EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Gr

oguarisco · ‎02-13-2014

Dear all,

WLC 7.4 Release Notes states that with both Local/Central Switching:

- Mobility in the same Flex Group with CCKM is Fast Roaming if WLAN is mapped to same VLAN

- Mobility between different Flex Group with CCKM cause a Full Auth

Using CCK with EAP-Fast during a call with Cisco IP Phone 7921G and 7925G we notice a gap when roaming from an AP belonging to FC GroupA to an AP belonging to FC Group B...so the only solution to do Fast Romaing is to use PMK(OKC) since CCKM will do a complete authentication each time moving from FC Group.

Where do we enable OKC for a specific WLAN? In the FlexConnect Group Menu?

Thanks a lot for sharing answer and suggestion

BR

O.G.

Scott Fella · ‎02-13-2014

Might want to reference this link

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_wlan.html#wp1702871

By default, Sticky PMKID Caching (SKC) is disabled and Opportunistic PMKID caching (OKC) is enabled.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

oguarisco · ‎02-13-2014

Hello Scott,

thanks for the explanation...

So if in 7.4.121 OKC is enabled by default I don't understand why I'm having a full Authentication when roaming from AP of FC Group A to AP to FC Group B instead of Fast-Roaming...and this is happening in all FC Group configured (6x).

Should I disable CCKM flag in the WLAN definition?!?!

FC Groups and Mobility

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc13

O.G

Scott Fella · ‎02-13-2014

Cisco phones require CCKM for fast roaming. The issue is the FlexConnect Group max at 25 AP's on the 5508 and there is no roaming support between FlexConnect groups. That's the limitation. Why it's like that, maybe because of the CPU and memory on an Access point. This is a limit however and don't know if there will be a workaround.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

oguarisco · ‎02-13-2014

Yes Cisco phones require CCKM for fast Roaming..checking the document "FC Groups and Mobility" it states that Roaming can be done with different FC Group but CCKM will perform a full-auth creating the gap which during a call is very annoying but it seems that OKC will do a Fast Roaming solving that.

You're right with 5508 the max number of AP in an FC Group are 25... so if you have it 100 you have to create at least 4 FC Groups and I can't believe that the only solution is to do a full-auth when roaming from a group to another creating the problem during a user call.

No chance to use OKC? or should I not configure FC Group and leave the AP without this setting?!?!

Scott Fella · ‎02-13-2014

It's something you need to try. Remove the FlexConnect Group and see if it helps. The thing is, Cisco never really wanted have that many AP's in FlexConnect at a site, but through the years, it started happening. Back when it was called h-reap, there were no h-reap groups and you relied in the phones roaming well. You just have to test and see what works well for you. There are others who rely on just PSK or using 802.1x with cckm. Have you also looked at this guide?

https://supportforums.cisco.com/docs/DOC-26863

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Group