Support for 802.11r Standard

ArubaOS provides support for Fast BSS Transition as part of the 802.11r implementation. Fast BSS Transition mechanism minimizes the delay when a voice client transitions from one BSS to another within the same ESS. Fast BSS Transition establishes security and QoS states at the target AP before or during a re-association. This minimizes the time required to resume data connectivity when a BSS transition happens.

The following table provides the modes in which Fast BSS Transition is supported:

Table 1: Supported VAP Forwarding Modes

VAP Forwarding Mode

Support for 802.11r

Tunnel Mode

Yes

Decrypt-Tunnel Mode

Yes

Split-Tunnel Mode

No

Bridge Mode

Beta quality

Important Points to Remember

Fast BSS Transition is operational only if the wireless client has support for 802.11r standard. If the client does not have support for 802.11r standard, it falls back to normal WPA2 authentication method.
If dot11r is enabled, iOS clients such as iPad/iPhone gen1 (limitation on iOS) and all MAC-OS clients (limitation on MAC) fail to connect to the network.

Configuring Fast BSS Transition

You can enable and configure Fast BSS Transition on a per Virtual AP basis. You must create an 802.11r profile and associate that with the Virtual AP profile through an SSID profile. You can create and configure an 802.11r profile using the WebUI or CLI.

 

Fast BSS transition is operational only with WPA2-Enterprise or WPA2-Personal.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configurationwindow. Select either the AP Group or AP Specific tab.
a. If you selected the AP Group tab, click the AP group name for which you want to configure the 802.11R profile.
b. If you selected the AP Specific tab, click the AP for which you want to configure the 802.11R profile.
2. In the Profiles list, expand the Wireless LANmenu, then expand the Virtual APmenu.
3. Select the Virtual AP profile for which you want to configure the 802.11r settings and expand SSID Profile.
4. Select the SSID profile on which you want to configure the 802.11r settings and select 802.11R Profile.
a. To edit an existing 802.11r profile, click the 802.11R Profiledrop-down list in the Profile Detailswindow pane and select the 802.11r profile you want to edit.

or

b. To create a new 802.11r Profile, click the 802.11R Profile drop-down list and select New. Enter a new 802.11r profile name in the field to the right of the drop-down list.

 

You cannot use spaces in profile names.

5. Configure the following 802.11r radio settings.
a. Select the Advertise 802.11r Capability option to allow Virtual APs using this profile to advertise 802.11r capability.
b. Enter the mobility domain ID value (1-65535) in the 802.11r Mobility Domain ID field. The default value is 1.
c. Enter the R1 Key timeout value in seconds (60-86400) for decrypt-tunnel or bridge mode in the 802.11r R1 Key Duration field. The default value is 3600.
6. ClickApply to save your settings.

In the CLI

Create an 802.11r profile using the following command:

(host) (config) #wlan dot11r-profile voice-enterprise

Enable Fast BSS Transition using the following command:

(host) (802.11R Profile "voice-enterprise") #dot11r

Configure a mobility domain ID that uniquely identifies a mobility domain using the following command:

(host) (802.11R Profile "voice-enterprise") #mob-domain-id <1-65535>

The default value is 1.

Configure the r1 key timeout value in seconds for decrypt-tunnel or bridge mode using the following command:

(host) (802.11R Profile "voice-enterprise") #key_duration <60-86400>

The default value is 3600 seconds.

Apply the 802.11r profile to an SSID profile using the following command:

(host) (config) #wlan ssid-profile voice dot11r-profile voice-enterprise

You can advertise the 802.11r capability on the Virtual AP profile by applying the SSID profile. Use the following command to apply the SSID profile to the Virtual AP profile:

(host) (config) #wlan virtual-ap voice-AP ssid-profile voice

Troubleshooting Fast BSS Transition

ArubaOS provides various troubleshooting options to verify the Fast BSS Transition functionalities.

In decrypt-tunnel mode and bridge mode, each r0 key generates up to four r1 keys and the controller pushes each r1 key to the corresponding AP. A few commands are added to help verifying the pushing functionality:

Execute the following command to view all the r1 keys that are stored in an AP:

(host)(config) #show ap debug dot11r state

[ap-name <ap-name> | ip-addr <ip-addr>]

You can filter the output based on the AP name, BSSID, or IP address.

(host)(config) #show ap debug dot11r state ap-name MAcage-105-GL

Stored R1 Keys

--------------

Station MAC Mobility Domain ID Validity Duration R1 Key

----------- ------------------ ----------------- ------

00:50:43:21:01:b8 1 3568 (32): 94 ff 18 0a 5f 47 8b 3e 95 2b 93 31 bd 44 58 fe fe 6a ad aa 1d d7 29 94 fb 5b 7c 15 76 66 d2 1f

You can use the following command to remove an r1 key from an AP when the AP does not have a cached r1 key during Fast BSS Transition roaming.

(host) #ap debug dot11r remove-key <sta-mac> ap-name <ap-name> | ip-addr <ip-addr>

(host) #ap debug dot11r remove-key 00:50:43:21:01:b8 ap-name MAcage-105-GL

Execute the following command to check if the r1 key is removed from the AP:

(host)(config) #show ap debug dot11r state ap-name MAcage-105-GL

Stored R1 Keys

--------------

Station MAC Mobility Domain ID Validity Duration R1 Key

----------- ------------------ ----------------- ------

Execute the following command to view the hit/miss rate of r1 keys cached on an AP before a Fast BSS Transition roaming. This counter helps to verify if enough r1 keys are pushed to the neighboring APs.

(host)(config) #show ap debug dot11r efficiency <client-mac>

(host)(config) #show ap debug dot11r efficiency

Fast Roaming R1 Key Efficiency

------------------------------

Client MAC Hit (%) Miss (%)

---------- ------- --------

00:50:43:21:01:b8 0 (0%) 0 (0%)