06-06-2022 01:14 AM
Hi Team,
Regarding the document (section WPA/WPA2-EAP), why do we still get a lot of frames in the second TLS handshake, even though the station already exchanged the certificate with the server earlier? Do we miss any setting?
Attached legacy roaming test sniffer capture.
AP1 - 0c:11:67:fd:53:00
AP2 - 0c:11:67:fd:24:30
first time: frames 241 ~ 266
second time: frames 2338 ~ 2363
Router: AIR-CAP3602E-N-K9.
Thank you.
06-06-2022 02:06 AM
Hi
It is difficult to analyse like this. It would be easier with a debug client from the WLC, but one thing we can affirm is that there was a full authentication process in these two periods. It could be because the device dropped from the network, or because it tried to roam between APs and did not succeed and had to start the process from the beginning.
06-08-2022 06:54 PM
Hi @Flavio Miranda,
Attached debug client and sniffer capture. No deauthentication or disassociation is seen in the sniffer capture.
AP1 - 78:72:5d:b7:9e:20
AP2 - f4:db:e6:a9:e3:80
Steps:
Connect to AP1 -> Legacy roaming to AP2 -> Legacy roaming to AP1
Thank you.
06-13-2022 03:04 AM
Hi @Flavio Miranda,
Do you have any idea? Why does AP1 still need the full authentication process, as at the beginning, when the station roams back to AP1?
Thank you.
06-13-2022 03:40 AM - edited 06-13-2022 03:40 AM
Hi @JasonHuang
Logs did not say too much. Roaming between WLCs is one thing, but for roaming between APs on the same WLC advertising the same SSID, no specific configuration is required. You can customize a few things, but sometimes it does not help much.
I must say: roaming is a client decision, not a network decision. The network tries to help, but usually the client does not listen to the network. If you are OK with your WLC config and the access point coverage, then you must turn your attention to the clients.
06-13-2022 04:00 AM
Hi @Flavio Miranda,
I understand what you are talking about. But my problem is related to the EAP handshake in the reassociation process. The server should send fewer frames, right? However, it looks the same as at the beginning. Why?
Thank you.
06-13-2022 04:09 AM
Not sure if I received the right file. I did not see authentication in the logs, only probes. Can you share here what you are looking at? It can be a screenshot.
06-13-2022 10:45 PM - edited 06-13-2022 10:45 PM
Hi @Flavio Miranda,
Could you share the debug commands that we should enable?
For the earlier log, we used the commands below:
(Cisco Controller) >debug client 78:72:5d:b7:9e:20 f4:db:e6:a9:e3:80
(Cisco Controller) >debug hotspot packets enable
(Cisco Controller) >debug dot1x all enable
(Cisco Controller) >debug aaa all enable
(Cisco Controller) >show debug
MAC Addr 1.................................. 78:72:5D:B7:9E:20
MAC Addr 2.................................. F4:DB:E6:A9:E3:80
Flex-AP Client Debugging ................... disabled
Flex-Group Client Debugging ................ disabled
Debug Flags Enabled:
aaa detail enabled.
aaa events enabled.
aaa packet enabled.
aaa packet enabled.
aaa ldap enabled.
aaa local-auth db enabled.
aaa local-auth eap framework errors enabled.
aaa local-auth eap framework events enabled.
aaa local-auth eap framework packets enabled.
aaa local-auth eap framework state machine enabled.
aaa local-auth eap method errors enabled.
aaa local-auth eap method events enabled.
aaa local-auth eap method packets enabled.
aaa local-auth eap method state machine enabled.
1. Below is what we observed: we can see the Cisco AP still sends multiple requests after the client hello, even though the STA already exchanged the cert. with the server earlier. However, the Netgear AP sends fewer frames after the second client hello.
Cisco AP:
Netgear AP:
2. The Cisco document also mentions that sometimes the exchange shows fewer frames if the station already exchanged the certificate with the server.
How do we dump the AP and RADIUS server configuration for you to confirm?
Thank you.
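As an added illustration, not code from this thread, from Cisco or from the Netgear product: a small Python parser that walks the TLS records carried inside EAP-TLS and reports whether the server resumed the client's cached session (ServerHello echoing the offered session ID and no Certificate message, which is the shorter exchange the document describes) or ran a full handshake again, which is what the second exchange in the question shows. The function names and the sample records are my own; the samples are constructed (zero randoms, one cipher suite, an empty certificate list), not taken from the attached capture.

```python
import struct
# Record/handshake type codes from RFC 5246; EAP-TLS carries these records inside EAP packets
CT_HANDSHAKE = 22
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11

def handshake_messages(data: bytes):
    """Yield (record_type, hs_type, hs_body) per TLS record; hs_type is None for non-handshake records."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) != rlen: raise ValueError("truncated TLS record")
        off += 5 + rlen
        if ctype != CT_HANDSHAKE:
            yield ctype, None, body  # ChangeCipherSpec, Alert, ...
            continue
        pos = 0
        while pos + 4 <= len(body):  # several handshake messages may share one record
            hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
            yield ctype, body[pos], body[pos + 4:pos + 4 + hs_len]
            pos += 4 + hs_len

def hello_session_id(hs_body: bytes) -> bytes:
    """session_id of a ClientHello/ServerHello body: version(2) random(32) sid_len(1) sid."""
    return hs_body[35:35 + hs_body[34]]

def classify_handshake(client_bytes: bytes, server_bytes: bytes) -> str:
    """'resumed' when the server echoes the offered session ID and sends no Certificate, else 'full'."""
    client_sid = server_sid = b""
    sent_certificate = False
    for _, hs_type, body in handshake_messages(client_bytes):
        if hs_type == HS_CLIENT_HELLO:
            client_sid = hello_session_id(body)
    for _, hs_type, body in handshake_messages(server_bytes):
        if hs_type == HS_SERVER_HELLO:
            server_sid = hello_session_id(body)
        elif hs_type == HS_CERTIFICATE:
            sent_certificate = True
    return "resumed" if client_sid and client_sid == server_sid and not sent_certificate else "full"

# Constructed sample records (not taken from the thread's capture): zero randoms, one cipher suite
def _hello(hs_type: int, sid: bytes) -> bytes:
    tail = b"\x00\x02\xc0\x2f\x01\x00" if hs_type == HS_CLIENT_HELLO else b"\xc0\x2f\x00"
    body = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

SID = bytes(range(32))
CLIENT_FIRST, CLIENT_RESUME = _hello(HS_CLIENT_HELLO, b""), _hello(HS_CLIENT_HELLO, SID)
SERVER_FULL = _hello(HS_SERVER_HELLO, SID) + b"\x16\x03\x03\x00\x07\x0b\x00\x00\x03\x00\x00\x00"
SERVER_RESUMED = _hello(HS_SERVER_HELLO, SID) + b"\x14\x03\x03\x00\x01\x01"
```

Feeding the reassembled TLS payload of the second exchange from the capture into classify_handshake would show "full" if the server ignored the offered session ID, which points at the RADIUS server's session cache rather than at the AP.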