Wireless Access

  • 1.  Enable 802.11r AOS8

    Posted Sep 09, 2025 10:17 AM

    I am looking for assistance with configuring and enabling 802.11r. I have already enabled what I believe is necessary and assigned a domain ID, but it does not appear to be working.

    This is in a lab environment with 5 APs, all showing 'R' on 'show ap active', and the client also supports 802.11r. The 'show ap debug dot11r' commands do not display any significant information.
    I also understand that OKC and 802.11r cannot run together (from what I read, could be wrong), so I have turned off OKC without success on the 11r part.

    It seems like I'm missing something. Can someone please guide me on how to properly implement and verify 802.11r in action?
    By the way, I'm using ClearPass as the RADIUS server. Not sure if 802.11r needs it because I really don't know or haven't seen examples of 802.11r behavior.

    Thank you for your help.



    -------------------------------------------


  • 2.  RE: Enable 802.11r AOS8

    Posted Sep 10, 2025 06:59 AM

    Hi there,
    802.11r can be a bit confusing sometimes, no surprise.


    The basic idea is that the client won't have to go through a full RADIUS authentication whenever it roams, only a 4-way handshake. The controller should send the R1/PMK key to neighbor APs. There is a way to check that on AOS10, but I'm not sure about AOS8.

    One way to verify if 802.11r actually works is to check the logs when the client roams. We shouldn't see a full RADIUS auth. Perhaps compare 2 flows: one with .11r and one without.

    But what if we see a full auth?
    Well, we can't be sure 802.11r is to blame. Why? Because there is a possibility that the client decides to roam late, in a hopeless situation (remember: roaming is a client decision), or the RF does not really help.

     
    One idea crossed my mind:
    When using a dot1x SSID you can check the cached PMKID entries using the command:
    show dot1x supplicant-info pmkid mac <Client_MAC>
    I didn't test that. Perhaps you can check in the lab and confirm if there is a PMKID among neighbor APs for the same client MAC.

    Hope that helps.

    -------------------------------------------



  • 3.  RE: Enable 802.11r AOS8

    Posted Sep 10, 2025 04:36 PM

    Thanks @Jebreel,
    I learned something new, I was unaware of that 'show dot1x' command. 
    I gave it a try and I can see PMKID replication (I'm not sure if this is the right word) in other APs. However, I think that is normal behavior for PMKID and OKC; there is nothing indicating to me that this was cached because of 802.11r.

    By the way, I used the same command on the production controller, which does not have 802.11r enabled, and still see the PMKID of 1 MAC address on different AP BSSIDs.
    When you say to check logs of client roams, do you mean the 'show auth-tracebuf' or something else?

    Thanks to @chulcher,
    Yes, they are spread out and I can see the device roaming with a software, yes 802.1X is enabled.

    I disabled OKC to force 802.11r, devices are connecting and roaming, but still I do not know a way to tell for sure, that 11r is working.

    Question: Should I see an R1 key or some kind of key cached at other APs when the device connects for the first time without roaming?
    Or does it have to be a roaming event for the APs/controller to share these keys?




    -------------------------------------------



  • 4.  RE: Enable 802.11r AOS8

    Posted Sep 10, 2025 05:40 PM

    When you're dealing with AOS 8, everything is handled by the controller and there's zero need to cache keys on APs.  The controller is handling all of the roaming process.

    The easiest way to determine if 802.11r is operating:

    1. disable OKC
    2. force 802.1X client to roam
    3. observe RADIUS log to see if client had to authenticate on roam


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Enable 802.11r AOS8

    Posted Sep 10, 2025 12:21 PM

    If you're in a lab environment with five APs, are you certain that you've forced a roam?

    You're using an 802.1X enabled WLAN?

    OKC and 802.11r are similar features/technology, just that 802.11r is an actual standard and OKC isn't.  There are some clients that will work with OKC but won't with 802.11r, and vice versa.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: Enable 802.11r AOS8

    Posted Sep 12, 2025 05:12 PM

    I achieved what I wanted!!

    In case this is helpful to anyone else:
    1. Check the 'show auth-tracebuf' command.
    When a device roams with 802.11r, the output will specifically show "ft roam for wireless." The "ft" part means Fast Transition, which is what 802.11r is all about.

    Once a device has roamed this way, you won't see new RADIUS logs for it. 

    The same goes for your RADIUS server, like ClearPass. You won't see any new entries for that client after the initial connection.

    2. Check the 'show log user-debug all' output.
    If you enable user-debug logging for the client, you'll see a bunch of entries with the "FT" keyword. This is the Fast Transition process happening in real-time and is evidence that 802.11r is in use.

    3. Don't bother with 'show ap debug dot11r'
    I tried this command, and it was useless. It looks like the main controller handles all the 802.11r processing, not the individual access points. So, unlike with an Instant AP setup, this command won't give you the information you're looking for.

    -------------------------------------------
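
The check described in the post above (FT roams appear in the trace, no new RADIUS authentication after the initial connect), as an added example that is not part of the original thread and not Aruba's code. The trace lines are constructed and simplified rather than real controller output; only the phrase "ft roam for wireless" comes from the thread, while the `rad-accept` token and the MAC addresses are assumptions.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
FT_MARKER = "ft roam"            # phrase reported in the thread
RADIUS_OK_MARKER = "rad-accept"  # assumed token for a completed RADIUS auth

# Constructed sample, NOT real controller output: time, event, client MAC, BSSID.
SAMPLE_TRACE = """\
10:00:01 rad-req    aa:bb:cc:00:00:01 00:11:22:00:00:a1
10:00:01 rad-accept aa:bb:cc:00:00:01 00:11:22:00:00:a1
10:05:12 ft roam for wireless aa:bb:cc:00:00:01 00:11:22:00:00:a2
10:09:40 ft roam for wireless aa:bb:cc:00:00:01 00:11:22:00:00:a3
10:00:03 rad-accept aa:bb:cc:00:00:02 00:11:22:00:00:a1
10:06:30 rad-accept aa:bb:cc:00:00:02 00:11:22:00:00:a2
"""

def summarize(trace, ft_marker=FT_MARKER, radius_marker=RADIUS_OK_MARKER):
    """Count FT roams and completed full authentications per client MAC."""
    stats = {}
    for line in trace.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue  # headers, blank lines
        # Assumption: the first MAC on a line is the client, the second the BSSID.
        counts = stats.setdefault(match.group(0).lower(),
                                  {"full_auth": 0, "ft_roam": 0})
        lowered = line.lower()
        if ft_marker in lowered:
            counts["ft_roam"] += 1
        elif radius_marker in lowered:
            counts["full_auth"] += 1
    return stats

def verdict(counts):
    """One full auth is the initial connect; more than one means a re-auth."""
    if counts["ft_roam"] == 0:
        return "no-ft-seen"
    return "ft-only-roams" if counts["full_auth"] <= 1 else "ft-and-reauth"

if __name__ == "__main__":
    for mac, counts in sorted(summarize(SAMPLE_TRACE).items()):
        print(mac, counts, verdict(counts))
```

To use it on real output, adjust the two marker strings to whatever the saved trace actually contains.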



  • 7.  RE: Enable 802.11r AOS8

    Posted Sep 13, 2025 04:35 AM

    Hi Carriv.

    Many thx for posting results. Your results are as expected. .11r is here to eliminate the need for full auth when moving between APs during roaming. In a controller environment it is handled by controllers.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------