We are migrating a site from 5508 WLCs with 3502 APs towards a 9800 WLC with 9120 APs. To support a rip and replace scenario we loaded the 5508 with the 8.5MR5ircm image so roaming between the old and new network would be possible. DHCP has been setup with option 60 to send 9120s towards the new controllers, while keeping the 3500s on the old controllers. 

Now we have 2 SSID's, 1 open for general use, and 1 corporate SSID with  dot1x (EAP-TLS), and the situation is as follows:

•  The open SSID users stay on the same vlan while roaming from the old to the new controller and vice versa. The first test failed with the message on the 9800: Handoff Deny: Profile Mismatch. It turned out that FT was enabled on the new controller while disabled on the old. After we disabled it, roaming worked perfectly well.
• The corporate SSID is set up on the old controller with an interface group, where AP groups are set up with the correct vlan interface per campus building and floor. On the new controllers we are migrating to a new IP plan, with corresponding vlans. Now the roaming is working only 1 way, from the old controller to the new. In the client monitoring view on the 980 you see these client with an IP address from the old controller and marked as foreign, which is correct. Only, when we are roaming from the new 9800 controller to the old 5508 controller, we get again the mobility message: Handoff Deny: Profile Mismatch. All settings have been double checked, naming, security, FT, radius servers (even the order is the same as with the old controllers), and are set up equally. But it only works from 5508 to 9800, and not the other way around. Is this because of the interface group on the main WLAN profile of the 5508? Or do we have to look into other directions?

Best regards,

Chris Donkelaar