10-17-2012 11:15 AM - edited 07-03-2021 10:51 PM
I have an issue with Apple iOS devices on my guest network that move between buildings with different controllers locking up their wireless connectivity, and the only way that they are able to connect again to the network is to either have them return to the building that they were previously in or to go in and delete their client table entry on the controllers. This only happens occasionally, not every time.
TAC thinks that the Apple device is disassociating when it leaves the area and is starting a totally new association when it gets to the new building, and since we have a high user idle timeout value, because we only want users performing web-auth once a day, it doesn't like it. They have asked us to move our user idle timeout to 5 minutes, which would be unacceptable since users would have to constantly re-authenticate to our guest network.
Has anybody else experienced this issue with Apple devices on a guest network with web-authentication and moving between areas managed by different controllers?
thanks
Scott
10-17-2012 11:49 AM
Are you using anchors ?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
10-17-2012 12:01 PM
Yes, I have one guest controller in the DMZ that terminates the guest traffic and multiple internal controllers.
Scott
10-17-2012 12:22 PM
Are there mobility domains built between both buildings' controllers? And are you able to seamlessly roam between these buildings or not?
10-17-2012 01:00 PM
All of my internal controllers are in the same mobility domain. The external controller is not, per Cisco best practices. I have made sure all the settings for the WLAN match across controllers. Roaming is fine for everyone else. It is only Apple iOS devices that occasionally have the issue.
Scott
10-18-2012 04:56 PM
Is fast SSID enabled on the foreigns, and is IG used on the anchor?
When the issue is seen, to see the client status on the foreigns and the anchor, get "show client detail" from all WLCs for the affected MAC.
10-19-2012 06:26 AM
We have FastSSID enabled across all controllers. Sorry, I don't know what you mean by IG.
The client status on the first internal controller is "RUN". The client status on the new internal controller is "DHCP_REQ". The client status on the external guest controller is "WEB_AUTH_REQ". Their IP does not change because the DHCP lease is still good.
Scott
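The three states quoted above (RUN on the building the client left, DHCP_REQ on the new foreign, WEB_AUTH_REQ on the anchor) are exactly what a per-controller comparison of "show client detail" should surface. The script below is an added example, not from the thread or from Cisco: it builds constructed excerpts in the dotted "Name....... Value" style of the WLC CLI (only the three fields shown are assumed; real output has many more lines), parses them, and reports stale foreign entries and whether the anchor will force the user back through web-auth. State names are taken from the post; the controller names and MAC are made up.

```python
"""Compare one roaming web-auth client's state across foreign and anchor WLCs.

Added example, not part of the thread. The excerpts are constructed to look
like trimmed `show client detail` output; only the dotted "Name.... Value"
layout and the three fields below are assumed. State names (RUN, DHCP_REQ,
WEB_AUTH_REQ) are the ones reported in the thread.
"""
import re

MAC = "00:11:22:33:44:55"  # constructed client MAC


def make_detail(mac, pm_state, mobility):
    """Build a constructed excerpt in the dotted WLC CLI style."""
    return (
        f"Client MAC Address{'.' * 31} {mac}\n"
        f"Policy Manager State{'.' * 29} {pm_state}\n"
        f"Mobility State{'.' * 35} {mobility}\n"
    )


# The situation reported: stale RUN entry on the building the client left,
# the new foreign stuck at DHCP_REQ, and the anchor waiting for web auth.
SAMPLE_OUTPUT = {
    "wlc-bldgA": make_detail(MAC, "RUN", "Export Foreign"),
    "wlc-bldgB": make_detail(MAC, "DHCP_REQ", "Export Foreign"),
    "wlc-dmz": make_detail(MAC, "WEB_AUTH_REQ", "Export Anchor"),
}

# "Some Field Name.............. value" -> (name, value)
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?)\.{2,}\s*(?P<value>\S.*?)\s*$")


def parse_client_detail(text):
    """Turn a dotted-field excerpt into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value")
    return fields


def diagnose(outputs, anchor, current_foreign):
    """Summarise the client's state on every controller.

    outputs:         {controller_name: show-client-detail text}
    anchor:          the DMZ/anchor controller that owns web-auth state
    current_foreign: the controller the client is associated to right now
    """
    states = {
        wlc: parse_client_detail(txt).get("Policy Manager State", "ABSENT")
        for wlc, txt in outputs.items()
    }
    # Any controller that still holds an entry but is neither the anchor nor
    # the current foreign is a leftover from a previous building.
    stale = sorted(
        w for w, s in states.items()
        if w not in (anchor, current_foreign) and s != "ABSENT"
    )
    return {
        "states": states,
        "stale_foreigns": stale,
        "current_state": states.get(current_foreign, "ABSENT"),
        "anchor_state": states.get(anchor, "ABSENT"),
        # Web-auth is enforced on the anchor: anything other than RUN there
        # means the user is about to see the login page again.
        "reauth_needed": states.get(anchor) != "RUN",
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_OUTPUT, anchor="wlc-dmz", current_foreign="wlc-bldgB")
    for wlc, state in report["states"].items():
        print(f"{wlc:12} {state}")
    print("stale foreign entries:", report["stale_foreigns"])
    print("re-auth needed:", report["reauth_needed"])
```

In practice you would paste the real output of "show client detail <mac>" from each controller into the dict in place of the constructed excerpts; the parser only needs the Policy Manager State line to be present.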
10-31-2012 05:00 AM
Scott,
I have seen this behavior with iPhone as well, though with dynamic L3 roaming within a mobility group. In our case we're using WPA2-PSK. One thing I noticed was that these clients don't show up in the PMK cache. My theory is that because of this there is no mobility announcement for these clients when they roam. It would be worth doing a mobility handoff/message debug to confirm. What code are you running?
Sent from Cisco Technical Support Android App
10-31-2012 06:28 AM
We only use L3 Web_Auth authentication for this SSID. No L2 security is used.
We are running 7.0.98.218. I know it is not good, but we have been unable to upgrade so far because of a web_auth bug that was just fixed in 7.0.235, and it takes some time for us to update code due to the many hoops that must be jumped through in our environment.
I am pretty sure it is a mobility handoff issue as well but Cisco can't identify a specific bug.
Scott
10-31-2012 05:46 AM
In my experience, I've noticed that if you're not using 802.1X authentication then the PMK information is not shown in the WLC. Which makes sense, because the PMK is not generated by the RADIUS server; the PMK for a pre-shared key is actually a combination of the pre-shared key and some random number information and MAC info during the authentication process.
Sent from Cisco Technical Support iPhone App
10-31-2012 06:14 AM
Right, so does this mean these would never L3 roam because it's essentially a local auth (isn't WPA2-PSK still an 802.1X procedure, though)? Still, it's an association in a mobility group. Is a PMK-cache entry required for a mobility handoff? Thanks,
10-31-2012 06:50 AM
That's a great question. I'll share with you what I think it is, but I am not 100% sure; perhaps the Cisco guys can enlighten both of us.
You are correct that PSK and 802.1X share a similar framework. And that framework is how the dynamic keys are generated. PSK and 802.1X do the same exact process.
I don't believe the PMK-cache is required for mobility roaming WHEN you use PSK. I think of the PMK-cache as the AAA key that is generated during the initial authentication. During this authentication the RADIUS server pushes down this key to the WLC and the client. As you roam from controller to controller this key is also moved, to negate the need of a full 802.1X auth.
PSK, different ball game. There is no AAA key to move around, because there is no RADIUS server. Simply as you move from controller to controller
I wrote a little bit about these keys here:
No, so I don't think PMK cache is needed. Although there are mobility messages where the PSK client will be moved from controller to controller, association wise.
Does that help any ?
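The key hierarchy the last two posts are discussing can be shown in code. The following is an added example, not from the thread or from Cisco, written from the IEEE 802.11i derivation: for WPA2-PSK the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 iterations, 256 bits), so it is identical on every controller and involves no RADIUS server, while for 802.1X the PMK is the first 256 bits of the EAP MSK that RADIUS delivers. Nonces and MAC addresses enter only at the next step, the PTK, which is recomputed per association. The passphrase/SSID pair "password"/"IEEE" is the standard's own test vector; the MAC addresses and nonces below are made up.

```python
"""WPA2 key hierarchy: where the PMK comes from for PSK versus 802.1X.

Added example, not part of the thread. Follows IEEE 802.11i:
  PSK:    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)
  802.1X: PMK = first 32 bytes of the EAP MSK handed over by RADIUS
  both:   PTK = PRF-384(PMK, "Pairwise key expansion",
                        min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
The addresses and nonces used in __main__ are constructed values.
"""
import hashlib
import hmac
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for a pre-shared-key network: depends only on passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def eap_pmk(msk: bytes) -> bytes:
    """PMK for an 802.1X network: the leading 256 bits of the EAP MSK."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) split into KCK, KEK and TK.

    The ordering of addresses and nonces is by value, so AP and client
    compute the same PTK regardless of which side each input came from.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    pmk = psk_pmk("password", "IEEE")  # 802.11i Annex H test vector
    print("PSK PMK :", pmk.hex())

    # Constructed addresses and nonces for one association.
    aa = bytes.fromhex("001122334455")    # AP / controller BSSID
    spa = bytes.fromhex("66778899aabb")   # client MAC
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk1 = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Same PMK, fresh nonces on the next association: new PTK, same PMK.
    ptk2 = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))
    print("TK #1   :", ptk1["TK"].hex())
    print("TK #2   :", ptk2["TK"].hex())
    print("same PMK, different TK:", ptk1["TK"] != ptk2["TK"])
```

The point for the roaming discussion is visible in the code: with PSK every controller can compute the PMK from the configured passphrase, so there is no per-client AAA key to cache or hand off; with 802.1X the PMK exists only because RADIUS delivered the MSK, which is what the PMK cache and the mobility handoff carry between controllers.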
10-31-2012 07:12 AM
Thanks George,
Absolutely. Looks like you are ready for some more certifications. The issue seen has been dead on with what Mats described. Much appreciated.
Sent from Cisco Technical Support iPhone App
10-31-2012 07:18 AM
Yeah, it sure looks that way.