NAC agent on Wireless runs every time we switch controllers

jthullen
Level 1

Hello all, we are seeing an issue in our environment and wanted to inquire about it. We have a Cisco wireless infrastructure in place here - 2 5508 controllers and approx 200 3502 APs. We have the APs split evenly between the 2 controllers. We backend this system with an in-band NAC Appliance Clean Access Server for posture assessment. What we are noticing is that when a user "roams" from one AP to another, and if the APs are connected to 2 separate controllers, the NAC agent will run again. The logs in the CAM support this, as we see the user being logged out and then logged back in. We have the 2 controllers configured in a mobility group that should allow roaming. So would this be expected behavior? Does the controller still send the RADIUS Accounting Stop packets to the CAS when it hands off a wireless session to another controller even if they are in a mobility group? Any help or thoughts would be appreciated.

Thanks,

Jeff      

Accepted Solutions

Tarik Admani
VIP Alumni

Jeff,

Since you are using dot1x I found the following note in the mobility configuration guide:

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html

All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication in order to comply with the IEEE standard.

From your RADIUS server, do you see a second authentication attempt come in from the second controller? If so, then most likely this is due to the RADIUS accounting stop and start messages during the roaming.

Thanks,

Tarik Admani
*Please rate helpful posts*

2 Replies

Tarik, that is exactly what we have confirmed via logs is happening. Thank you for your help in getting this resolved and answered!

Jeff
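
One way to confirm the pattern discussed in this thread from captured accounting traffic, as an added example that is not part of the original posts: it decodes RADIUS Accounting-Request packets and flags a Stop from one controller followed shortly by a Start from the other for the same client. It assumes Calling-Station-Id carries the client MAC and NAS-IP-Address identifies the controller; the function names, the 5-second window, the addresses and the packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
# RADIUS attribute types (RFC 2865/2866) and Acct-Status-Type values
NAS_IP, CALLING_STATION, ACCT_STATUS = 4, 31, 40
START, STOP = 1, 2

def parse_acct(pkt):
    """Return {attr_type: value bytes} for a RADIUS Accounting-Request (code 4)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 4 or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20                      # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def find_controller_roams(events, window=5):
    """Flag a Stop from one NAS followed within `window` s by a Start from another."""
    last_stop, roams = {}, []
    for ts, pkt in events:                   # events must be in time order
        a = parse_acct(pkt)
        if not {NAS_IP, CALLING_STATION, ACCT_STATUS}.issubset(a):
            continue                         # cannot correlate without these
        mac, nas = a[CALLING_STATION].decode(), str(IPv4Address(a[NAS_IP]))
        status = int.from_bytes(a[ACCT_STATUS], "big")
        if status == STOP:
            last_stop[mac] = (ts, nas)
        elif status == START and mac in last_stop:
            stop_ts, stop_nas = last_stop.pop(mac)
            if nas != stop_nas and ts - stop_ts <= window:
                roams.append((mac, stop_nas, nas, ts - stop_ts))
    return roams

def build_acct(status, mac, nas_ip):
    """Constructed test packet; the authenticator is zeroed, not computed."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (attr(ACCT_STATUS, struct.pack("!I", status))
            + attr(CALLING_STATION, mac.encode()) + attr(NAS_IP, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", 4, 0, 20 + len(body)) + bytes(16) + body
# Constructed sample: (epoch seconds, packet); 192.0.2.x stand in for the two controllers
SAMPLE = [
    (160, build_acct(STOP, "00-11-22-33-44-55", "192.0.2.10")),
    (161, build_acct(START, "00-11-22-33-44-55", "192.0.2.11")),   # other controller
    (200, build_acct(STOP, "66-77-88-99-AA-BB", "192.0.2.10")),
    (900, build_acct(START, "66-77-88-99-AA-BB", "192.0.2.10")),   # same controller, later
]
```

Each tuple returned by `find_controller_roams(SAMPLE)` is (client MAC, old controller, new controller, gap in seconds), which can be lined up against the logout/login entries in the CAM.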