We've started testing a new 802.1X-enabled SSID and users are reporting that their Apple devices are disconnecting when they roam between APs. We have hundreds of MBPs, Airs, and iPhones, 50 Cisco 1142 APs and two Cisco 5508 WLCs in HA mode.
I created a new 802.1X-enabled SSID which authenticates back to FreeRADIUS and OpenLDAP servers. It works, except that when users roam between APs their connection drops for about 10 seconds. Voice and video calls will drop and I lose about a dozen pings before it re-authenticates. Under Prefs -> Network on my laptop, I can see 802.1X go into an authenticating state. I've replicated the problem on laptops running both 10.9.1 and 10.8. It also happens on iOS devices, but the disconnect is only 5 seconds instead of 10.
To try and resolve the issue, I reviewed Cisco's best practices for Apple devices and then I tried the following fixes. I re-tested between enabling each feature.
1. 802.11r & 802.11k
2. Fast transition, fast transition over-the-DS, and FT 802.1X
5. Increased the EAP timeout values
6. Disabled client load balancing
It appears that OS X is not sending cached credentials (PMKID) and the Cisco 5508 WLC is forcing the Apple laptops to go through the full 802.1X authentication process each time they roam.
Is there a way to require OS X to use 802.11r and 802.11k?
I'd be grateful for any assistance or advice that you can offer.
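
One way to check from the RADIUS side whether roams trigger a full 802.1X authentication, as an added example that is not part of the original post: when key caching or fast transition works, a roam should not produce a new successful login on the RADIUS server, so repeated logins from the same client MAC at short intervals point to full re-authentication. The log layout (FreeRADIUS `radius.log` with auth logging enabled), the sample lines (constructed) and the 600-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed radius.log layout; adjust the pattern if your build logs differently.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: (?:\(\d+\) +)?"
    r"Login OK: \[(?P<user>[^\]]*)\] \(from client \S+ port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f:.-]+)"
)

# Constructed sample input: alice roams and re-authenticates, bob does not.
SAMPLE_LOG = """\
Tue Jan 14 10:01:58 2014 : Info: Ready to process requests
Tue Jan 14 10:02:11 2014 : Auth: Login OK: [alice] (from client wlc1 port 13 cli 00-1e-c2-aa-bb-cc)
Tue Jan 14 10:03:00 2014 : Auth: Login OK: [bob] (from client wlc1 port 13 cli 28-cf-e9-11-22-33)
Tue Jan 14 10:05:40 2014 : Auth: Login OK: [alice] (from client wlc1 port 13 cli 00:1E:C2:AA:BB:CC)
Tue Jan 14 10:09:02 2014 : Auth: Login OK: [alice] (from client wlc1 port 13 cli 00-1e-c2-aa-bb-cc)
Tue Jan 14 11:05:00 2014 : Auth: Login OK: [bob] (from client wlc1 port 13 cli 28-cf-e9-11-22-33)
"""

def normalize_mac(mac):
    """Strip separators so 00-1e-.. and 00:1E:.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse(lines):
    """Yield (timestamp, user, mac) for every successful login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], normalize_mac(m["mac"])

def rapid_reauths(lines, window_s=600):
    """Map client MAC -> gaps (seconds) between successive full logins
    that are shorter than window_s (assumed to be well below the
    configured session timeout)."""
    last_seen = {}
    gaps = defaultdict(list)
    for ts, _user, mac in sorted(parse(lines)):
        prev = last_seen.get(mac)
        if prev is not None:
            gap = int((ts - prev).total_seconds())
            if gap <= window_s:
                gaps[mac].append(gap)
        last_seen[mac] = ts
    return dict(gaps)

if __name__ == "__main__":
    for mac, g in rapid_reauths(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {len(g)} full re-auths, gaps (s) = {g}")
```
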