jthullen
Beginner

NAC agent on Wireless runs every time we switch controllers

Hello all, we are seeing an issue in our environment and wanted to inquire about it. We have a Cisco wireless infrastructure in place here - 2 5508 controllers and approx 200 3502 APs. We have the APs split evenly between the 2 controllers. We backend this system with an in-band NAC Appliance Clean Access Server for posture assessment. What we are noticing is that when a user "roams" from one AP to another, and if the APs are connected to 2 separate controllers, the NAC agent will run again. The logs in the CAM support this, as we see the user being logged out and then logged back in. We have the 2 controllers configured in a mobility group that should allow roaming. So would this be expected behavior? Does the controller still send the RADIUS Accounting Stop packets to the CAS when it hands off a wireless session to another controller even if they are in a mobility group? Any help or thoughts would be appreciated.

Thanks,

Jeff      

Accepted Solutions
Tarik Admani
Advocate

Jeff,

Since you are using dot1x I found the following note in the mobility configuration guide:

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html

All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication in order to comply with the IEEE standard.

From your RADIUS server, do you see a second authentication attempt come in from the second controller? If so, then most likely this is due to the RADIUS accounting stop and start messages during the roaming.

Thanks,

Tarik Admani
*Please rate helpful posts*


Tarik, that is exactly what we have confirmed via logs is happening. Thank you for your help in getting this resolved and answered!

Jeff
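Added example, not part of the original thread: one way to confirm from RADIUS accounting data that a NAC re-login lines up with an inter-controller roam, by pairing each Accounting Stop with a Start for the same client from a different controller shortly afterwards. The records, controller addresses and 10-second window are constructed assumptions; the attribute names are the standard RFC 2866 ones, not a CAM or WLC log format.

```python
from datetime import datetime, timedelta

# Constructed sample accounting records; 10.0.0.1 and 10.0.0.2 stand in for
# the two controllers in the mobility group.
RECORDS = [
    {"ts": "2012-06-01T09:00:00", "Acct-Status-Type": "Start", "Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "10.0.0.1", "User-Name": "alice"},
    {"ts": "2012-06-01T09:05:00", "Acct-Status-Type": "Stop",  "Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "10.0.0.1", "User-Name": "alice"},
    # Same client, other controller, MAC written in a different style.
    {"ts": "2012-06-01T09:05:02", "Acct-Status-Type": "Start", "Calling-Station-Id": "00:11:22:33:44:55", "NAS-IP-Address": "10.0.0.2", "User-Name": "alice"},
    # Same controller: an ordinary logout and later login, not a roam.
    {"ts": "2012-06-01T09:10:00", "Acct-Status-Type": "Stop",  "Calling-Station-Id": "AA-BB-CC-00-00-01", "NAS-IP-Address": "10.0.0.1", "User-Name": "bob"},
    {"ts": "2012-06-01T09:10:03", "Acct-Status-Type": "Start", "Calling-Station-Id": "AA-BB-CC-00-00-01", "NAS-IP-Address": "10.0.0.1", "User-Name": "bob"},
    # Different controller but far outside the window: a new session.
    {"ts": "2012-06-01T09:20:00", "Acct-Status-Type": "Stop",  "Calling-Station-Id": "AA-BB-CC-00-00-02", "NAS-IP-Address": "10.0.0.2", "User-Name": "carol"},
    {"ts": "2012-06-01T09:45:00", "Acct-Status-Type": "Start", "Calling-Station-Id": "AA-BB-CC-00-00-02", "NAS-IP-Address": "10.0.0.1", "User-Name": "carol"},
]


def normalize_mac(mac):
    """Lower-case and use '-' separators so both MAC styles compare equal."""
    return mac.lower().replace(":", "-")


def find_roam_relogins(records, window=timedelta(seconds=10)):
    """Return (mac, user, old_nas, new_nas, gap_seconds) for every Stop that is
    followed within `window` by a Start for the same client from another NAS."""
    last_stop = {}  # mac -> (timestamp, NAS address) of the most recent Stop
    hits = []
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["ts"])):
        ts = datetime.fromisoformat(rec["ts"])
        mac = normalize_mac(rec["Calling-Station-Id"])
        nas = rec["NAS-IP-Address"]
        if rec["Acct-Status-Type"] == "Stop":
            last_stop[mac] = (ts, nas)
        elif rec["Acct-Status-Type"] == "Start" and mac in last_stop:
            stop_ts, stop_nas = last_stop.pop(mac)
            gap = ts - stop_ts
            if stop_nas != nas and gap <= window:
                hits.append((mac, rec["User-Name"], stop_nas, nas, gap.total_seconds()))
    return hits


if __name__ == "__main__":
    for mac, user, old_nas, new_nas, gap in find_roam_relogins(RECORDS):
        print(f"{user} ({mac}): Stop on {old_nas}, Start on {new_nas} after {gap:.0f}s")
```

Matching these pairs against the logout/login times on the NAC side shows whether each agent re-run coincides with a controller change.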
