802.11r wireless roaming on Datto Networking devices

Topic

This article discusses 802.11r wireless roaming on Datto Networking devices.

Environment

  • Datto Networking

Description

What is 802.11r Fast BSS Transition?

802.11r Fast BSS Transition is a method to speed up the roaming process when a client device moves from one access point (AP) to another. Without 802.11r, a roaming client device must search for a new AP, disconnect from its current AP, and authenticate with the new AP. Reconnecting to a new AP can take long enough that time-sensitive applications such as Zoom and Microsoft Teams may drop the call.

802.11r allows the APs to communicate with each other and agree to authenticate a device before it roams. When the client device roams to a new AP, it doesn’t need to go through the complete authentication process, which dramatically reduces connection times.

Why 802.11r is helpful in WPA2-Enterprise and WPA2/3-Enterprise mixed deployments

Depending on your RADIUS configuration, WPA2-Enterprise and WPA2/3-Enterprise require up to 26 management frames to authenticate a client device. 802.11r dramatically reduces the number of management frames to only 4. This makes roaming between APs much smoother.

A good example of why 802.11r is recommended for enterprise deployments is a client moving from one section of the building to another while on a Zoom or Microsoft Teams video call. Without 802.11r, the video and audio may drop out or the call may disconnect completely. With 802.11r, the user may notice a slight stutter in the video and audio during the transition instead of a complete drop or disconnect.

Why 802.11r WPA3-Enterprise is not supported

WPA3-Enterprise enforces strong security settings, and the design of this security method did not include 802.11r Fast BSS Transition support. Client devices and access points that are capable of WPA3-Enterprise cannot support 802.11r when they are configured for WPA3-Enterprise.

Why 802.11r is not needed for WPA2-Personal, WPA3-Personal, and WPA2/3-Personal deployments

WPA2-Personal, WPA3-Personal, and WPA2/3-Personal security require 4 management frames to authenticate a client device. With 802.11r enabled, this is reduced to a minimum of 2 management frames. The speedup from this reduction of frames is unnoticeable.
Furthermore, many client devices don’t support 802.11r for WPA Personal security types. For example, Apple iPhones and most Android devices cannot successfully connect to WPA Personal networks that have 802.11r configured.

Table of supported and recommended 802.11r configurations

Security type          802.11r Supported   802.11r Recommended
WPA2-Enterprise        Yes                 Yes
WPA2/3-Enterprise      Yes                 Yes
WPA3-Enterprise        No                  No
WPA/WPA2-Enterprise    Yes                 No
WPA2-Personal          Yes                 No
WPA2/3-Personal        Yes                 No
WPA3-Personal          Yes                 No
WPA/WPA2-Personal      Yes                 No