
clients frequently re-authenticate with ISE

cghaderpour
Level 1

Hello friends

 

I have Cisco ISE and Meraki in place to authenticate wireless clients (Windows and Apple iPads) using EAP-TLS and certificates.

The authentication process seems to be working and I see clients auto-join the new SSID when they get the new Wi-Fi profile and machine certificate. However, in the live logs I see many clients re-authenticate frequently on ISE and keep doing that for the whole day, while some authenticate once and stay connected. I'm wondering what could be causing this for them. Could AP roaming cause this issue? I mean, when clients move from AP to AP, do they need to re-authenticate with ISE again? If this is not the case, what else can be the root cause?

 

Thanks 

 

15 Replies

As @Arne Bier said, 802.11r (FT) is the ultimate tool to distribute the keys to the roaming candidate APs. With the Meraki way of implementing it (activating non-Fast-Transition and Fast Transition simultaneously), I have not seen many incompatibilities lately. At least not in office environments.

But even without that, legacy OKC and SKC, which are enabled by default, can improve the situation.

In the Meraki environment, it is also crucial that all APs that have a roaming path are part of the same dashboard network. If you have, for example, one network for Floor 1 and a different network for Floor 2, this will always be a slow roam if the client decides to change between APs of other floors.

For troubleshooting: Pick the most active client in the ISE Live Log and compare the activity to the Meraki Client-Roaming-Analysis.
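The comparison suggested in the reply above can be started from the ISE side with a short script. This is an added example, not code from any poster, Cisco or Meraki: it assumes the full authentications seen in the Live Log have been exported to a CSV with the hypothetical columns `timestamp`, `client_mac` and `ap_name`, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of full EAP-TLS authentications. The column names are
# assumptions for this example, not the schema of an ISE export.
SAMPLE = """timestamp,client_mac,ap_name
2024-05-06T08:00:05,AA:BB:CC:00:00:01,AP-F1-01
2024-05-06T08:12:40,AA:BB:CC:00:00:01,AP-F1-02
2024-05-06T08:30:10,AA:BB:CC:00:00:01,AP-F2-01
2024-05-06T08:31:00,AA:BB:CC:00:00:01,AP-F1-02
2024-05-06T08:01:00,AA:BB:CC:00:00:02,AP-F1-01
2024-05-06T09:01:00,AA:BB:CC:00:00:02,AP-F1-01
2024-05-06T10:01:00,AA:BB:CC:00:00:02,AP-F1-01
2024-05-06T08:05:00,AA:BB:CC:00:00:03,AP-F2-01
"""

def classify_reauths(csv_text):
    """Per client: count full authentications and split the repeats into
    'roam' (AP changed since the previous auth) and 'same_ap' (AP unchanged)."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        events[row["client_mac"].upper()].append((when, row["ap_name"]))
    report = {}
    for mac, evs in events.items():
        evs.sort()  # chronological order per client
        stats = {"auths": len(evs), "roam": 0, "same_ap": 0, "min_gap_s": None}
        for (t0, ap0), (t1, ap1) in zip(evs, evs[1:]):
            stats["roam" if ap0 != ap1 else "same_ap"] += 1
            gap = (t1 - t0).total_seconds()
            if stats["min_gap_s"] is None or gap < stats["min_gap_s"]:
                stats["min_gap_s"] = gap
        report[mac] = stats
    return report

def most_active(report):
    """Client with the most full authentications: the one to look up in Meraki."""
    return max(report, key=lambda mac: report[mac]["auths"])

if __name__ == "__main__":
    result = classify_reauths(SAMPLE)
    for mac, stats in sorted(result.items()):
        print(mac, stats)
    print("most active:", most_active(result))
```

A client whose repeats are mostly `roam` is doing a full authentication on each AP change, which is the case 802.11r or OKC key caching addresses; a client whose repeats are `same_ap` is re-authenticating without moving, so roaming is not the explanation for it.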