WiFi fast roaming recommendations?

[stevelup]

The Ubiquti AP's can run without a controller but only once the initial boot has completed and it has received the config from the controller, from that point they continue running as per the config until such time a reboot happens. However these are not autonomous access points, they are still managed radios. Autonomous access points either store the config themselves and restore it during boot or they feature their own built-in mini-controller of sorts (such as the Arubu IAP series).

This is completely wrong. They are entirely autonomous once the controller has pushed the config to them. You do not need the controller running at all for normal operation, reboot or not.

There is no limit to the number of devices either. The 'controller' simply is not a controller in the sense you believe it is - it's simply an administration platform.

[sokoloff]

The Ubiquti AP's can run without a controller but only once the initial boot has completed and it has received the config from the controller, from that point they continue running as per the config until such time a reboot happens. However these are not autonomous access points, they are still managed radios. Autonomous access points either store the config themselves and restore it during boot or they feature their own built-in mini-controller of sorts (such as the Arubu IAP series).

This is completely wrong. They are entirely autonomous once the controller has pushed the config to them. You do not need the controller running at all for normal operation, reboot or not.

Can verify. I've tested this at my house (though with fairly short power cycles, so perhaps one might argue that a short-term power cycle is treated differently).

I setup Ubiquiti equipment at my parents' place and used one of their computers to run the Ubiquiti controller software. This software is manually launched, you then connect to a running web server in that program, and when you close the program or reboot the computer, nothing remains running. They subsequently lost power for days in Hurricane Florence and when power came back, their network came back (wired and wireless) without any Ubiquiti controller software running anywhere.

[Monkeh]

Oh, hey, wpa_supplicant and hostapd just got a new release for the first time in a couple of years.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

What's that I see, CVE-2017-13082 fixed? I thought FT was unfixable?

[Halcyon]

Oh, hey, wpa_supplicant and hostapd just got a new release for the first time in a couple of years.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

What's that I see, CVE-2017-13082 fixed? I thought FT was unfixable?

I thought you said it was already fixed?

I never said CVE-2017-13082 was "unfixable", I said (in summary) that it still poses a real security risk and most manufacturers are recommending against its use. You were the one claiming it had already been fixed and that it wasn't a security risk when this is simply not true in the vast majority of cases.

But this is good news, now that we've seen actual changes to the WPA supplicant (which I see was dated just a few days ago), this offers some reassurance to those customers who want to use 802.11r / Fast Roaming on their network, once manufacturers start adopting the changes. However don't expect this to be rolled out across the board, especially to older devices. One should always check whether their device is still vulnerable or not.

My professional advice is, if you aren't sure, leave Fast Roaming turned off. For most people, it really doesn't offer much of an advantage.

[Monkeh]

Oh, hey, wpa_supplicant and hostapd just got a new release for the first time in a couple of years.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

What's that I see, CVE-2017-13082 fixed? I thought FT was unfixable?

I thought you said it was already fixed?

But there wasn't an official release yet. I just saw this one pop up - we've been begging them to roll up all of this stuff and save distro packagers for ages. Among other things I can stop having to manually patch to get PMF support on clients now.

I never said CVE-2017-13082 was "unfixable", I said (in summary) that it still poses a real security risk and most manufacturers are recommending against its use. You were the one claiming it had already been fixed and that it wasn't a security risk when this is simply not true in the vast majority of cases.

Despite say, Cisco having already released patches and said 'patch and its fine'..

But this is good news, now that we've seen actual changes to the WPA supplicant (which I see was dated just a few days ago), this offers some reassurance to those customers who want to use 802.11r / Fast Roaming on their network, once manufacturers start adopting the changes. However don't expect this to be rolled out across the board, especially to older devices. One should always check whether their device is still vulnerable or not.

The actual change is rather older - I did link it previously. Most enterprise vendors rolled it out fast, consumer stuff I assume is broken on shipment and forever after.

[Halcyon]

...consumer stuff I assume is broken on shipment and forever after.

For the most part, I agree. The vast majority of consumer gear is just cheap garbage. The advantage they have over enterprise gear is they are usually plug-and-play so anyone without any networking knowledge should be able to get them up and running.