Re: Ipads Disconnecting While Roaming (WPA2, 802.1x, Radius)

mustsummit · ‎01-30-2013

We are having an issue that is apparently only affecting Apple Ipads. These are user devices that we are allowing connections to "Guest" SSID through an anchor to our DMZ. They are authenticating over 802.1x to our internal Radius server. Below is the debug of one of the Ipads disconnecting while roaming. After about 10 seconds the connection will resume. This is occuring on a 5508 WLC running 7.0.98.218 code and 1142 APs. Ipad is running 6.0.2 firmware. Any help is greatly appreciated!

Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP server id: 1.1.1.1 rcvd server id: 1.1.1.1
*DHCP Socket Task: Jan 30 08:59:05.036: b4:f0:ab:d6:c7:a3 DHCP successfully bridged packet to STA
*mmListen: Jan 30 08:59:06.417: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility
*spamReceiveTask: Jan 30 08:59:06.417: CCKM: Send CCKM cache entry
*Dot1x_NW_MsgTask_5: Jan 30 08:59:49.661: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*spamReceiveTask: Jan 30 08:59:49.662: CCKM: Send CCKM cache entry
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 192.168.149.93 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Clearing Address 192.168.149.93 on mobile
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsRunStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 192.168.149.93 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)

*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMmProcessDeleteMobile (apf_mm.c:532) Expiring Mobile!
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile b4:f0:ab:d6:c7:a3 on AP b4:14:89:15:b9:90 from Associated to Disassociated

*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsAssoStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile b4:f0:ab:d6:c7:a3 on AP b4:14:89:15:b9:90 from Disassociated to Idle

*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [b4:14:89:15:b9:90]
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Username entry deleted for mobile
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 apfMs1xStateDec
*apfReceiveTask: Jan 30 09:00:10.386: b4:f0:ab:d6:c7:a3 Deleting mobile on AP b4:14:89:15:b9:90(0)
*pemReceiveTask: Jan 30 09:00:10.388: b4:f0:ab:d6:c7:a3 0.0.0.0 Removed NPU entry.
*mmListen: Jan 30 09:00:16.057: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility

George Stefanick · ‎01-30-2013

I wish I can share the email I was given. But, the largest healthcare system in the US discovered a roaming issue with iOS devices on 6.0.1 and 6.0.2.

"This is purely a device decision problem, not a infrastructure problem, as depicted below. We found that the devices, while roaming, respond incorrectly to the request for identity... creating roaming delays of 30 seconds and more. "

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Stephen Rodriguez · ‎01-30-2013

@George OOH OHH Can I guess?!?!

you can always play with your EAP timers to lessen the impact. Current place I'm working is using these timers

config advanced eap identity-request-timeout 2

config advanced eap identity-request-retries 3

config advanced eap request-timeout 2

config advanced eap request-retries 2

which are lower than my recommendations in the EAP Timers article on support forums, but they fix the issue they/we were seeing

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

mustsummit · ‎01-30-2013

Thanks for the replies. I will try the new iOS 6.1.0 and see if this resolves anything.

mustsummit · ‎03-06-2013

Just wanted to update this post in case someone else has this issue. There is a bug with iPads roaming with 802.1x authentication. We upgraded code on our controllers ro 7.0.240 and this resolved the issue.

Scott Fella · ‎03-06-2013

Here is something to look at also regarding 802.11r

http://support.apple.com/kb/HT5535

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

juanestebanmrpo · ‎03-07-2013

As @Scott Fella said 802.11r/k will solve that issue. The problem is that only iPhone 4S, iPad 3 with iOS 6.0+ and above support 802.11r/k, the other problem is that 802.11r/k(FT) only work on Apple devices when it's mandatory on that SSID, so you will have to create an SSID only for those Apple devices in which FT is mandatory because other devices that are not FT capable will not be able to join that SSID.

If you want to give 802.11r/k(FT) a try you'll have to upgrade your WLC to version 7.3 or above, I'm currently using 7.4.