Aruba Apps

We see that we have the following error in the logs.

802.11r fast roam failed for client yy.yy.yy.yy.yy.yy to BSSID xx:xx:xx:xx:xx:xx of AP hostname AP_P0_10. Reason: PMKR1 for station is not present on the AP

We believe that the devices are not roaming correctly.

What can be the cause?

I just deployed AOS10 with Aruba Central and I get the same thing in my environment. I believe it's because the Primary Key for radius isn't being delivered to all the APs from central in my case as there isn't the traditional cluster/controller type design. But then again, I could be wrong. But based on what I kind of see I think it referes to this roaming 

Validate Pairwise Master Key (PMK) ID
This parameter instructs the controller to check the Pairwise Master Key (PMK) ID sent by the client and mainly
helps when OKC is enabled. It ensures that the PMKID on the client and server matches before the controller
uses the cached opportunistic key, If it does not match then the client will go through the complete 802.1X key
exchange

Again, that is the exact verbiage from the Aruba docs. So, without a controller I do wonder how that works. I would love to see some more VRD around AOS 10 that explains these things like the old docs do.

What does your implementation look like?

I lied the AOS 10 VSG doc does mention this. 

AUTHENTICATION STATE/KEY SYNC

Authentication keys are synchronized across APs by the Key Management Service (KMS) in Central. This allows a client to roam between APs without re-authenticating or rekeying their encrypted traffic. This decreases the load on the RADIUS servers, but also speeds up the roaming process for a seamless user experience. Key synchronization and management are automatically handled by the APs and Central, so no additional user configuration is required.

So, I am very curious about this error as well. 

Hello, The possible cause of the error message "802.11r fast roam failed for client yy.yy.yy.yy.yy.yy to BSSID xx:xx:xx:xx:xx: xx of AP hostname AP_P0_10. Reason: PMKR1 for the station is not present on the AP" could be that the PMK (Pairwise Master Key) Rekeying-1 (PMKR1) for the client device is not present or not properly configured on the access point (AP) with the specified BSSID. This can prevent the smooth roaming of devices between access points in a wireless network using 802.11r fast roaming.  

I contacted support and they told me to disable all 802.11r/k/v features. I did as they prescribed and it did nothing to resolve the issue. The was closed and at this point I haven't been able to find out why. Did you have any progress on it @ejara ?

I see this error mostly on APs that has no visibility with their neighbors. There were some discussion about AOS10 roaming at ATM23 as it is very different than on AOS8. I'm also very interested about the progress on this. Currently we added some AP to increase the coverage and waiting for the results.

Best, Gorazd

I was originally getting this message on my AP-655s.  I tried a few things and not sure what the thing was that actually fixed the issue for me but I do not see the PMKR1 error anymore.

What I did:
1. Enabled Channel Quality Aware - https://www.arubanetworks.com/techdocs/central/2.5.6/content/nms/apps/airmatch/airmatch-cfg.htm?Highlight=Channel%20Quality%20Aware.  This has caused an issue with the config syncing for the APs and I have a ticket open about that.  The sync issue looks like it is trying to apply some settings that are default for APs and it is not seeing the change in the config.  It seemed to me that ARM/Channel Power/Channel movement was not working, so I assumed that something was wrong with ARM/AirMatch.  Seems like AirMatch/ClientMatch is working for me now.

2. Rebooted all APs.

3. Disabled and re-enabled ClientMatch and AirMatch for our Aruba Central tenant (DO THIS AT YOUR OWN RISK - NON Aruba site)
https://central.wifidownunder.com/deployment-clientmatch.html 





Here is the config sync Issues I get on the APs after enabling Channel Quality Aware.  This doesnt seem to cause any issues but I have a ticket open.