
Question about Roaming

xZamalek, Level 1

Hello All,

I have some questions regarding roaming which confuse me.

- Is the roaming decision made by the client or the WLC? What does the threshold value in the client roaming section of the wireless tab refer to?

- I was performing some debugs while a client was performing L2 roaming (another AP on the same WLC) and I could see that the client sent a reassociation, was reauthenticated, and sent another BOOTREQUEST for DHCP. Does that mean that every time a client roams, whether L2 or L3, it will reauthenticate and request an IP from DHCP? How is the roaming seamless then?

- The client is supposed to authenticate first when it tries to join the BSS. Is the first authentication where the AP sends the identity of the client to the WLC, which then sends it to the RADIUS server? Also, when I was performing debugs I saw an association request come first, before authentication, so what is the order of client joining? Does it associate first and then authenticate, or authenticate first? Lastly, after authentication the client goes to the DHCP process.

- In L3 roaming, will the client reauthenticate when it associates with the foreign controller?

- Is it normal that the user reauthenticates every time it roams?

Accepted Solution

- Is the roaming decision made by the client or the WLC?

It is purely a client decision.

Does that mean that every time a client roams, whether L2 or L3, it will reauthenticate and request an IP from DHCP? How is the roaming seamless then?

That is not normal. Did you see the client change its IP address, or only a DHCP request message?

- The client is supposed to authenticate first when it tries to join the BSS. Is the first authentication where the AP sends the identity of the client to the WLC, which then sends it to the RADIUS server? Also, when I was performing debugs I saw an association request come first, before authentication, so what is the order of client joining? Does it associate first and then authenticate, or authenticate first? Lastly, after authentication the client goes to the DHCP process.

In the initial association you would see two authentication frames; those are the "Open Authentication" frames prior to the Association Request/Response. They are exchanged between the STA and the AP and never go to RADIUS. Once associated, depending on the security method configured, the client has to prove its identity. That is called the EAP exchange process in 802.1X, and that traffic has to go to the RADIUS server.

Here is the 802.1X frame exchange during initial association and subsequent roaming (without any fast roaming or key caching):

802.1X-FrameEx.png

- Is it normal that the user reauthenticates every time it roams?

If no fast roaming mechanism (PMK caching, Opportunistic Key Caching, or 802.11r/FT - Fast Transition) is implemented, then it is normal to fully authenticate. With those fast roaming mechanisms you can bypass full authentication in subsequent roaming within the same mobility group.

Here is what happens with PMK caching: only a client roaming back to a previously associated AP can bypass full authentication.

PMK-Cachig.png

Here is what happens with OKC:

OKC.png

HTH

Rasika

*** Pls rate all useful responses ***
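As an added illustration of the PMK caching and OKC behaviour described in this answer (this is not Cisco WLC code and not part of the original post), the Python model below computes the PMKID the way IEEE 802.11 defines it (HMAC-SHA1-128 over "PMK Name" || AP BSSID || station MAC) and walks one client along a constructed roam path under three controller modes: no caching, plain PMK caching, and opportunistic key caching. The Controller and Station classes, the MAC addresses and the roam path are assumptions made for the example; the PMK itself is a random stand-in for what EAP would derive.

```python
import hashlib
import hmac
import os

# Added example: toy model of the PMKSA cache lookup that decides whether a
# roaming client can skip the full 802.1X/EAP exchange. Not Cisco WLC code;
# the classes, MACs and roam path are assumptions for illustration.


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) per IEEE 802.11
    (AA = AP BSSID, SPA = station MAC). The client lists candidate PMKIDs in
    the RSN element of its (re)association request; the authenticator checks
    whether it holds a PMK that produces one of them."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Controller:
    """Models the WLC's PMKSA store. mode is one of:
    'none' - no caching: every (re)association needs a full EAP exchange
    'pmk'  - plain PMK caching: one PMKSA per (station, AP) pair
    'okc'  - opportunistic key caching: one PMK reused at every AP in the group
    """

    def __init__(self, mode: str):
        assert mode in ("none", "pmk", "okc")
        self.mode = mode
        self.pmksa = {}
        self.eap_runs = 0  # full EAP exchanges, i.e. round trips to RADIUS

    def full_eap(self, spa: bytes, aa: bytes) -> bytes:
        self.eap_runs += 1
        pmk = os.urandom(32)  # constructed stand-in for the EAP-derived PMK
        if self.mode == "okc":
            self.pmksa[spa] = pmk  # valid at any AP in the mobility group
        elif self.mode == "pmk":
            self.pmksa[(spa, aa)] = pmk  # valid only at the AP that ran EAP
        return pmk

    def lookup(self, spa: bytes, aa: bytes, offered: bytes):
        """Return a cached PMK that yields the offered PMKID at AP aa, else None."""
        if self.mode == "okc":
            pmk = self.pmksa.get(spa)
        elif self.mode == "pmk":
            pmk = self.pmksa.get((spa, aa))
        else:
            pmk = None
        if pmk is not None and hmac.compare_digest(pmkid(pmk, aa, spa), offered):
            return pmk
        return None


class Station:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmks = []  # PMKs from earlier EAP runs (the supplicant's PMKSA cache)

    def associate(self, aa: bytes, wlc: Controller) -> str:
        """Return 'fast' (4-way handshake only) or 'full' (EAP, then 4-way)."""
        for pmk in self.pmks:
            # offer the PMKID this cached PMK would have at the target AP
            if wlc.lookup(self.mac, aa, pmkid(pmk, aa, self.mac)) is not None:
                return "fast"
        self.pmks.append(wlc.full_eap(self.mac, aa))
        return "full"


# Constructed, locally administered MACs for the walk-through
STA = bytes.fromhex("020000000001")
AP1, AP2, AP3 = (bytes.fromhex("0211223344") + bytes([n]) for n in (1, 2, 3))
ROAM_PATH = [AP1, AP2, AP1, AP3]  # join AP1, roam to AP2, back to AP1, on to AP3


def simulate(mode: str, path=ROAM_PATH):
    """Return (per-hop outcome list, number of full EAP exchanges)."""
    wlc = Controller(mode)
    sta = Station(STA)
    outcomes = [sta.associate(aa, wlc) for aa in path]
    return outcomes, wlc.eap_runs


if __name__ == "__main__":
    for mode in ("none", "pmk", "okc"):
        outcomes, eap_runs = simulate(mode)
        print(f"{mode:5s}: {outcomes}  (EAP exchanges: {eap_runs})")
```

Running it shows the pattern in the two diagrams: with plain PMK caching only the roam back to AP1 is fast, with OKC every roam after the first join is fast, and with no caching every hop goes to RADIUS. The model keys the cache on the AP BSSID exactly as the PMKID does, which is why the same PMK matches at a new AP under OKC but not under plain PMK caching.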


4 Replies

Hello Rasika,

Thank you very much for the detailed clarifications; I really appreciate it.

- That is not normal. Did you see the client change its IP address, or only a DHCP request message?

That's what I received. I have read about it in the CCNA OCG and it might be that the device is asking to renew its IP address, not to request a new one, because it requested a specific IP in the logs. If that's correct then I believe the user is doing full authentication but does not request a new IP address, but I need to confirm.

DHCP received op BOOTREQUEST

processing DHCP REQUEST (3)
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
chaddr: X.X.X.X >> mac of client
ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
siaddr: 0.0.0.0, giaddr: 0.0.0.0
requested ip: 10.X.X.X

=======================

- I have another question that came to my mind while troubleshooting an issue where there is huge interference in the 2.4 GHz band between multiple APs on the same floor. Does the client also choose which band it connects to, or is there a way to force it to connect to 5 GHz? And is disabling 2.4 GHz on some APs a good idea? The symptoms are users on the floor getting disconnected from the wireless while the signal is very strong.
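As an added example (not from the post and not Cisco code), here is a small Python classifier for WLC DHCP debug output of the shape pasted above. It groups the lines into messages and applies the rules from RFC 2131 section 4.3.2: a DHCPREQUEST with ciaddr set and no requested-IP option is a RENEWING/REBINDING client, a DHCPREQUEST with ciaddr 0.0.0.0 and a requested-IP option is either SELECTING (if a server identifier is present) or INIT-REBOOT (verifying a lease it already holds), and a DHCPDISCOVER is a client starting from scratch. The sample debug text is constructed with placeholder MACs and addresses, and the `server id:` field name is an assumption, since the posted debug shows no server identifier line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the WLC debug lines in the post; the MACs,
# addresses and message order are placeholders, not values from the page.
SAMPLE_DEBUG = """\
DHCP received op BOOTREQUEST
processing DHCP REQUEST (3)
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
chaddr: 00:11:22:33:44:55
ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
siaddr: 0.0.0.0, giaddr: 0.0.0.0
requested ip: 10.0.0.25
DHCP received op BOOTREQUEST
processing DHCP DISCOVER (1)
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
chaddr: 00:11:22:33:44:66
ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
siaddr: 0.0.0.0, giaddr: 0.0.0.0
DHCP received op BOOTREQUEST
processing DHCP REQUEST (3)
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
chaddr: 00:11:22:33:44:77
ciaddr: 10.0.0.30, yiaddr: 0.0.0.0
siaddr: 0.0.0.0, giaddr: 0.0.0.0
"""


@dataclass
class DhcpMsg:
    chaddr: str
    msg_type: str          # DISCOVER, REQUEST, ...
    ciaddr: str
    requested_ip: Optional[str]   # option 50, if the client sent it
    server_id: Optional[str]      # option 54; "server id:" is an assumed field name


MSG_RE = re.compile(r"processing DHCP (\w+) \((\d+)\)")
CHADDR_RE = re.compile(r"chaddr:\s*(\S+)")
CIADDR_RE = re.compile(r"ciaddr:\s*(\S+?),")
REQ_RE = re.compile(r"requested ip:\s*(\S+)")
SID_RE = re.compile(r"server id:\s*(\S+)")
FIELDS = (("msg_type", MSG_RE), ("chaddr", CHADDR_RE), ("ciaddr", CIADDR_RE),
          ("requested_ip", REQ_RE), ("server_id", SID_RE))


def parse_debug(text: str) -> List[DhcpMsg]:
    """Split the debug stream at each 'DHCP received op' line and pull the
    fields of each message out of the lines that follow it."""
    msgs = []
    cur = None
    for line in text.splitlines():
        if line.startswith("DHCP received op"):
            cur = {"requested_ip": None, "server_id": None}
            msgs.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in FIELDS:
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
    return [DhcpMsg(**m) for m in msgs]


def client_state(m: DhcpMsg) -> str:
    """Infer the RFC 2131 client state from the message type, ciaddr and the
    requested-IP / server-identifier options."""
    if m.msg_type == "DISCOVER":
        return "INIT"  # no address yet: a new lease will follow
    if m.msg_type != "REQUEST":
        return m.msg_type
    if m.ciaddr != "0.0.0.0" and m.requested_ip is None:
        return "RENEWING"  # extending the lease on the address it already uses
    if m.ciaddr == "0.0.0.0" and m.requested_ip is not None:
        # SELECTING follows an OFFER and names the chosen server;
        # INIT-REBOOT re-verifies a remembered address without a server id
        return "SELECTING" if m.server_id else "INIT-REBOOT"
    return "MALFORMED"


def keeps_address(state: str) -> bool:
    """True when the exchange does not hand the client a different address."""
    return state in ("RENEWING", "INIT-REBOOT")


if __name__ == "__main__":
    for msg in parse_debug(SAMPLE_DEBUG):
        st = client_state(msg)
        print(f"{msg.chaddr}  {msg.msg_type:8s} ciaddr={msg.ciaddr:10s} "
              f"req={msg.requested_ip}  -> {st} (keeps address: {keeps_address(st)})")
```

Applied to the first constructed message, which mirrors the shape of the posted lines (ciaddr 0.0.0.0 plus a requested IP), the classifier reports INIT-REBOOT: the client is asking the server to confirm an address it already holds, so an ACK leaves the address unchanged and only a NAK would force a new DISCOVER. That is the distinction worth checking in the real debug before concluding whether the roam changed the client's address.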

"I have read about it in the CCNA OCG and it might be that the device is asking to renew its IP address, not to request a new one, because it requested a specific IP in the logs. If that's correct then I believe the user is doing full authentication but does not request a new IP address, but I need to confirm."

When you do fast roaming you should only see 4 frames (two authentication frames, re-association request, and re-association response) at the time of roaming, and the EAP process is completely bypassed (as that is the most time-consuming part).

The DHCP process should not be required in either case (full auth or fast roam), and it would be interesting to see if that comes from all different clients or only a certain type of client.

"I have another question that came to my mind while troubleshooting an issue where there is huge interference in the 2.4 GHz band between multiple APs on the same floor. Does the client also choose which band it connects to, or is there a way to force it to connect to 5 GHz? And is disabling 2.4 GHz on some APs a good idea? The symptoms are users on the floor getting disconnected from the wireless while the signal is very strong."

The client decides which band it connects to. In Cisco WLC, for a given SSID you can enable the "band select" feature. In that way, the Cisco AP will delay its response to "probe requests" in 2.4 GHz. A dual-band client may send probe requests on both bands and still wait for 2.4 GHz, and if it thinks the signal is better on 2.4 GHz it may still connect to that band. Sometimes those criteria depend on how the client device's WiFi driver is programmed as well; see below how Apple and Samsung devices do that (most vendors do not disclose those details).

https://support.apple.com/en-au/HT203068

https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-115013403768.htm

If you can disable 2.4 GHz on that SSID, that is the best solution, but make sure all your clients support 5 GHz before making that change.


HTH

Rasika

*** Pls rate all useful responses ***

Thank you a lot.
