Client going through whole 802.1x authentication process while roaming?

vinod rathore

Hello Friends,

I have been noticing that client roaming is not seamless and clients are getting fluctuation while roaming.

We've implemented AIR-CT2504-K9 WLC and AIR-CAP1602I-N-K9 AP in our network.

Authentication parameters are - WPA2 + AES + 802.1x with Domain authentication. 

 

While looking into the client debug logs (attached), it seems that the client is going through the whole 802.1x process when it roams from one AP to another.

I have gone through a few relevant articles and found that full 802.1x authentication takes place when the client associates to the wireless network; thereafter only the PMKID gets exchanged while roaming from one AP to another.

I suspect that due to this clients are getting fluctuation while roaming, hence lag is visible in real-time applications.

===============

Client associates to wireless network

*apfMsConnTask_1: Jul 09 15:32:11.670: 44:91:db:05:c3:c1 Association received from mobile on BSSID 1c:de:a7:4e:fa:60

<<output omitted>>

<<full 802.1x authentication process attached in log file>>

*Dot1x_NW_MsgTask_1: Jul 09 15:32:11.715: 44:91:db:05:c3:c1 Processing Access-Accept for mobile 44:91:db:05:c3:c1

Client roam to another AP

*apfMsConnTask_4: Jul 09 15:35:37.010: 44:91:db:05:c3:c1 Association received from mobile on BSSID 1c:1d:86:b7:f4:40

<<output omitted>>

<<full 802.1x authentication process attached in log file>>

*Dot1x_NW_MsgTask_1: Jul 09 15:35:37.178: 44:91:db:05:c3:c1 Processing Access-Accept for mobile 44:91:db:05:c3:c1

Client roam to another AP and so on .....

===============

Please share your views/suggestions. Is there something missing or a wrong configuration which is causing full authentication each time?

4 Replies

Have you enabled any fast roaming mechanisms (CCKM, 802.11r, OKC, etc.)?

If not, the client has to go through full authentication while roaming.

HTH

Rasika

*** Pls rate all useful responses ***

Thanks Rasika, 

I can see a few options under "Authentication Key Management":

802.1x

CCKM

PSK

FT 802.1x

FT PSK

Should I enable both 802.1x and FT 802.1x, or only FT 802.1x, to achieve fast roaming?

While enabling FT 802.1x it's showing "warnning!! non-802.11r client may not join on this WLAN"

My question is: can we enable both and achieve fast roaming for supported clients, while non-802.11r clients associate through 802.1x and get authenticated each time while roaming? Is that not the way?

Please suggest !!

If all your end devices support 802.11r then you can do that (802.1X + FT 802.1X). Refer to the thread below for 802.11r supported devices:

https://supportforums.cisco.com/discussion/12314591/8021r-and-fast-roaming

If not, enabling 11r could impact non-802.11r capable client connections (they may not be able to join that SSID).

If all your clients are CCX compatible, then you can try the 802.1X + CCKM option.

HTH

Rasika


Refer to this document, as it describes each fast roaming mechanism with relevant packet captures/debug output:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

HTH

Rasika
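
An added example, not part of the thread and not Cisco tooling: this Python script reads client debug output in the line format quoted in the first post and reports, for each association, whether a RADIUS Access-Accept followed (a full 802.1X authentication) and how long after the association it arrived. The function names, the assumed year, and the fifth sample line are constructed for illustration.

```python
import re
from datetime import datetime

# Lines 1-4 are the debug lines quoted in the post; line 5 is constructed to
# show an association that is not followed by a RADIUS Access-Accept.
SAMPLE = """\
*apfMsConnTask_1: Jul 09 15:32:11.670: 44:91:db:05:c3:c1 Association received from mobile on BSSID 1c:de:a7:4e:fa:60
*Dot1x_NW_MsgTask_1: Jul 09 15:32:11.715: 44:91:db:05:c3:c1 Processing Access-Accept for mobile 44:91:db:05:c3:c1
*apfMsConnTask_4: Jul 09 15:35:37.010: 44:91:db:05:c3:c1 Association received from mobile on BSSID 1c:1d:86:b7:f4:40
*Dot1x_NW_MsgTask_1: Jul 09 15:35:37.178: 44:91:db:05:c3:c1 Processing Access-Accept for mobile 44:91:db:05:c3:c1
*apfMsConnTask_1: Jul 09 15:38:02.400: 44:91:db:05:c3:c1 Association received from mobile on BSSID 1c:de:a7:4e:fa:60
"""

LINE = re.compile(
    r"^\*\S+: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
ASSOC = re.compile(r"Association received from mobile on BSSID (\S+)")

def parse_ts(ts):
    # The debug output carries no year; a fixed one is assumed so deltas work.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def roam_report(text):
    """Return one dict per association: client, BSSID, whether an Access-Accept
    followed before the next association, and the delay to it in milliseconds."""
    events, open_assoc = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "<<output omitted>>" markers and other unrelated lines
        mac, when, msg = m["mac"].lower(), parse_ts(m["ts"]), m["msg"]
        a = ASSOC.search(msg)
        if a:
            ev = {"client": mac, "bssid": a.group(1).lower(), "at": when,
                  "full_dot1x": False, "auth_ms": None}
            events.append(ev)
            open_assoc[mac] = ev  # later Access-Accepts belong to this association
        elif "Processing Access-Accept" in msg and mac in open_assoc:
            ev = open_assoc[mac]
            if not ev["full_dot1x"]:
                ev["full_dot1x"] = True
                ev["auth_ms"] = round((when - ev["at"]).total_seconds() * 1000)
    return events

if __name__ == "__main__":
    for ev in roam_report(SAMPLE):
        kind = "full 802.1X (RADIUS)" if ev["full_dot1x"] else "no RADIUS exchange seen"
        print(ev["at"].time(), ev["client"], "->", ev["bssid"], kind, ev["auth_ms"])
```

Run against a complete debug capture taken before and after changing the WLAN's key management, the share of associations flagged as full 802.1X shows whether roams are still reaching the RADIUS server.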
