terminating client sessions. It uses an Association Comeback Time and an SA-Query procedure to prevent spoofed association requests from disconnecting clients.
Figure 15: Association Reject with Comeback Time - A Wireshark packet capture showing an IEEE 802.11 Association Reject message with a status code indicating temporary rejection and an Association Comeback Time of 10 seconds.
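An added example, not code from the Cisco guide, modelling the AP-side SA teardown protection sequence this section describes: an unprotected (re)association request for a STA that already holds a protected association is rejected temporarily with the comeback time (10 seconds, as in Figure 15), an SA Query is sent and retried at the saquery-retry-time interval, and the existing association is kept if the STA answers or torn down if it never does. The class and method names, the use of the comeback time as the SA Query deadline, and the millisecond clock are assumptions.

```python
import secrets

STATUS_REJECTED_TEMPORARILY = 30     # 802.11 status code: association rejected temporarily

class SaTeardownGuard:
    """AP-side SA teardown protection for one STA that already has a
    PMF-protected association (simplified model, not Cisco's implementation)."""

    def __init__(self, comeback_time_s=10, saquery_retry_ms=200):
        self.comeback_s = comeback_time_s   # security pmf association-comeback (1-20 s)
        self.retry_ms = saquery_retry_ms    # security pmf saquery-retry-time (100-500 ms)
        self.associated = True              # existing, protected security association
        self.query_start = None             # ms when the SA Query procedure began
        self.next_retry = None
        self.pending_tids = set()           # transaction IDs of unanswered SA Query requests
        self.sent_queries = []              # (time_ms, tid), kept for inspection

    def _send_sa_query(self, now_ms):
        tid = secrets.randbits(16)          # SA Query transaction identifier
        self.pending_tids.add(tid)
        self.sent_queries.append((now_ms, tid))
        self.next_retry = now_ms + self.retry_ms
        return tid

    def on_assoc_request(self, now_ms):
        """Unprotected (re)association request received for this STA's address."""
        if not self.associated:
            return ("accept", 0, None)      # no live SA to protect: normal association
        # Do not drop the existing session on an unverified frame: tell the sender
        # to retry after the comeback time and check liveness with an SA Query.
        if self.query_start is None:
            self.query_start = now_ms
            self._send_sa_query(now_ms)
        return ("reject-temporarily", STATUS_REJECTED_TEMPORARILY, self.comeback_s)

    def on_sa_query_response(self, tid):
        """Protected SA Query response: only the holder of the session keys can send it."""
        if tid not in self.pending_tids:
            return "ignored"                # not a reply to anything we sent
        self.query_start = self.next_retry = None
        self.pending_tids.clear()
        return "keep"                       # the real STA is alive; its session stays

    def tick(self, now_ms):
        """Timer: retry the SA Query until the comeback time elapses, then tear down."""
        if self.query_start is None:
            return "idle"
        if now_ms - self.query_start >= self.comeback_s * 1000:
            self.associated = False         # STA never answered: the old SA is stale
            self.query_start = self.next_retry = None
            self.pending_tids.clear()
            return "teardown"
        if now_ms >= self.next_retry:
            self._send_sa_query(now_ms)
            return "retry"
        return "waiting"
```

Only the second scenario below, where no SA Query response ever arrives, ends the session; a forged association request on its own never does.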
CLI Configuration for Protected Management Frames
Configure PMF parameters:
security pmf [ association-comeback association-comeback-time-in-seconds | mandatory | optional | saquery saquery-time-interval-milliseconds ]
Example:
Controller(config-wlan)#security pmf saquery-retry-time 200
association-comeback: Configures the 802.11w association comeback time (1-20 seconds).
mandatory: Requires clients to negotiate 802.11w MFP protection on a WLAN.
optional: Enables 802.11w MFP protection on a WLAN.
saquery-retry-time: Sets the interval (in milliseconds) for association response checks to verify client authenticity during the comeback time (100-500 ms, in multiples of 100).
WLAN configuration also includes a new AKM type for Protected Management Frames (PMF).
Controller(config-wlan)#security wpa akm pmf ?
dot1x
psk
Note: 802.11w cannot be enabled on WLANs with None, WEP-40, WEP-104, or WPA (AES or TKIP) encryption.
Note: The WLC does not have a GUI configuration for 802.11w.
Monitoring 802.11w
Use the command show wlan name wlan-name to display PMF parameters.
Troubleshooting Support
Use the following debug and trace commands:
Controller#debug pmf ?
all
events
keys
Controller#set trace pmf ?
events
filter
keys
level
Chapter 6: References
- 802.11r, 802.11k, and 802.11w support are part of various certifications (Voice-Enterprise, WMM Voice-Enterprise, WMM-AC, Protected Management Frame). For details, visit: http://www.wi-fi.org/certified-products-advanced-search
- 802.11r and 802.11k support on Apple devices running iOS 6.0 and higher: http://support.apple.com/kb/HT5535
- Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs: http://www.cisco.com/en/US/docs/wireless/technology/vowlan/bestpractices/EntBP-AppMobDevs-on-Wlans.pdf