Yes the Android are running with the latest firmware. We have several SSIDs. Without authentication they roam well. Also with the following Settings they roam fine: SSID -> Security -> Layer 2 :

Security WPA+WPA2

PMF Disabled

Fast Transition inactive

WPA+WPA2 Parameters only WPA2 Policy-aes Enabled

Authentication Key Management

802.1X enabled

But the ios Device doesent roam at all.

Confirm the cisco sheet (Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN) the configuration for the IOS must be like i describe at the beginn but with this settings now the Android have Problems to roam.

Now my question is if there are settings how work for Android and for ios or if there is a other solution.

Thanks

Hi Lukas,

To echo what Leo stated, it would be good to possibly migrate to a newer and recommended version of AireOS on your WLC:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-TAC-Recommended-AireOS.html?cachemode=refresh

Now with that out of the way, sounds like you have an interesting scenario on your hands! If I understand you correctly, you're stating that your Android client devices on the latest Android build are roaming but not well. Whereas the iOS 10 devices are not roaming at all?

What is the make/model of Android client devices you are encountering this issue with? Given that Android devices vary wildly in capabilities and behavior across that partner ecosystem, this will be an important distinction.

What is the make/model of the Apple iOS devices you are encountering this issue with?

What is the name or WLAN ID that these respective devices are connecting to? Can you post the full WLAN config for review?

For starters, do you know if your Android devices support 802.11r (Fast Transition / FT)? If so, you may want to consider enabling it on a test WLAN and connect a test Android as well as iOS 10 device to the test SSID and roam about your facility. Otherwise, the iOS devices will only be able to use Sticky Key Caching (SKC), and depending on your Android devices in question, they may or may not use SKC or OKC as a PMK caching/fast secure roaming method. At worst, your clients are having to go through full 802.1X/EAP authentication at every roam, which is typically time consuming and can be disruptive to ongoing VoWiFi calls, etc.

Can't say unless we can check the device specs to confirm/deny. Best case scenario is if they both support 802.11r, then you can enable it and use FT over-the-air methodology as outlined in the iOS Enterprise Best Practices on Cisco WLANs as a general template:

http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-3/Enterprise_Best_Practices_for_Apple_Devices_on_Cisco_Wireless_LAN.pdf

That said, as you observed issues with FT enabled (though do try FT over-the-air by disabling FT over-the-DS), the best thing at this point is to reproduce the issue you're observing and collect the following:

1. An over-the-air (OTA) packet capture (sniffer should be NTP synchronized).

• You'll need to have multiple USB WLAN adapters that can be placed into monitor mode using OmniPeek or similar (so long as it can save to a *.pcapng or similar pcap format file)
• This is due to the fact that you'll need to simultaneously monitor multiple channels and aggregate the frames into a single capture file given that the issue is with a roaming scenario (and thus multiple channels in use).

2. Save the CLI session output for the following WLC debugs to a text file:

• config sessions timeout 0
• config paging disable
• debug client <client_MAC-address>
• show client detail <client_MAC-address>   (Note: collect several samples of this last command every 10-15 seconds or so until the end of the test)

Once you have reproduced the issue and the test has concluded, you can disable the above debugs using the following CLI command:

• debug disable-all

3. At the end of your test, save the following CLI session output from your WLC to another text file:

• config paging disable
• show run-config
• show msglog
• show traplog

4. At the end of your test, also save the following CLI session output from the AP(s) you encountered the issue on to separate text files (per AP) as well:

• en
• term len 0
• show clock
• show tech
• show capwap client mn
• show int do1 dfs
• show logging
• more event.log
• show trace dot11_rst display time format local
• show trace dot11_rst
• show trace dot11_bcn display time format local
• show trace dot11_bcn

With that, you should be able to pinpoint what may be the issue or at the very least, get you started down the right path to resolution. You can also then upload these logs and OTA captures to a Cisco TAC case once opened and they can further advise if/as needed, and continue troubleshooting with you.

For those that are not faint of heart; if you want to do a true deep-dive (or if the above is found to not be sufficient in and of itself), you can go through all steps as outlined in the below article:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/200480-Troubleshooting-Guide-for-Wireless-Clien.html

Hopefully that helps!