Why does the AP still send multiple frames in the second TLS handshake?

JasonHuang
Level 1

Hi Team,

Regarding the document (section WPA/WPA2-EAP), why do we still get a lot of frames in the second TLS handshake, even though the station already exchanged the certificate with the server earlier? Did we miss any setting?

Attached legacy roaming test sniffer capture.

AP1 - 0c:11:67:fd:53:00
AP2 - 0c:11:67:fd:24:30

First time: frames 241 ~ 266

Second time: frames 2338 ~ 2363

Router: AIR-CAP3602E-N-K9.

 

Thank you.

7 Replies

Hi

It is difficult to analyse like this. It would be easier with a debug client from the WLC, but one thing we can affirm is that there was a full authentication process in these two periods. It could be because the device dropped from the network, or because it tried to roam between APs and did not succeed and had to start the process from the beginning.

Hi @Flavio Miranda,

Attached debug client and sniffer capture. No deauthentication or disassociation seen in the sniffer capture.

AP1 - 78:72:5d:b7:9e:20
AP2 - f4:db:e6:a9:e3:80

Steps:

Connect to AP1 -> Legacy roaming to AP2 -> Legacy roaming to AP1

Thank you.

Hi @Flavio Miranda,

Do you have any idea? Why does AP1 still need the full authentication process, as at the beginning, when the station roams back to AP1?

Thank you.

Hi @JasonHuang

Logs did not say too much. Roaming between WLCs is one thing, but for roaming between APs on the same WLC advertising the same SSID, no specific configuration is required. You can customize a few things, but sometimes it does not help much.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/client_roaming.html

I must say: roaming is a client decision, not a network decision. The network tries to help, but usually the client does not listen to the network. If you are OK with your WLC config and the access point coverage, then you must turn your attention to the clients.

Hi @Flavio Miranda,

I understand what you are talking about. But my problem is related to the EAP handshake in the reassociation process. The server should send fewer frames, right? However, it looks the same as at the beginning. Why?

Thank you.

Not sure if I received the right file. I did not see authentication in the logs, only probes. Can you share here what you are looking at? It can be a print.

Hi @Flavio Miranda,

Could you share the debug command that we should enable?

As in the earlier log, we used the commands below:

(Cisco Controller) >debug client 78:72:5d:b7:9e:20 f4:db:e6:a9:e3:80

(Cisco Controller) >debug hotspot packets enable

(Cisco Controller) >debug dot1x all enable

(Cisco Controller) >debug aaa all enable

(Cisco Controller) >show debug

MAC Addr 1.................................. 78:72:5D:B7:9E:20
MAC Addr 2.................................. F4:DB:E6:A9:E3:80

Flex-AP Client Debugging ................... disabled
Flex-Group Client Debugging ................ disabled

Debug Flags Enabled:
aaa detail enabled.
aaa events enabled.
aaa packet enabled.
aaa packet enabled.
aaa ldap enabled.
aaa local-auth db enabled.
aaa local-auth eap framework errors enabled.
aaa local-auth eap framework events enabled.
aaa local-auth eap framework packets enabled.
aaa local-auth eap framework state machine enabled.
aaa local-auth eap method errors enabled.
aaa local-auth eap method events enabled.
aaa local-auth eap method packets enabled.
aaa local-auth eap method state machine enabled.


1. Below is what we observed: we can see the Cisco AP still sends multiple requests after the client hello, even though the STA already exchanged the cert. with the server earlier. However, the Netgear AP sends fewer frames after the second client hello.

Cisco AP:

cisco_ap.png

Netgear AP:

netgear_ap.png

 

2. The Cisco document also mentions that sometimes the exchange shows fewer frames if the station already exchanged the certificate with the server.

How do we dump the AP and RADIUS server configuration for you to confirm?

Thank you.
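The shorter second exchange the document describes is TLS session resumption: the server echoes the client's non-empty session ID in its ServerHello and skips the Certificate message. As an added example, not code from this thread or from Cisco, the script below classifies a reassembled TLS 1.2 record stream (the bytes carried inside the EAP-TLS fragments of a capture) as a full or a resumed handshake by exactly that criterion; the sample streams and the session ID are constructed.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 22, 20, 1, 2, 11

def handshake_messages(stream: bytes):
    """Yield (msg_type, body) for each cleartext handshake message in a TLS record stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        frag, pos = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype == CHANGE_CIPHER_SPEC:
            return  # records after the first ChangeCipherSpec are encrypted: stop
        if ctype != HANDSHAKE:
            continue  # alerts / application data carry no handshake messages
        buf += frag  # a handshake message may span several records (EAP-TLS fragments)
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break  # message continues in the next record
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def session_id(hello: bytes) -> bytes:
    """Session ID of a ClientHello/ServerHello body: version(2) random(32) sid_len(1) sid."""
    return hello[35:35 + hello[34]]

def classify(stream: bytes) -> str:
    """'resumed' if the server echoes the client's non-empty session ID and sends no Certificate."""
    client_sid = server_sid = None
    saw_cert = False
    for mtype, body in handshake_messages(stream):
        if mtype == CLIENT_HELLO:
            client_sid = session_id(body)
        elif mtype == SERVER_HELLO:
            server_sid = session_id(body)
        elif mtype == CERTIFICATE:
            saw_cert = True
    return "resumed" if client_sid and client_sid == server_sid and not saw_cert else "full"

def tls_record(mtype: int, body: bytes) -> bytes:
    """One handshake message in one TLS 1.2 record (builds constructed sample data, not a capture)."""
    msg = bytes([mtype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(msg).to_bytes(2, "big") + msg

def hello_body(sid: bytes) -> bytes:
    return b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid + b"\x00\x2f\x00"  # rest is irrelevant here

SID = bytes(range(16))  # constructed session ID
FULL = tls_record(CLIENT_HELLO, hello_body(b"")) + tls_record(SERVER_HELLO, hello_body(SID)) + tls_record(CERTIFICATE, bytes(3))
RESUMED = tls_record(CLIENT_HELLO, hello_body(SID)) + tls_record(SERVER_HELLO, hello_body(SID)) + b"\x14\x03\x03\x00\x01\x01"
```

A "full" result on the reassociation means the RADIUS server did not resume the cached session, which is the symptom in this thread. The check is for TLS 1.2 and earlier; TLS 1.3 always echoes the session ID and resumes via PSK instead.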
