How can I check to see if 802.11r is enabled?

Summary

The 802.11r fast secure roaming option is disabled on WLANs by default, but can be configured. The screens below show how to determine whether 802.11r is enabled.

Question

How can I check to see if 802.11r is enabled?

Customer Environment

Ruckus controller or controller-less wireless networks.

Root Cause

A WPA2 vulnerability in the 4-way handshake prompted Ruckus Security Advisory #101617, and 802.11r settings can mitigate exposure. https://ruckus-support.s3.amazonaws.com/private/documents/2040/faq-security-advisory-id-101617-v1.2.pdf?AWSAccessKeyId=AKIAJM3QLNNKLOV235TQ&Expires=1508346449&Signature=PYM7E8ve6MPmU5GWrnUs3HoCblI%3D

Troubleshooting Steps

Verify if your WLANs have 802.11r enabled.

Workaround

Background:
802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake
with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial
handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys
are applied to the client and AP after the client does the re-association request or response exchange with the new
target AP. The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without requiring
re-authentication at every AP. 802.11r eliminates much of the handshaking overhead while roaming, thus reducing the
handoff times between APs while providing security and QoS. This is useful for client devices that have delay-sensitive
applications such as voice and video and is the key requirement for voice over Wi-Fi.

Note: Fast BSS Transition is operational only if the wireless client supports the 802.11r standard. If the client does
not support the 802.11r standard, it falls back to the normal WPA2 authentication method.

The 802.11r option is only available under PSK and 802.1x authentication WLANs.


Workaround:
Verify whether your WLANs have 802.11r enabled, and disable it temporarily until security patch firmware is released and installed.

Resolution

Disable 802.11r on WLANs temporarily until security patch firmware is released and installed.

How to determine if 802.11r is enabled on Ruckus OS platforms:

ZoneDirector 9.13 and earlier:

User-added image

ZoneDirector 10.0 and later:

User-added image

SmartZone 3.4 and higher:

User-added image

SmartZone 3.5.1 (current release):

User-added image

Note: The option to enable/disable 802.11r in SZ WebUI is available only when there is a Zone configured on that
(new) WLAN.
If you create a new WLAN and directly go to the encryption section and enable WPA2, the options for 802.11r are not there.
If you select a Zone (above in the "General" section), the 802.11r options become available.


Ruckus Unleashed (200.5):

User-added image
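Independent of the controller screens, a WLAN with 802.11r enabled advertises it in its beacons: the RSN element lists an FT key-management suite (FT-802.1X or FT-PSK, matching the two WLAN types noted above) and a Mobility Domain element is present. The following is an added example, not Ruckus code; the function names are hypothetical and the sample bytes are constructed, standing in for the tagged parameters of a beacon captured from your own WLAN.

```python
import struct

RSN_IE, MOBILITY_DOMAIN_IE = 48, 54        # IEEE 802.11 element IDs
IEEE_OUI = b"\x00\x0f\xac"
FT_AKMS = {3: "FT-802.1X", 4: "FT-PSK"}    # AKM suite types added by 802.11r

# Constructed samples: SSID "corp" + RSN (+ Mobility Domain in the first one).
FT_BEACON_IES = bytes.fromhex(
    "0004636f7270" "3018" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac04" "0000" "3603" "123401"
)
PSK_BEACON_IES = bytes.fromhex(
    "0004636f7270" "3014" "0100" "000fac04" "0100" "000fac04"
    "0100" "000fac02" "0000"
)

def iter_elements(blob):
    """Yield (element_id, body) pairs; stop cleanly on a truncated element."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def rsn_akm_types(body):
    """Return the IEEE-OUI AKM suite type numbers from an RSN element body."""
    try:
        pos = 2 + 4                                    # version + group cipher
        (n_pairwise,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * n_pairwise                      # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, pos)
        pos += 2
    except struct.error:                               # malformed or short RSN
        return []
    suites = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n_akm)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == IEEE_OUI]

def check_80211r(blob):
    """Report FT indicators found in a beacon's tagged parameters."""
    ft_akms, mdid = [], None
    for eid, body in iter_elements(blob):
        if eid == RSN_IE:
            ft_akms += [FT_AKMS[t] for t in rsn_akm_types(body) if t in FT_AKMS]
        elif eid == MOBILITY_DOMAIN_IE and len(body) >= 3:
            mdid = body[:2].hex()                      # 2-byte Mobility Domain ID
    # Either indicator means Fast Transition is configured on this BSS.
    return {"enabled": bool(ft_akms) or mdid is not None,
            "ft_akms": ft_akms, "mobility_domain": mdid}
```

A WLAN that still reports `enabled: True` after the setting was turned off in the UI has not picked up the change on that AP.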



 

Article Number:
000006475

Updated:
October 27, 2017 01:21 PM (about 1 month ago)

Tags:
Firmware, Security, Known Issues and Workarounds, Unleashed, ZoneDirector, SmartCell Gateway, virtual SmartCell Gateway, SZ100
