01-30-2013 10:29 AM - edited 07-03-2021 11:27 PM
We are having an issue that is apparently only affecting Apple Ipads. These are user devices that we are allowing connections to "Guest" SSID through an anchor to our DMZ. They are authenticating over 802.1x to our internal Radius server. Below is the debug of one of the Ipads disconnecting while roaming. After about 10 seconds the connection will resume. This is occuring on a 5508 WLC running 7.0.98.218 code and 1142 APs. Ipad is running 6.0.2 firmware. Any help is greatly appreciated!
Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP server id: 1.1.1.1 rcvd server id: 1.1.1.1
*DHCP Socket Task: Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP successfully bridged packet to STA
*mmListen: Jan 30 08:59:06.417: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility
*spamReceiveTask: Jan 30 08:59:06.417: CCKM: Send CCKM cache entry
*Dot1x_NW_MsgTask_5: Jan 30 08:59:49.661: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*spamReceiveTask: Jan 30 08:59:49.662: CCKM: Send CCKM cache entry
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 192.168.149.93 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Clearing Address 192.168.149.93 on mobile
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsRunStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 192.168.149.93 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMmProcessDeleteMobile (apf_mm.c:532) Expiring Mobile!
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile b4:f0:ab:d6:c7:a3 on AP b4:14:89:15:b9:90 from Associated to Disassociated
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsAssoStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile b4:f0:ab:d6:c7:a3 on AP b4:14:89:15:b9:90 from Disassociated to Idle
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [b4:14:89:15:b9:90]
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Username entry deleted for mobile
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMs1xStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Deleting mobile on AP b4:14:89:15:b9:90(0)
*pemReceiveTask: Jan 30 09:00:10.388: b4:f0:ab:d6:c7:a3 0.0.0.0 Removed NPU entry.
*mmListen: Jan 30 09:00:16.057: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility
01-30-2013 10:45 AM
I wish I can share the email I was given. But, the largest healthcare system in the US
"This is purely a device decision problem, not a infrastructure problem, as depicted below. We found that the devices, while roaming, respond incorrectly to the request for identity... creating roaming delays of 30 seconds and more. "
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
01-30-2013 10:49 AM
@George OOH OHH Can I guess?!?!
you can always play with your EAP timers to lessen the impact. Current place I'm working is using these timers
config advanced eap identity-request-timeout 2
config advanced eap identity-request-retries 3
config advanced eap request-timeout 2
config advanced eap request-retries 2
which are lower than my recommendations in the EAP Timers article on support forums, but they fix the issue they/we were seeing
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
01-30-2013 11:56 AM
Thanks for the replies. I will try the new iOS 6.1.0 and see if this resolves anything.
03-06-2013 02:35 PM
Just wanted to update this post in case someone else has this issue. There is a bug with iPads roaming with 802.1x authentication. We upgraded code on our controllers ro 7.0.240 and this resolved the issue.
03-06-2013 05:03 PM
Here is something to look at also regarding 802.11r
http://support.apple.com/kb/HT5535
Sent from Cisco Technical Support iPhone App
03-07-2013 12:02 PM
As @Scott Fella said 802.11r/k will solve that issue. The problem is that only iPhone 4S, iPad 3 with iOS 6.0+ and above support 802.11r/k, the other problem is that 802.11r/k(FT) only work on Apple devices when it's mandatory on that SSID, so you will have to create an SSID only for those Apple devices in which FT is mandatory because other devices that are not FT capable will not be able to join that SSID.
If you want to give 802.11r/k(FT) a try you'll have to upgrade your WLC to version 7.3 or above, I'm currently using 7.4.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: