Fast Roaming Protocol greyed out and cannot enable

Hi all, I have a new installation with 10x e500, all transmitting the same SSID. I need to enable Fast Roaming Protocol through the cloud based cnMaestro but it is greyed out and cannot do anything with it. cnMaestro Managed Roaming option was enabled but I made sure I disabled it before trying to enable Fast Roaming.

Why is this happening? Is it enabled by default? On the other hand, if it is enabled by default, why are OKC and 802.11r still greyed out?

OKC and 802.11r will be enabled when WPA2 Enterprise(802.1X) security option is chosen.
when WPA2 preshared keys is chosen, only 802.11r will be enabled(OKC will be greyed out).
when security is open both will be greyed out.


Thank you Anand,

However, I will not be using either 802.1X security or WPA2 preshared keys for authentication. As this is a wifi4eu project, authentication will be through a guest portal splash page with free access. Does this mean fast roaming 802.11r cannot be used? I did not get to the configuration of the splash page yet so I did not have the chance to test it.

802.11r and OKC is not needed when open authentication is configured. Please enable cnMaestro managed roaming for guest client to roam seamlessly.


Is it not needed or it is not intended to work by construction with open authentication? Because 802.11r is a requirement for wifi4eu! Otherwise the installation will not meet the criteria.

I think you need to enable WPA2 security on the WLAN for meeting this requirement.

I am looking it up just now and I think you are right! That makes me wonder if I am isiing something. How can they want free access and require 802.11r at the same time. I have to research more.

Thank you!

Another question… If I keep the cnMaestro Enhanced Managed Roaming disabled and I do not enable WPA2 (or any other form of authentication) is roaming totally not working?

There are two types of roaming , L2 and L3.

For L2 roaming, AP will exchange roam notification packets, since home and foreign AP are in the same L2 domain. if dot1x or WPA2 is enabled in this scenario, then OKC and 11r will give you better roaming experience.

In case of L3 roaming, home AP and foreign AP will be in separate network.
cnMaestro managed mobility ( Enhanced roaming) will be used in this scenario for client cache exchange. This feature is available only in Guest enabled WLAN.

802.11r specifies fast (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources.

The key negotiation protocol in 802.11i needs WPA2-CCMP method ,the client is required to renegotiate its key on every handoff ( Client moving across APs) , a time-consuming process.

11r & OKC allow for the part of the key derived from the server to be cached in the wireless network, so that a reasonable number of future connections can be based on the cached key, avoiding the 802.1X process. For OPEN method there is no encryption keys exists so clients not required cache any keys

In my case it would be L2 roaming. So I would assume that since neither dot1x nor WPA2 will be enabled, roaming will occur not based on OKC or 11r but on disconnection of the client when the signal from the AP he is connected becomes very weak and then reconnecting to another AP with a better signal.

There will not be any roaming in open network. When client moves to another AP’s signal range, client will have to repeat the steps it performed with the previous associated AP. Design the WiFi in such a way that AP signal overlays for client’s to connect seamlessly.


Understood. The wifi it is indeed designed so the SSID overlaps between APs. This is why I wanted roaming in order for the clients to be pushed to the AP with the stronger signal. Thank you for your answers.