mobility, roaming and web authentication

apasquino
Level 1

Hello NetPros,

I have two 5508s, no anchor, only one SSID with internal web authentication using a RADIUS server.

Under "Configuring Mobility Groups", the Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".

I understand that if a client that has already authenticated via web roams between two LAPs that are associated with different WLCs, it has to reauthenticate.

What is your opinion?

Thanks a Lot

Andrea

6 Replies

George Stefanick
VIP Alumni

This is why I like CSC. For questions like this that make you think and the collaboration that transpires from the community.

The first WLC you connect to via your AP is not anchored, so that client record lives on that WLC. And the web auth isn't moved from WLC to WLC like that ...

In this case, without an anchor, I would say yes, that is correct. You will need to reauth when you jump to the second AP on the other WLC.

I may be wrong, let's see if one of the Cisco guys responds back...

If you had an anchor, the answer would be no. And this I do know as I tested it. Here is further reading:

You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a wireless LAN and are anchored to the first controller that they contact. If a client roams to a different subnet, the controller to which the client roamed sets up a foreign session for the client with the anchor controller. However, when you use the auto-anchor mobility feature, you can specify a controller or set of controllers as the anchor points for clients on a wireless LAN.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella
Hall of Fame

I normally use webauth for guest access and don't really care if they have to re-auth, since this is sort of free access and not supported. For internal users, I really never use webauth and would use 802.1X, especially since you already have RADIUS. It would be nice to have that feature, but until then, roaming for guests is no big deal to me, but roaming for internal users is very important.

-Scott
*** Please rate helpful posts ***

Hello all,

The note that you are referring to:

"If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client"

This is part of the Layer 3 (inter-subnet) roaming section. Basically, it is mentioning that if the client is currently in the WEB_AUTH_REQUIRED state (meaning they have NOT passed authentication), they will not form a Layer 3 tunnel relationship, and will simply be treated as a new client on the new WLC.

If you have mobility groups configured properly, a client in the RUN state (passed web-authentication) will not need to reauthenticate when roaming between WLCs.

-Pat

Make sense ...

+5 Pat

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Pat,

I go with your response; indeed, the sentence was taken from a Layer 3 mobility paragraph. So if the client roams within a mobility group and keeps its IP address, it does not lose the RUN state.

Let me just focus a little deeper on the client RUN state (web authentication passed): if the client changes its IP address, does it have to reauthenticate? (I suppose the answer is yes.)

Moreover, Cisco says: DHCP Required is an option that can be enabled for a WLAN. It necessitates that all clients that associate to that particular WLAN obtain IP addresses through DHCP. Clients with static IP addresses are not allowed to associate to the WLAN. This option is found under the Advanced tab of a WLAN. WLC allows the traffic to/from a client only if its IP address is present in the MSCB table of the WLC. WLC records the IP address of a client during its DHCP Request or DHCP Renew. This requires that a client renews its IP address every time it re-associates to the WLC because every time the client disassociates as a part of its roam process or session timeout, its entry is erased from the MSCB table. The client must again re-authenticate and reassociate to the WLC, which again makes the client entry in the table.

In my understanding, if the SSID configuration has the flag "DHCP Required" (and this is my case at the moment), every time the client roams, the client RUN state is erased, and the client needs to reauthenticate even if it renews the same IP address. Do you agree?

Andrea

Hello Andrea,

If a client does in fact change IP address, they will need to perform re-authentication via Web-Auth. However, we have options to protect against this -- namely Layer 3 roaming. If the client roams to a controller that would typically place the client in a different vlan, we implement an anchor tunnel and tunnel the traffic back to the original controller so the client can retain the original IP address and have seamless connectivity.

Regarding DHCP Required -- this is enforced upon initial connection. A proper roam will NOT require a new DHCP handshake and the client will NOT need to reauthenticate. Once the client is in the RUN state, with proper mobility configuration, it should remain in the RUN state -- until a session or idle timeout removes the client device.

-Pat
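A practical way to verify what Pat describes is to capture `show client detail <mac>` on the controller before and after the roam and compare the client's Policy Manager State, IP address and Mobility State. The script below is an added example, not code from the thread or from Cisco: it parses two such snapshots and reports whether the roam was seamless (RUN kept, same IP, possibly Foreign because an L3 anchor tunnel was built), whether the client will have to redo web-auth (IP changed or RUN lost), or whether the client was still in the web-auth-required state and was therefore simply re-learned as a new client. The two captures are constructed to resemble AireOS output; the field labels and the WEBAUTH_REQD state string are assumptions about that command's format, not copied from the page.

```python
"""Compare two `show client detail` snapshots taken before and after a roam.

Added example, not from the original thread. The captures below are
CONSTRUCTED to mimic AireOS `show client detail <mac>` output; the field
labels ("Policy Manager State", "Mobility State", "IP Address") are assumed
from that command and should be checked against your own controller.
"""
import re
from typing import Dict

# Constructed sample captures, trimmed to the fields this check uses.
BEFORE_RUN = """\
Client MAC Address............................... 00:11:22:33:44:55
AP MAC Address................................... 00:aa:bb:cc:dd:01
Wireless LAN Id.................................. 1
IP Address....................................... 10.10.20.57
Policy Manager State............................. RUN
Mobility State................................... Local
"""

# Good inter-controller roam: new AP, same IP, still RUN, now Foreign because
# the traffic is tunnelled back to the anchor (L3 roam).
AFTER_L3_ROAM = """\
Client MAC Address............................... 00:11:22:33:44:55
AP MAC Address................................... 00:aa:bb:cc:dd:02
Wireless LAN Id.................................. 1
IP Address....................................... 10.10.20.57
Policy Manager State............................. RUN
Mobility State................................... Foreign
"""

# Roam where the client ended up with a different address: web-auth again.
AFTER_NEW_IP = """\
Client MAC Address............................... 00:11:22:33:44:55
AP MAC Address................................... 00:aa:bb:cc:dd:02
Wireless LAN Id.................................. 1
IP Address....................................... 10.10.30.12
Policy Manager State............................. RUN
Mobility State................................... Local
"""

# Client that had NOT finished web-auth when it roamed (state string assumed).
BEFORE_WEBAUTH = BEFORE_RUN.replace("RUN", "WEBAUTH_REQD")
AFTER_WEBAUTH = AFTER_NEW_IP.replace("RUN", "WEBAUTH_REQD")

# "Label.......... Value" lines: lazy label, a run of dots, then the value.
_FIELD = re.compile(r"^(?P<label>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Turn the dotted label/value lines of the show output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group("label").strip()] = m.group("value").strip()
    return fields


def assess_roam(before_text: str, after_text: str) -> Dict[str, str]:
    """Classify a roam as seamless, reauth_required or new_client."""
    before = parse_client_detail(before_text)
    after = parse_client_detail(after_text)
    b_state = before.get("Policy Manager State", "")
    a_state = after.get("Policy Manager State", "")
    b_ip = before.get("IP Address", "")
    a_ip = after.get("IP Address", "")

    if b_state != "RUN":
        # Per the Cisco note quoted in the thread: a client still in the
        # web-auth state is not a mobile client; the new WLC learns it fresh.
        return {"verdict": "new_client",
                "reason": f"roamed in {b_state}; treated as a new client "
                          f"on the new WLC (state now {a_state})"}
    if a_ip != b_ip:
        # IP changed, so the web-auth session does not carry over.
        return {"verdict": "reauth_required",
                "reason": f"IP changed {b_ip} -> {a_ip}; web-auth again"}
    if a_state != "RUN":
        return {"verdict": "reauth_required",
                "reason": f"policy state dropped from RUN to {a_state}"}
    mobility = after.get("Mobility State", "")
    note = " (L3 roam, tunnelled to anchor)" if mobility == "Foreign" else ""
    return {"verdict": "seamless",
            "reason": f"RUN kept with IP {a_ip}; mobility {mobility}{note}"}


if __name__ == "__main__":
    for label, b, a in [("L3 roam", BEFORE_RUN, AFTER_L3_ROAM),
                        ("new IP", BEFORE_RUN, AFTER_NEW_IP),
                        ("pre-auth", BEFORE_WEBAUTH, AFTER_WEBAUTH)]:
        r = assess_roam(b, a)
        print(f"{label:9s} {r['verdict']:16s} {r['reason']}")
```

Paste your own two captures into the BEFORE/AFTER strings to run the same check against a real roam; the verdicts follow the thread's conclusions, a client that reaches RUN and keeps its address stays authenticated, one that changes address or roamed before finishing web-auth does not.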
