Re-authentication problem after office change c9800-cl

sigcerder
Level 1

Hello everyone.

I am using a Cisco Catalyst 9800-CL controller version 17.9.4 hosted in a cloud data center. In our ten offices, the default configuration includes a Cisco 1111 gateway, a 9200 switch, and 3 to 5 9130 access points. Each office is configured with an SSID called "Prod_Corp".

When an employee enters the office and connects to "Prod_Corp," they enter their credentials from Active Directory. The request is then sent to a RADIUS server deployed on Windows Server 2019. Once verified, the employee is authenticated and granted access to Wi-Fi.

However, if an employee connects to Wi-Fi in one office and then moves to another office, the employee cannot automatically connect to Wi-Fi. The problem is resolved only after the employee selects "Forget this network" for the SSID "Prod_Corp" and then reconnects and authenticates.

I suspect this is related to the PMKID. Has anyone had similar issues? How can they be resolved?

Configuration: I have about 30 wireless profiles as you can see in the screenshot provided. I create a new profile for each new object. Maybe I should rethink this approach and create one unified profile for all SSIDs with the same name?

profile.png

2 Replies

If the client is moving between different policy profiles (even though they are in the same WLAN profile), it could be expected behavior. Is it possible for two different office APs to get the same policy profile and test it?

Below from the 9800 Best Practices guide
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Roamingbetweenpolicytags 

"Currently, a client roaming between two APs configured with the same SSID but different associated policies will result in a slow roam. In other words, roaming across two different policy tags (same SSID, but different policy profile name) will force client to go through a full authentication and DHCP process to renew its IP address. This is true even if doing intra-controller roaming, and it is meant to prevent clients from jumping from one policy to another without a full reauthentication.

If the policy profile associated to the SSID is the same (same name and content) in different policy tags, then roaming for that SSID is seamless. The slow roam happens if there is a change in the policy profile associated to the SSID"

HTH
Rasika
*** Pls rate all useful responses ****
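
The check described in the quoted guide passage can be run against a controller's configuration. This is an added example, not part of the original reply and not Cisco code: it parses the `wireless tag policy` blocks of a `show running-config` dump and reports each WLAN profile that is mapped to more than one policy profile name across policy tags. The tag, WLAN and policy names in the sample are constructed, and the script compares policy profile names only, not their content.

```python
import re
from collections import defaultdict

# Constructed sample of `show running-config` output; tag, WLAN and policy
# profile names are made up for illustration.
SAMPLE_CONFIG = """\
wireless tag policy Office1_Tag
 description Office 1
 wlan Prod_Corp policy Office1_Policy
 wlan Guest policy Guest_Policy
wireless tag policy Office2_Tag
 wlan Prod_Corp policy Office2_Policy
 wlan Guest policy Guest_Policy
wireless tag policy Office3_Tag
 wlan Prod_Corp policy Office1_Policy
"""

TAG_RE = re.compile(r"^wireless tag policy (\S+)\s*$")
MAP_RE = re.compile(r"^\s+wlan (\S+) policy (\S+)\s*$")

def parse_policy_tags(config):
    """Return {wlan_profile: {policy_profile: [policy_tag, ...]}}."""
    mapping = defaultdict(lambda: defaultdict(list))
    tag = None
    for line in config.splitlines():
        m = TAG_RE.match(line)
        if m:
            tag = m.group(1)
            continue
        if not line.startswith(" "):
            tag = None  # left the policy-tag block
            continue
        m = MAP_RE.match(line)
        if tag and m:
            mapping[m.group(1)][m.group(2)].append(tag)
    return mapping

def slow_roam_wlans(config):
    """WLAN profiles mapped to more than one policy profile name across tags."""
    return {
        wlan: {pol: sorted(tags) for pol, tags in policies.items()}
        for wlan, policies in parse_policy_tags(config).items()
        if len(policies) > 1
    }

if __name__ == "__main__":
    for wlan, policies in slow_roam_wlans(SAMPLE_CONFIG).items():
        print(f"{wlan}: roaming across these tags forces full re-authentication")
        for pol, tags in policies.items():
            print(f"  policy profile {pol}: tags {', '.join(tags)}")
```

An empty result means every policy tag maps each WLAN profile to a single policy profile name, which is the condition the guide gives for seamless roaming on that SSID.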

Rasika, hi.
Thanks for the explanation, I am more than sure after reading the best practices that it is about different profiles.
I will definitely do an experiment in the coming days and let you know about the improvement. I just have two buildings 100 meters away from each other, which will be a perfect place to test.