Thanks Craig,

but i don't find the CWA appropriate...actually currently we are on such solution, but with CWA on WLC. The roaming is terrible.

And if i use MAC authentication - it is very weak (if used without profiling).

Alexander,

You state that forcing reauth on each roam is considered too secure, but easing restriction based on MAC (post auth) is considered too insecure.  You are coming to the obvious conclusion that policy is often a balance between security controls and user experience/productivity!

If EAP Chaining is serving your purpose, then consider appropriate key caching mechanisms based on clients and test.  For example, dot1x + adaptive 11r may be suitable, but best to confer with wireless team. 

Also, ISE 2.2+ supports RADIUS Token caching which could help reduce the need to reauth OTP on each reauth.  This may be your perfect balance between security and convenience, in addition to reduced reauth for viable key caching methods.

Craig

Craig,

you are absolutely right, this is known "issue" - as something becomes more secure is more hard for use. But this is life

Today i tested one part of the whole solution - authentication against the RADIUS Token Server (HID). EAP-FAST+EAP*GTC as inner method and everything works like a charm. No special protocols for fast roaming of the wireless (i know they are specific and most commonly not recommended if we want high compatibility). And even with roaming between APs - no requirement for token code input. BUT there is some session cache on the ISE, which i don't understand...because on each roaming between APs there was no request to the RADIUS token server, nor the client was asked for OTP code. And the RADIUS Token caching feature was not enabled in the RADIUS Token server configuration.

Can someone explain me what is this cache and how can it be controlled?

I didn't finished the EAP-Chaining test, because for some reason the Machine authentication via certificates was not successful. Always fails. If someone can share experience with this i'll be very thankful.

L2 roaming on secure network typically does not change session ID so would not expect disruption.

Yes, but this session info where is cached and what control of the cache we have (cache time, erasing entry in the cache)?

If the client is doing proper roaming in the wireless network, the wireless controller will not do a re-auth of the user. The authentication info of the client is retained in the wireless controller &  the controller will not pass any authentication request to ISE. When I say proper roaming, I would mean the client will be moving from AP to another, without being in some areas no coverage.

By default this is  an in-built feature in WPA2+AES and you don't need fast roaming protocols.How long the controller retains the information of client depends on many parameter like session time-out, idle-timeout, bcast key refresh & I would say that will be pure wireless question

Regards

Nikhil,

i read many thins these days related to the topic, but i cannot agree with your post.

With reference to this community document:

802.11 WLAN Roaming and Fast Secure Roa... - Cisco Support Community

In summary - it seems that full Authentication is done during normal, supported roaming. If we use fast roaming technologies on the WLC - we can speed up the things. Also if the authentication server has some caching functions - we can save some time. Otherwise - full authentication is done.