We are encountering some problem while trying to configure our Cisco Aironet Autonomous AP (AIR-SAP2602E-E-K9) in order to support FT-PSK authentication (802.11r).
Basically, we are following the document "Cisco IOS Configuration Guide for Autonomous Cisco Aironet Access Points, Cisco IOS Release 15.3(3)JBB", so we have enabled 802.11r on both radio interface and SSID manager. The result is the attached AP configuration (dott11r_cisco_config.txt). The related part shoud be:
dot11 dot11r pre-authentication over-ds
dot11 dot11r reassociation-time value 1200
....
dot11 ssid FT_PSK
authentication open
authentication key-management wpa version 2 dot11r
guest-mode
..
When an 802.11r capable clients tries to connect to "FT-PSK" SSID, the procedure fails and the resulting AP log is the following:
1 Oct 9 01:51:26.035 Information Interface Dot11Radio0, Deauthenticating Station 000a.f5dc.e2bc Reason: Sending station has left the BSS
2 Oct 9 01:51:15.979 Information Interface Dot11Radio0, Station 000a.f5dc.e2bc Associated KEY_MGMT[NONE]
Here there are the details about the AP and the firmware version:
Product/Model Number: AIR-SAP2602E-E-K9
Top Assembly Serial Number: FCZ1744U0LQ
System Software Filename: ap3g2-k9w7-xx.153-3.JBB5
System Software Version: 15.3(3)JBB5
Bootloader Version: BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JAY, RELEASE SOFTWARE (fc1)
System Uptime: 1 hour, 11 minutes
Additionally, we have also tried to do a similar test with the same client using a different network composed by two lightweight APs and a Cisco 5508 Wireless Controller without any issue. In that case the client has been able to connect to the network.
Do you have any idea about reason of the failure?