07-22-2025 02:50 PM
Hello Everyone,
I'm facing client disconnection; the client tries to connect to the AP while the user is steady and not moving. I captured RA traces and found out that it is happening due to the PMKID sent during authentication.
The client sends an authentication request to the AP and the AP sends back an authentication response with status "invalid PMKID".
Two concerns here:
1. What does "invalid PMKID" mean? Invalid password? Can someone clarify what a PMKID is and why it's needed?
2. How do I validate what makes the PMKID invalid? Does it have an expiry time to be valid?
07-22-2025 11:20 PM
@Maccarony What software version are you using on the 9800 controller?
Check out these bug reports:
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Catalyst%209800%20Series%20Wireless%20Controllers&kw=pmkid&bt=custV&sb=anfr
M.
07-23-2025 02:37 AM - edited 07-23-2025 02:38 AM
@Maccarony you can get some understanding of how the PMK, GTK and the authentication process work from the following link:
https://mrncciew.com/2014/09/11/cwsp-pmk-caching-preauthentication/
07-23-2025 09:54 AM
Thanks for sharing. I understand it's a unique key shared between the AP and the station; my concern is whether it is related to the password in practice, when we try to log in to the wireless network and a window with user/password shows up.
So does an invalid password show up as an invalid PMKID?
07-23-2025 10:02 AM
Only make sure the wifi client adds the correct password.
If you use symbols in the password, try changing it.
MHM
07-23-2025 10:41 AM
So invalid PMKID means incorrect password?
07-23-2025 11:02 AM
If you are not roaming, then it can be an issue of a wrong password.
MHM
07-23-2025 09:18 PM
Answers:
1. What does "invalid PMKID" mean? Invalid password? Can someone clarify what a PMKID is and why it's needed?
Ans - The PMKID is a unique identifier which gets generated as part of the auth mechanism between a client and an AP. This ID identifies the PMK used for encrypting communication between the client and the AP. During the 4-way handshake the first key that gets generated is the MSK. The PMK gets derived from the MSK. The PMKID is derived from this key and exchanged as part of the handshake process. During the fast roaming process, this PMKID allows clients to quickly and securely reconnect to different APs without re-authenticating from scratch.
2. How do I validate what makes the PMKID invalid? Does it have an expiry time to be valid?
Ans - We do have an option to validate, but it is not easy to figure out as it needs OTA, WLC internal RA trace and EPC. Every single new auth will generate a new PMKID.
Coming back to your scenario: when the user is already connected to the SSID and in RUN state, that means the PMKID is already generated. This comes into the picture if the device tries to roam. Although it might physically not be moving, if the driver is sensitive and getting signals from multiple APs with almost the same signal strength, it can try to roam. Now when the WLC says "invalid pmkid", there are 2 possibilities: either the device is sending a wrong PMKID which the WLC/AP is not aware of, or the device is sending a correct PMKID but the WLC/AP is reporting it in the wrong way. So in your scenario the first thing that needs to be validated is whether the device is roaming across different APs while physically located in one place. If that's happening and you don't want that, data rates/power levels can be tweaked to see if you can stop it. If that gets stopped, roaming won't happen and subsequently there is no further issue with PMKID mismatch.
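As an added illustration (not from any reply in this thread), the Python below derives a PMKID the way IEEE 802.11 defines it and replays the cases discussed above against a small per-AP PMKSA cache: same AP inside the cache lifetime, a roam to an AP that holds no PMKSA for the client, an aged-out entry, and a PMKID derived from a different PMK. The MAC addresses, the PMK and the 300 s lifetime are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): one client, two APs, a 300 s PMK cache.
STA_MAC = bytes.fromhex("021122334455")
AP1_MAC = bytes.fromhex("0a0b0c0d0e01")
AP2_MAC = bytes.fromhex("0a0b0c0d0e02")
PMK = hashlib.sha256(b"constructed sample PMK").digest()          # 256-bit PMK
WRONG_PMK = hashlib.sha256(b"PMK from a different passphrase").digest()
CACHE_LIFETIME_S = 300                                            # e.g. a 5 min PMK cache

def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """IEEE 802.11-2016 12.7.1.3: PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

class PmksaCache:
    """An AP's PMKSA cache: PMKID -> (PMK, creation time). Entries age out after lifetime_s."""
    def __init__(self, lifetime_s: int):
        self.lifetime_s = lifetime_s
        self.entries: dict[bytes, tuple[bytes, float]] = {}

    def store(self, pmk: bytes, ap_mac: bytes, sta_mac: bytes, now: float) -> bytes:
        pmkid = derive_pmkid(pmk, ap_mac, sta_mac)
        self.entries[pmkid] = (pmk, now)
        return pmkid

    def check(self, pmkid: bytes, now: float) -> str:
        """What the AP decides when a (re)association request carries this PMKID."""
        entry = self.entries.get(pmkid)
        if entry is None:
            return "invalid pmkid: unknown to this AP"
        if now - entry[1] > self.lifetime_s:
            del self.entries[pmkid]
            return "invalid pmkid: PMKSA expired"
        return "ok: skip full authentication"

def scenario() -> dict:
    """Replays the cases discussed in the thread against the constructed values."""
    ap1, ap2 = PmksaCache(CACHE_LIFETIME_S), PmksaCache(CACHE_LIFETIME_S)
    pmkid_ap1 = ap1.store(PMK, AP1_MAC, STA_MAC, now=0)   # full auth at AP1, PMKSA cached
    return {
        "same_ap_fresh": ap1.check(pmkid_ap1, now=10),     # steady client, same AP, inside lifetime
        "pmkid_differs_per_ap": derive_pmkid(PMK, AP2_MAC, STA_MAC) != pmkid_ap1,  # bound to AP MAC
        "roam_to_ap2": ap2.check(pmkid_ap1, now=10),       # driver roams to an AP with no PMKSA for it
        "same_ap_expired": ap1.check(pmkid_ap1, now=400),  # same AP, but the cache lifetime has passed
        "wrong_pmk": ap1.check(derive_pmkid(WRONG_PMK, AP1_MAC, STA_MAC), now=10),  # other PMK
    }
```

From the AP's side, a stale or foreign PMKID and one derived from a different PMK all look the same ("unknown"), which is why the status alone does not prove a wrong password.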
07-23-2025 09:22 PM
Are you using fast transition? If yes, disable it and test again.
07-24-2025 04:20 PM
Is this an Intune managed device? What authentication method is being used: EAP-TLS, or EAP-PEAP with MSCHAPv2?
Are these Windows 11 devices with Credential Guard enabled?
What is the PMK cache set to, if these are Intune managed devices?
I had a situation where the PMK cache was set to 5 min and this caused similar issues. Also, EAP-PEAP is not supported if Credential Guard is enabled, per Microsoft.