PEAP Vs. EAP-Fast

sburton
Level 1

PEAP seems like a solid, well supported solution. EAP-FAST seems like it's got lots of nice features but isn't well supported on non-Cisco client devices.

Can someone break down the advantages of EAP-FAST over PEAP? What am I losing with PEAP that makes EAP-FAST worth doing?

10 Replies

dixho
Level 6

How about the following:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

EAP-FAST is supported by CCXv3 compliant wireless clients. Please go to the following URL for CCX compliant clients:

http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

Thanks Dixon.

From the text it looks to me like the most significant benefit of FAST over PEAP is fast secure roaming, and perhaps the fact that it doesn't require a certificate server. Unfortunately, my client is standardized on Toshiba laptops, so CCXv3 is too high a price to pay.

What roaming solution is available for clients using PEAP? I don't need layer 3 roaming, but roaming between APs in the same subnet is a requirement. Is there a way to do this without using LEAP or FAST?

jeremys
Level 1

I never thought we'd get to EAP-FAST - meaning, I specifically thought that LEAP would suffice for low-level security conscious customers, PEAP would sit happily in the good-enough-for-the-vast-majority middle, and EAP-TLS would be the protocol of choice for the ultimate security conscious customers. Well, I was wrong.

First off, LEAP vulnerabilities became very well published and promoted, and drove a lot of customers off of LEAP, even for rather low-security connections (e.g. scanners tracking bar codes with no $$$ or sensitive data). Secondly, even though PEAP only requires certificate(s) on the RADIUS server(s), some customers expressed a desire to not use certs or require certificate at all. So, EAP-FAST came about really at the intersection of those two drivers:

- the need for something "lightweight" in implementation without certs or heavyweight RSA PKI operations (for embedded devices primarily)

and

- the need for something secure and not easily attackable.

The key advantages of EAP-FAST are mostly off-the-desktop in processor or memory constrained environments. Specifically, you don't need any certificate or RSA code, and as such, you don't need to support as much memory or processor footprint as required for PEAP. With that said, we do see some very large enterprise customers also deploying EAP-FAST, primarily because regardless of the number of certs, they don't want to use certificates or anything PKI in their IT rollouts.

From a security standpoint, you are not really "losing" anything with PEAP, and if you are authenticating desktop users with username/passwords and/or OTP, PEAP is probably the easiest way to go from a deployment, client-side support and requirements standpoint.
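As an added illustration (not from this thread or from Cisco), here is what the "certificate on the RADIUS server" versus "no certs at all" difference described above looks like on the client side, using a wpa_supplicant configuration; the SSID, identity, password and file paths are assumed placeholders.

```ini
# PEAP: the RADIUS server presents a certificate, so the client must
# pin the CA that issued it. Omitting ca_cert makes the supplicant accept
# any server, which is the weak setting to avoid.
network={
    ssid="corp-wlan"                 # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                  # assumed user
    password="placeholder-password"  # assumed credential
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # assumed path to the RADIUS CA
    phase2="auth=MSCHAPV2"           # inner method, as in a typical PEAPv0 deployment
}

# EAP-FAST: no certificate or RSA code on the client. Trust comes from a
# PAC (Protected Access Credential) stored in pac_file, provisioned in
# "phase 0". fast_provisioning=2 requests server-authenticated provisioning;
# =1 would allow the anonymous (unauthenticated tunnel) variant.
network={
    ssid="corp-wlan"                 # assumed SSID
    key_mgmt=WPA-EAP
    eap=FAST
    anonymous_identity="anonymous"   # outer identity shown in the clear
    identity="jdoe"                  # assumed user
    password="placeholder-password"  # assumed credential
    pac_file="/etc/wpa_supplicant/corp.pac"   # assumed path; written on first provisioning
    phase1="fast_provisioning=2"
    phase2="auth=MSCHAPV2"
}
```

Note that CCKM fast secure roaming, discussed later in this thread, is a separate key-management option on top of the EAP method and is not expressed by either block above.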

Thanks Jeremy.

So just to clarify, most of the SWAN documentation I've seen indicates that using either LEAP or FAST is a requirement for Fast Secure Roaming. Are you saying that I can use PEAP and still get the benefits of FSR?

Thanks!

I would like to explain the difference between roaming and fast secured roaming.

All APs support roaming, no matter what encryption and authentication are used. When a wireless client determines that there is a better AP than the current AP, it roams to another AP.

Roaming does not work for all applications, especially IP phones or Citrix. The roaming time is around 200ms. If you use fast secured roaming, it reduces the roaming time to around 50ms. However, you need to configure WDS and CCKM.

I hope that the above clears up any misunderstanding.

Thanks for the reply Dixon. Unfortunately it's still not quite clear.

I understand that wireless devices can roam in the manner you described, by jumping to an AP with a stronger signal. But as I understand it, this is handled by the client alone, and works with any sort of AP including a $20 Netgear purchased from the local computer store. Per my understanding, this method would require a user to re-authenticate (and perhaps re-address IP), causing an unknown delay.

My goal is to have a more intelligent solution than the roaming described above. I don't want users to be prompted to re-authenticate when roaming. I don't need layer 3 mobility, but we may be using applications that would have problems if connectivity was halted while re-association / re-authentication occurs.

So the question remains, can this (layer 2 roaming without re-authentication) be done with PEAP? Based on the info I've seen, a more intelligent roaming solution (FSR) in the Cisco world would require LEAP or EAP-FAST. Correct?

I've seen, a more intelligent roaming solution (FSR) in the Cisco world would require LEAP or EAP-FAST. Correct?

Answer: that's correct.

CB21AG will support EAP-FAST with CCKM soon. If you want a solution now, I think that the supplicant from Funk or Meeting House should support EAP-FAST with fast secured roaming. Funk's Odyssey Client v3.10 does support EAP-FAST now. I think that it should support CCKM as well. Meeting House's Aegis client should also support EAP-FAST 4Q 2004.

I admit that you may save money by using a third-party supplicant. However, we have to run compatibility tests for different laptops and different wireless NICs. If you support a lot of laptop models, it will be a nightmare for you.

The problem with CB21AG is that it only supports Windows 2000 and XP. If you have Windows CE, Linux, or Apple clients, you need to find a solution for these clients.

I am wondering about the deployment part.

I read this article and would like your comment:

http://www.lanarchitect.net/Articles/Wireless/EAP-FAST/index.htm

A fairly accurate article overall. EAP-FAST is probably going to see some benefits from moving off the desktop. Having said that, I do know that some newer architectures at Cisco, such as those for the Network Admission Control initiative, are also looking at EAP-FAST for some optimizations available in that protocol that are not available in PEAP. Meaning, there may come both some improvements to provisioning EAP-FAST, and some more custom-catered solutions that take better advantage of it in the future.

thanks,

jeremy
