schaefermeier
Beginner

Apple ios devices roaming issue between controllers

I have an issue with Apple iOS devices on my guest network: when they move between buildings served by different controllers, their wireless connectivity locks up, and the only way they are able to connect to the network again is either to return to the building they were previously in or for me to go in and delete their client table entry on the controllers. This only happens occasionally, not every time.

TAC thinks that the Apple device is disassociating when it leaves the area and starting a totally new association when it gets to the new building, and that our high user idle timeout (we only want users performing web-auth once a day) is what it doesn't like. They have asked us to move our user idle timeout to 5 minutes, which would be unacceptable since users would have to constantly re-authenticate to our guest network.

Has anybody else experienced this issue with Apple devices on a guest network with web authentication, moving between areas managed by different controllers?

thanks

Scott

13 REPLIES

Are you using anchors?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________________________________________________

Yes, I have one guest controller in the DMZ that terminates the guest traffic and multiple internal controllers.

Scott

Are there mobility domains built between both buildings' controllers? And are you able to seamlessly roam between these buildings or not?


All of my internal controllers are in the same mobility domain. The external controller is not, per Cisco best practices. I have made sure all the settings for the WLAN match across controllers. Roaming is fine for everyone else. It is only Apple iOS devices that occasionally have the issue.

Scott

Is Fast SSID enabled on the foreigns, and is IG used on the anchor?

When the issue is seen, to check the client status on the foreigns and the anchor, get "show client detail" from all WLCs for the affected MAC.

We have Fast SSID enabled across all controllers. Sorry, I don't know what you mean by IG.

The client status on the first internal controller is "RUN". The client status on the new internal controller is "DHCP_REQ". The client status on the external guest controller is "WEB_AUTH_REQ". Their IP does not change because the DHCP lease is still good.

Scott

bjohnson5
Enthusiast

Scott,

I have seen this behavior with iPhones as well, though with dynamic L3 roaming within a mobility group. In our case we're using WPA2-PSK. One thing I noticed was that these clients don't show up in the PMK cache. My theory is that because of this there is no mobility announcement for these clients when they roam. It would be worth doing a mobility handoff/message debug to confirm. What code are you running?

Sent from Cisco Technical Support Android App

We only use L3 Web-Auth authentication for this SSID. No L2 security is used.

We are running 7.0.98.218. I know it is not good, but we have been unable to upgrade so far because of a web-auth bug that was just fixed in 7.0.235, and it takes some time for us to update code due to the many hoops that must be jumped through in our environment.

I am pretty sure it is a mobility handoff issue as well but Cisco can't identify a specific bug.

Scott

In my experience, I've noticed that if you're not using 802.1X authentication then the PMK information is not shown in the WLC. Which makes sense, because the PMK is not generated by a RADIUS server; the PMK for a pre-shared key is actually a combination of the pre-shared key and some random number information and MAC info during the authentication process.

Sent from Cisco Technical Support iPhone App


Right, so does this mean these would never L3 roam because it's essentially a local auth (isn't WPA2-PSK still an 802.1X procedure, though)? Still, it's an association in a mobility group. Is a pmk-cache entry required for a mobility handoff? Thanks,

That's a great question. I'll share with you what I think it is, but I am not 100% sure; perhaps the Cisco guys can enlighten both of us.

You are correct that PSK and 802.1X share a similar framework. And that framework is how the dynamic keys are generated. PSK and 802.1X do the same exact process.

I don't believe the PMK cache is required for mobility roaming WHEN you use PSK. I think of the PMK cache as the AAA key that is generated during the initial authentication. During this authentication the RADIUS server pushes down this key to the WLC and the client. As you roam from controller to controller this key is also moved, to negate the need for a full 802.1X auth.

PSK is a different ball game. There is no AAA key to move around, because there is no RADIUS server. Simply, as you move from controller to controller you only do the dynamic key section of 802.1X. This is the 4-way handshake. The PMK is actually the PSK key, some random numbers, and the MAC address of the AP and client.

I wrote a little bit about these keys here:

http://www.my80211.com/8021x/2010/9/10/george-stefanick-cwsp-journey-chapter-5-keys-post4-9102010.html

No, so I don't think the PMK cache is needed. Although there are mobility messages where the PSK client will be moved from controller to controller, association-wise.

Does that help any?

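As an added illustration of the key hierarchy discussed in the posts above (example code, not from any poster or from Cisco): in WPA2-PSK the PMK is derived only from the passphrase and SSID, so it is identical on every controller serving the same WLAN and nothing needs to be cached or moved, while the PTK is derived during the 4-way handshake from the PMK plus both nonces and both MAC addresses, which is why it is renegotiated on every association. MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (PRF-384): KCK || KEK || TK, each 128 bits.

    The PRF input orders the two MACs and the two nonces numerically, so the
    authenticator (AP/controller) and supplicant (client) compute the same keys.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def roam_between_controllers(passphrase: str, ssid: str) -> dict:
    """Constructed roam: same WLAN on two controllers, two APs, two fresh handshakes."""
    client = bytes.fromhex("020000000001")           # constructed client MAC
    ap_building_a = bytes.fromhex("020000000a01")    # constructed AP MAC, controller A
    ap_building_b = bytes.fromhex("020000000b01")    # constructed AP MAC, controller B
    # Nonces are fresh per handshake; fixed here only so the run is reproducible.
    anonce_a, snonce_a = hashlib.sha256(b"anonce-a").digest(), hashlib.sha256(b"snonce-a").digest()
    anonce_b, snonce_b = hashlib.sha256(b"anonce-b").digest(), hashlib.sha256(b"snonce-b").digest()
    pmk_a = derive_pmk(passphrase, ssid)   # controller A needs only passphrase + SSID
    pmk_b = derive_pmk(passphrase, ssid)   # controller B derives exactly the same PMK
    return {
        "pmk_identical": pmk_a == pmk_b,
        "ptk_a": derive_ptk(pmk_a, ap_building_a, client, anonce_a, snonce_a),
        "ptk_b": derive_ptk(pmk_b, ap_building_b, client, anonce_b, snonce_b),
    }
```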
bjohnson5
Enthusiast

Thanks George,

Absolutely. Looks like you are ready for some more certifications. The issue seen has been dead on with what Mats described. Much appreciated.

Sent from Cisco Technical Support iPhone App

Yeah, it sure looks that way.
