CCKM, WPA, fast roaming issues

I have a 4404 LAN controller with 1131a/g light AP's. Clients are Cisco a/b/g cards using WPA2, PEAP MSCHAPv2 and the Odyssey supplicant.
Sometimes my clients roam between access points without losing a single packet, but other times they lose connectivity for up to 15 seconds while the client reauthenticates. Obviously, I would like to improve roaming time.
On the WLAN controller I have WPA2 configured with AES and "auth key management" set to 802.1x. I just upgraded to the latest (4.0) code on the controller and noticed there is a new "auth key management" setting called 802.1x + cckm.
After much research on cckm tonight, I seem to have more questions than answers.
Can/should cckm be used WITH WPA2?
If not, can both WPA2 and cckm be supported on the same WLAN?
Which auth key management setting should I be using, 802.1x or 802.1x + cckm?
Does cckm require support of both supplicant and NIC?
Is there anything else I can do to make roaming more seamless?

Is it possible to use
WPA1 + TKIP + Auth Key Mgmt="CCKM"
or
WPA1 + TKIP + Auth Key Mgmt="802.1x + CCKM"
My WLC has Software Version 4.0.179.8.
With this configuration, will I need a CCX v4 client card?
Thanks

Similar Messages

  • CCKM/Fast Roaming CCXv3 and CCXv4 Clients

    I am trying to verify for sure if CCXv3 clients can connect to a wlan configured with 802.1X+CCKM, and security WPA2/AES and do fast roaming?
    It appears that CCXv3 clients do not support CCKM with 802.1X/EAP TLS.

    Keep in mind PMK is specific to an AP and client. If a client roams away from the AP and comes back it doesn't have to reauth because it uses the PMK. OKC uses the original PMK generated during your first auth and then shares it with other APs to negate auth .. clients need to support OKC to take full advantage
    For flex ..
    FlexConnect Groups and CCKM
    FlexConnect Groups are required for CCKM fast roaming to work with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM cache for all 100 clients is not practical. If you create a FlexConnect that includes a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM cache is distributed among those four access points only when the clients associate to one of them.
    Note CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported. See the "Configuring WPA1 +WPA2" section for information on configuring CCKM.
    FlexConnect Groups and Opportunistic Key Caching
    Starting in the 7.0.116.0 release, FlexConnect groups enable Opportunistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using PMK caching in access points that are in the same FlexConnect group.
    This feature prevents the need to perform a full authentication as the client roams from one access point to another. Whenever a client roams from one FlexConnect access point to another, the FlexConnect group access point calculates the PMKID using the cached PMK.
    To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command. This feature is supported on Cisco FlexConnect access points.
    Note The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x authentication.
    When using FlexConnect groups for OKC or CCKM, the PMK-cache is shared only across the access points that are part of the same FlexConnect group and are associated to the same controller. If the access points are in the same FlexConnect group but are associated to different controllers that are part of the same mobility group, the PMK cache is not updated and CCKM roaming will fail.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

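The PMK caching described in the reply above, as an added example that is not part of the original thread or any Cisco code: a client holding a cached PMK derives the PMKID for the AP it roams to, and an AP that shares the cache can verify it and skip the full EAP exchange. The PMKID formula is the IEEE 802.11i one for SHA-1 based key management; the `PmkCacheScope` class, the MAC addresses, the controller names and the PMK value are constructed for illustration.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk: bytes, ap_bssid: str, client_mac: str) -> bytes:
    # IEEE 802.11i, SHA-1 based AKMs: PMKID = first 128 bits of
    # HMAC-SHA1(PMK, "PMK Name" || AA || SPA); AA = AP BSSID, SPA = client MAC.
    data = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCacheScope:
    """Hypothetical model: the PMK cache shared by the APs of one
    FlexConnect group that are joined to one controller."""

    def __init__(self, group, controller, ap_bssids):
        self.group = group
        self.controller = controller
        self.ap_bssids = set(ap_bssids)
        self._pmk_by_client = {}

    def full_auth_completed(self, client_mac: str, pmk: bytes) -> None:
        # Called once the full 802.1X/EAP authentication has produced a PMK.
        self._pmk_by_client[client_mac] = pmk

    def reassociate(self, ap_bssid: str, client_mac: str, offered: bytes) -> str:
        pmk = self._pmk_by_client.get(client_mac)
        if pmk is None:
            return "full-eap"  # nothing cached in this scope
        expected = pmkid(pmk, ap_bssid, client_mac)
        # Constant-time comparison of the offered and the expected PMKID.
        if hmac.compare_digest(expected, offered):
            return "pmk-cache-hit"  # only the 4-way handshake is needed
        return "full-eap"


def roam(scopes, ap_bssid: str, client_mac: str, client_pmk: bytes) -> str:
    """Client side of OKC: compute the PMKID for the target AP from the PMK
    the client already holds and offer it in the reassociation."""
    offered = pmkid(client_pmk, ap_bssid, client_mac)
    for scope in scopes:
        if ap_bssid in scope.ap_bssids:
            return scope.reassociate(ap_bssid, client_mac, offered)
    return "full-eap"


# Constructed sample values (locally administered MACs, fixed 32-byte PMK).
CLIENT = "02:00:00:00:00:01"
AP_A1, AP_A2 = "02:00:00:00:0a:01", "02:00:00:00:0a:02"
AP_B1 = "02:00:00:00:0b:01"
PMK = bytes(range(32))


def demo() -> dict:
    # Same FlexConnect group name, but the third AP is joined to another controller.
    wlc1 = PmkCacheScope("branch", "wlc-1", [AP_A1, AP_A2])
    wlc2 = PmkCacheScope("branch", "wlc-2", [AP_B1])
    wlc1.full_auth_completed(CLIENT, PMK)  # first authentication via AP_A1
    scopes = [wlc1, wlc2]
    return {
        "same_group_same_controller": roam(scopes, AP_A2, CLIENT, PMK),
        "same_group_other_controller": roam(scopes, AP_B1, CLIENT, PMK),
        "stale_client_pmk": roam(scopes, AP_A2, CLIENT, bytes(32)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```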
  • WPA2+CCKM fast roaming not happening

    Hello,
    I'm trying to test fast roaming using a Cisco 2100 Series controller and 2 1140 APs. The initial authentication succeeds fine and the wireless
    connection works ok using WPA2+CCKM and LEAP with a Cisco ACS radius server.
    The problem is that the client does not attempt to preauthenticate with the other AP because the RSN Capabilities IE in the AP beacons and probe responses does not set the RSN Preauthentication capable bit. I can't figure out what it takes to get the APs to indicate to clients that they can do preauthentication. I've been crawling through all the documentation I can find, to no avail. Any ideas?
    Thanks
    - Bill

    Preauthentication has nothing to do with WPA2 Proactive key caching nor with CCKM.
    If you enable CCKM on the SSID you would expect the clients to use CCKM for roaming, no?
    Most clients don't support WPA2 with CCKM combined as they have overlapping roaming mechanisms. What are your test clients exactly? Did you verify if they support WPA2 with CCKM?

  • L2 Roaming issue with Avaya wireless phone on WISM -V6.0.196.0

    Hello Friends,
    I am facing a Layer 2 roaming issue with Avaya Wireless phone 3620, which are configured with WPA / pre-shared key auth on SSID1, and face a cut or delay in the voice.
    But when I use Cisco wireless phones and try to roam from one LWAP to another, I don't face a cut or delay in the voice; these are
    configured with 802.1x + CCKM auth.
    Then I configured a new SSID 3 with 802.1x + CCKM settings for the new Avaya wireless module 3631, but still face cut and delay while doing Layer 2 roaming.
    While I was using these APs in WDS mode I never faced this Layer 2 roaming issue with Avaya wireless phones.
    In the current WISM all the LWAPs properly support the Cisco phone and wireless laptop clients.
    I request you to please let me know how I should proceed further to solve the issue, and please let me know if there are any bugs or incompatibility for WISM with Avaya wireless phones.
    Appreciate your response.
    Regards,
    KA.

    Hello ,
    Can anybody please respond to my above query?
    Thanks,
    KA.

  • Intel 3945 roaming issues

    I have some 1242 APs set up with Cisco Fast roaming. My 3945 clients roam fine, but after a few seconds, they lose their IP address. If I have a constant ping going, my ping will drop for about 3 seconds, then replies will go for about 4 seconds. It will continue to do this about three times until stabilizing and then it works great until roaming again. Anyone have any ideas? TAC blames Intel. Intel says to work with Dell. Dell has no clue. Any help would be appreciated.

    Hi Allan,
    Have you tried tweaking Roaming Aggressiveness in the Intel PROSet client utility? You may also want to try turning off Auto-RF just to see if it makes any difference.
    I had customers who had problems with the ProSet Utility. We uninstalled it and used the Windows XP Wireless Zero Configuration.
    The Intel wireless NICs actually have some issues with the Cisco environment.
    Some examples from the forum:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd73e2f
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee95e05
    Please check if the wireless clients you use are specified in the "Cisco Compatible Client Devices" list:
    http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
    The mentioned versions can be found here:
    http://www.cisco.com/warp/public/765/ccx/versions_and_features.shtml
    Best regards,
    Frank

  • Client roaming issue

    I am trying to track down some performance issues on my wireless network, and hope someone out there will help educate me!  My environment:
    Access Points are all 1231, 1242, and 1252
    The 802.11g radios are active
    All APs are configured to use Channel 4
    WEP security (I know, I know ...)
    Clients are either laptop users (mostly Dells) or Intermec vehicle-mounted terminals with Prism NICs
    Clients are VERY active as far as moving around the building
    Here is what I *think* is happening:
    The clients don't "roam" as quickly as I think they should - in other words, they remain associated to the active AP too long.  Their signal gets too low before they pick up another AP.
    I wonder if I need to adjust the data rates on the APs (like maybe disable the lowest ones).  For example, if I disable the 1.0, 2, and 5.5 Mb/sec rates, does that mean that a client will look for another AP when the "speed" drops below 6 Mb/sec?  If so, then by disabling the lowest data rates, the client would be forced to find another AP before the data rates drops to nothing, right?
    I also don't understand the power ratings - I've just left them at the default settings - does this affect performance as well?
    Thanks in advance ...

    Hi Susan,
    How are you doing today ... Sounds like you have a little mess on your hands. Let's sort through some of these issues. It also sounds like you are open to feedback, that is always great to hear!
    First, I need to point out your channel selection, and this could be the likely cause of your roaming issue. Follow along and let me explain why.. There is a BIG misunderstanding when doing WiFi: folks think that all the APs need to be on the same channel. In fact, you should only use channels 1, 6 and 11. When you use the same channel, or off channels like 4, you cause interference.
    Let me explain why with a real world example. Think back to the late 80s when cordless phones were hitting the market. Do you remember when you would pick up the phone and you would hear your neighbor's conversation? Well, that is because you were on the same channel, you shared the same freq. Now what happens when 4 people (on 2 calls) try to all talk at the same time!? It becomes a mess, right. "Can you say that again", "I didn't hear you", "What was that !?".
    Well, the same holds true with WiFi. If all the APs are on the same channel you have one big cordless phone call going, for example. So the first thing we need to do is correct the channel issue before you do anything else. A WiFi channel uses 22 MHz of RF. That's why you can only use 1, 6, 11. You also want to make sure you don't put like channels close together. For example, don't line up a hallway with all channel 1... here is some reading
    http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html

  • Fast Roaming and CCKM

    We have a WISM blade with two controllers enabled. Single mobility group and no AP groups. We keep having random disconnects when our users are in Citrix. Some suggestions I read say that I should enable CCKM. We turned on 802.1x+CCKM on one controller and it seems to work. When we turned on only CCKM mode we can no longer associate clients to any APs on that controller. When would you use CCKM only, and when is the 802.1x+CCKM mode of key mgmt preferred?

    If you select 802.1x + CCKM, both 802.1x and CCKM compatible clients will be able to associate and authenticate. This is the preferred option if you are in a mixed environment (devices supporting and not supporting CCKM).
    If your devices cannot associate to the WLAN network when only CCKM is selected, this means that these devices are not CCKM capable.
    Another way to verify this is by using the following command on the controller (via telnet):
    show pmk-cache summary
    Please note that both the driver and the supplicant used need to support CCKM. The Windows supplicant, for example (Wireless Zero Config), does not support CCKM.
    Also, there are a lot of issues with the Intel Pro Set cards. Best is to use a Cisco card with the Cisco utility, at least for the tests.
    I hope that it helps.
    Rgds
    Gaetan

  • 7925g phones static/hissing and roaming issues

    Hello,
    We've been having an issue for several months now with our over 200 7925g phones.  Nurses are complaining that the phones have static and will drop the voice of the other caller and several times need to repeat the conversation.  We have confirmed several scenarios.  It occurs when both callers are on 7925g inside the coverage areas in the hospital; between 7925g and 7940 desk phone; 7925g and Nortel desk phone.  We've tested on 802.11a and 802.11b/g.  I do see a difference when on 802.11b/g however still get a hissing when connecting to a different AP.
    4 - 4400 controllers,  6.0.202 firmware
    1 - 5508 controller, 6.0.202 firmware
    234 - LAP1131AG AP's
    6 - AP1131AG AP's
    7 - LAP1142N AP's
    3 - LAP1310G AP's
    AP's are on 6.0.202.0 firmware
    7925g's all are on 1.3.3 firmware but we have a select few that we are testing at both hospitals with the newest firmware 1.4.1 and still same results.
    235  - 7925g phones.
    We have followed the 7925g setup & deployment guide, WLC Config Analyzer and made sure all checks were made.  The only setting we plan on testing this week is changing the CCKM authentication change which was recommended.  Currently we are WPA TKIP
    We have disabled the higher rates (36-54) on the 802.11a.
    We also have AirMagnet VoFi analyzer which is showing issues when roaming from AP.  The alarms indicate a one-way audio issue and points to the AP's and phones power not matching.  We have our Tx power level on the controller to automatic, Max Power Level at 30 dBm, Min. at -10 dBm, power Threshold at -70 (WLC Config Analyzer recommendation).  The phone TX Power is set at 8 dBm.  Call Power Save Mode has been tested with both None and U-APDS/PS-Poll.
    We have a case open with Cisco TAC and she has requested debugs from our controllers.  I have sent over 7 and she is not coming back with anything solid and not much help so far.
    Our tests between 802.11a and 802.11b/g (RSSI setting on phone Auto-a and Auto-bg) have shown better with the bg mode but still static and/or hissing.
    Any help would be greatly appreciated!  Thanks.

    Thanks!
    We finally had an awesome Cisco Engineer on our SR.  We straightened out the code and now have the correct 1.4.1.1.1.7 ES image and also configured CCKM.
    We are currently testing with about 20 phones before we deploy it to over 200 phones. 
    Below are the steps we took and so far the tests have resolved the issue.
    1. Downloaded & installed the 1.4.1.1.1.7 code on the 7925g's.
    2. Changed the Scan Mode on the device in Call Manager to 'continuous'
    3. On the Controllers, configured & implemented CCKM on the voice WLAN only.
    4.  Set the Radio Policy for the Voice WLAN to 802.11a only.
    5.  Only using channels 36, 40, 44, 48, 149, 153, 157, 161 on 802.11a
    6.  Disabled the 6,9,36,48 & 54 Mbps rates for 802.11a only
    7. Configured the phone with the new voice SSID with CCKM, Security Mode as EAP-Fast, & 802.11 Mode = Auto-a.
    We are following up with these test users next week so I will post if this fixes our issue.
    Thanks for all the assistance everyone!

  • Roaming issue - Layer 2 switch CAM table updates

    Hi,
    We have a setup with 2 WLC2500 and 10 1041 LAPs distributed across various sites (3 or 2 per site), using HREAP (local switching, central auth) and AP Groups for grouping the APs on each site.
    On one site everything works fine: roaming was done correctly, and the client could communicate immediately after the roaming process. But on another site we found that if we roam between the 2 APs, even though the client gets connected to the AP, it takes about 300 seconds (5 minutes) for the client to get traffic forwarding.
    Here I'm attaching the debug session for client and l2roam:
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Association received from mobile on AP 50:06:04:2a:4a:10
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying site-specific IPv6 override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying IPv6 Interface Policy for station 9c:02:98:8e:c6:5d - vlan 0, interface id 0, interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying site-specific override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d STA - rates (8): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d STA - rates (12): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Processing WPA IE type 221, length 22 for mobile 9c:02:98:8e:c6:5d
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d apfMsRunStateDec
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d apfMs1xStateDec
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Initializing policy
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Change state to AUTHCHECK (2) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) DHCP required on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1for this client
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:4a:10 from Associated to Associated
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d Sending Assoc Response to station on BSSID 50:06:04:2a:4a:10 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:4a:10 from Associated to Associated
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Creating a PKC PMKID Cache entry for station 9c:02:98:8e:c6:5d (RSN 0)
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Initiating WPA PSK to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d dot1x - moving mobile 9c:02:98:8e:c6:5d into Force Auth state
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Skipping EAP-Success to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Starting key exchange to mobile 9c:02:98:8e:c6:5d, data packets will be dropped
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Received EAPOL-key in PTK_START state (message 2) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.317: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d apfMs1xStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) DHCP required on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1for this client
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d apfMsRunStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d associated
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Reached PLUMBFASTPATH: from line 4918
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Key exchange done, data packets from mobile 9c:02:98:8e:c6:5d should be forwarded shortly
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
    *ccxL2RoamTask: Jun 13 11:27:59.376: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d has unsupported CCX version 0 in [l2roamProcessClientAssociation]
    *spamApTask1: Jun 13 11:27:59.418: 9c:02:98:8e:c6:5d Sent EAPOL-Key M5 for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *ccxL2RoamTask: Jun 13 11:28:16.823: Neighbor List for LRAD 50:06:04:2a:db:80,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *ccxL2RoamTask: Jun 13 11:28:47.441: Neighbor List for LRAD 50:06:04:2a:e0:40,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *ccxL2RoamTask: Jun 13 11:29:27.832: Neighbor List for LRAD 50:06:04:2a:db:80,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Reassociation received from mobile on AP 50:06:04:2a:db:80
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying site-specific IPv6 override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying IPv6 Interface Policy for station 9c:02:98:8e:c6:5d - vlan 0, interface id 0, interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying site-specific override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d STA - rates (8): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d STA - rates (12): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Processing WPA IE type 221, length 22 for mobile 9c:02:98:8e:c6:5d
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Deleted mobile LWAPP rule on AP [50:06:04:2a:4a:10]
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Updated location for station old AP 50:06:04:2a:4a:10-0, new AP 50:06:04:2a:db:80-0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfMsRunStateDec
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfMs1xStateDec
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Initializing policy
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Change state to AUTHCHECK (2) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) DHCP required on AP 50:06:04:2a:db:80 vapId 3 apVapId 1for this client
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:06:04:2a:db:80 vapId 3 apVapId 1
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:db:80 from Associated to Associated
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_3: Jun 13 11:29:32.376: 9c:02:98:8e:c6:5d Sending Assoc Response to station on BSSID 50:06:04:2a:db:80 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_3: Jun 13 11:29:32.376: 9c:02:98:8e:c6:5d apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:db:80 from Associated to Associated
    *apfMsConnTask_3: Jun 13 11:29:32.409: 9c:02:98:8e:c6:5d Updating AID for REAP AP Client 50:06:04:2a:db:80 - AID ===> 2
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d Creating a PKC PMKID Cache entry for station 9c:02:98:8e:c6:5d (RSN 0)
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d Initiating WPA PSK to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d dot1x - moving mobile 9c:02:98:8e:c6:5d into Force Auth state
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Skipping EAP-Success to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Starting key exchange to mobile 9c:02:98:8e:c6:5d, data packets will be dropped
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Received EAPOL-key in PTK_START state (message 2) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d apfMs1xStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) DHCP required on AP 50:06:04:2a:db:80 vapId 3 apVapId 1for this client
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 50:06:04:2a:db:80 vapId 3 apVapId 1
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d apfMsRunStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d associated
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Reached PLUMBFASTPATH: from line 4918
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Key exchange done, data packets from mobile 9c:02:98:8e:c6:5d should be forwarded shortly
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
    *ccxL2RoamTask: Jun 13 11:29:32.516: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d has unsupported CCX version 0 in [l2roamProcessClientAssociation]
    *spamApTask5: Jun 13 11:29:32.558: 9c:02:98:8e:c6:5d Sent EAPOL-Key M5 for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.601: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.601: 9c:02:98:8e:c6:5d Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mo

    Already checked everything you said, but no luck. I also checked on another site and found out that it could be a MAC learning/updating issue with HP ProCurve 2510 switches. When a client roams from AP1 to AP2, the MAC table entry for the client on the switch does not update to the port where AP2 is. After the mac-aging-time on the HP ProCurve switch ends, the MAC updates correctly and the traffic starts going fine. Any ideas on how I can deal with this issue? Any configuration help for the WLC controller or APs? The HP switches are configured as default (out-of-the-box).
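The EAPOL-Key exchange in the debug output above can be timed per client with a small parser, which also checks that the replay counter in the frames the controller sends keeps increasing. This is an added example, not part of the original post or any Cisco tooling; the function names and the placeholder year are assumptions, and the sample lines are a subset of the output quoted above.

```python
import re
from datetime import datetime, timedelta
# Subset of the debug lines from the post above.
SAMPLE = """\
*Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Received EAPOL-key in PTK_START state (message 2) from mobile 9c:02:98:8e:c6:5d
*Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
   state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 9c:02:98:8e:c6:5d
*Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Key exchange done, data packets from mobile 9c:02:98:8e:c6:5d should be forwarded shortly
*Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
   state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
"""
HEAD = re.compile(r"^\*\S+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
RX = re.compile(r"Received EAPOL-key in (\w+) state \(message (\d)\)")
CONT = re.compile(r"state (\w+) \(message (\d)[^)]*\), replay counter ([0-9a-f.]+)")

def parse(text):
    """Group EAPOL-Key events and the 'Key exchange done' time by client MAC."""
    clients, pending = {}, None
    for line in text.splitlines():
        head = HEAD.match(line.strip())
        if not head:
            cont = CONT.search(line)
            if cont and pending:  # second line of a "Sending EAPOL-Key" entry
                pending.update(state=cont[1], msg=int(cont[2]),
                               replay=int(cont[3].replace(".", ""), 16))
            pending = None
            continue
        ts, mac, msg = head.groups()
        # The log has no year; 2000 is a placeholder so deltas can be computed.
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")
        client = clients.setdefault(mac, {"events": [], "done": None})
        pending, rx = None, RX.search(msg)
        if rx:
            client["events"].append({"t": when, "dir": "rx", "state": rx[1], "msg": int(rx[2])})
        elif msg.startswith("Sending EAPOL-Key Message"):
            pending = {"t": when, "dir": "tx"}
            client["events"].append(pending)
        elif msg.startswith("Key exchange done"):
            client["done"] = when
    return clients

def summarize(client):
    """Message order, ms from first logged key frame to completion, replay check."""
    ev = client["events"]
    replays = [e["replay"] for e in ev if "replay" in e]
    ms = (client["done"] - ev[0]["t"]) / timedelta(milliseconds=1) if ev and client["done"] else None
    return {"messages": [(e["dir"], e.get("msg")) for e in ev], "handshake_ms": ms,
            "replay_increasing": all(a < b for a, b in zip(replays, replays[1:]))}
```

Run over a full capture, a gap of seconds between consecutive events for one MAC points at where the roam stalls, for example in the key exchange itself or before it.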

  • 1242ag and fast roaming. Possible?

    Equipment/Configuration:
    Controller 4402-25 (4.0.179.8)
    1242AG AP (3 currently operating)
    LWAPP Transfer Mode is Layer 3
    WPA2 Security
    -Warehouse/Manufacturing Environment-
    -Testing Phase-
    We have several mobile laptop users that need to access a SQL database and it is critical that a network connection is maintained when switching between access points.
    The problem we are currently having is that when roaming, the connection is briefly broken and some data packets are lost.
    We have tried different config and threshold changes but still same results.
    Any ideas would be appreciated.
    Thanks!
    Gary

    OK, that means MFP is globally disabled for the controller. That's good.
    I think at this point you have 2 options that may help, but neither is very pretty. We had almost identical issues, and after a lot of work with Intel and Cisco this is what it came down to:
    - Use Windows to manage the connection (or a third party supplicant such as Meetinghouse/Cisco client). This is ok for you since you are using PEAP, but it is not ideal if you like the Proset functionality.
    - Work with Intel (this may take weeks of pressuring your hardware vendor to get Intel engaged depending on your company size) and try to get some of their pre-release driver/proset bundles.
    We opted for using Windows to manage the wireless, and we have been pretty much rock solid. I cannot speak for the beta drivers, except to say we did still see some odd behavior for the few days we tried them.
    I think it is worth you testing one with Windows managing it to see if your problem goes away.
    As a side note, if you do that I suggest adding the WPA2 hotfix so you get the latest WPA support. The link is below:
    http://support.microsoft.com/kb/893357
    -Eric

  • Layer 3 roaming issue

    Hi all,
    I have two wireless networks with two subnets (see the attached drawing). All controllers run v4.2; the access point type is 1020.
    The first network, in hall 1, has 4 WLCs in subnet 172.16.40.X; the security is a WEP key for wireless phones.
    The second network, in hall two, has one WiSM in subnet 172.26.40.Y; the security is also a WEP key for wireless phones.
    All controllers and the WiSM are in the same Mobility group.
    The issue is that when a wireless phone roams from hall one to hall two, or from hall two to hall one, it drops the connection and does not work.
    Please advise.

    Examples :
    WLC1 has management as 192.168.1.2
    WLC2 has management as 192.168.1.3
    WLC1 has the SSID "employees" linked to interface "emp_int" which has ip 192.168.50.2
    WLC2 has the SSID "employees" linked to interface "employee_int" which has ip 192.168.80.2
    In this case, we have layer 3 roaming. Meaning that normally the client would need to change its ip from 192.168.50.x to 192.168.80.x but thanks to mobility anchoring mechanism, the WLC2 forwards all traffic back to WLC1 so that the client can keep its ip address in 192.168.50.x
    If the situation was that both employee interfaces were in the 192.168.50.x on both WLCs, then we would have layer 2 roaming. Meaning the client entry is simply moved to WLC2 and WLC2 handles all the traffic. WLC1 has nothing to do anymore with this client.
    Conclusion: the IP addresses of the management interfaces don't matter in deciding whether it's layer 2 or layer 3 roaming; it's the IP of the dynamic interface of the SSID that matters.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • IP Phone 7921 / 7925 roaming issues after WLC upgrade from Version 7.2 to 7.3 and / or 7.4

    Hi,
    We have a customer who is using a Cisco WLC 5508 and 3502I APs. While he used the 7.2.103 release, there were no issues with VoWLAN. Now he needed new APs and ordered the 2602I. To use them he needed to upgrade the WLC to a 7.3 or later release. After the upgrade, he now encounters problems while roaming with the phones. The phones were tested with FW 1.4.1, 1.4.2 and 1.4.3.
    Configuration is set according to the wireless voice design guides (VoWLAN DG 4.1, 7921 Deployment Guide). A Cisco TAC case is also in progress, but they seem to be uncertain whether it is a wireless or CUCM issue. I don't see a reason why it should be the CUCM when the only thing changed is the WLC software version.
    Is there anybody who is aware of such issues and can offer help?
    Thank you in advance.
    Best regards,
    Patrick

    Hi,
    We had a TAC ticket open with this customer, and after some time the TAC gave us the advice to use this release, and the problems are now solved.
    So for others having the same issue: If you only need to support the 2600 APs, stay with the latest 7.2 release as there are some issues with the 7.3 and 7.4 release. If the customer requires HA, AVC or any of the new features + wireless voice, be very careful as it seems that the newer releases are having problems with that. I hope that Cisco will fix this very soon.
    regards,
    Patrick

  • 802.1X authentication and roaming issues

    Hi there,
    About 2 days ago I installed one Cisco WCS 2504 and 11 APs. Everything is doing well regarding WEP authentication. But I have a Radius server that is also running, with some issues on wireless:
    - Unless I open network settings and click connect on that config I cannot obtain a valid IP Address;
    - Roaming is not working also;
    FYI the certificate (on radius) has expired
    TY

    Not all of these are RADIUS issues.
    - WPA2 WLAN still OK (144Mbit), but don't know when roaming works (how can I know/change these settings?);
    Look at the client adapter, as there is usually a roaming aggressiveness option on these devices. Play around with that.
    - Radius authenticated with 802.11 Data Encryption on 40 bits Key size connects always at 54Mbps (g) and auto authenticates, but don't know when roaming works (how can I know/change these settings?);
    802.11n only supports open authentication or WPA2/AES. WEP is not supported, so that's why you get up to 54Mbps.
    - Radius with 802.11 Data Encryption with none key size doesn't authenticate, connects at 144Mbit but doesn't acquire an IP address
    You have a configuration issue either in the WLC or the switch.

  • Windows 8 fast startup issues on X220

    Hi everyone - having some troubles with my X220 and Windows 8.1 and fast startup.
    It has been working flawlessly for a few months now with Windows 8 and an SSD but has recently decided it does not want to fast startup - every time I try and boot with the feature enabled the laptop immediately shuts off completely after the boot animation. On pressing the power button again the laptop boots 'normally' i.e. at 'normal' startup speed.
    I've tried disabling the feature, using the 'powercfg -h off' and 'powercfg -h on' commands to recreate hiberfil.sys and enabling it again, which worked at first but now it has started having the problem again and this no longer works.
    Anyone have any suggestions?
    ThinkPad X220i - first ThinkPad and won't be the last

    I may have found a 'solution' to this - I found the 'solution' posted by the OP here which was to re-enable the page file and bizarrely it seems to have worked. I am now having a new issue with fingerprint logon not logging me in when I use the reader to power the laptop on - I have to scan it again on the logon screen. Different issue though and I haven't tried any troubleshooting steps yet.
    I'm still not 100% sure this is working so if anyone has any input in the meantime it would be valued!
    ThinkPad X220i - first ThinkPad and won't be the last

  • What version of code will prevent Roaming Issues?

    I have three 1230G AP's in an Emergency Room environment and have wireless carts that move throughout the area. The Three APs are running 12.3(2)JA2, are on channels 1, 6, & 11, and the clients are using the Cisco 350 cards. Only WEP is enabled.
    We set up a constant ping to a device in the same subnet, and our problem occurs as we move the cart and it roams to a new AP: we get four "Destination not Found" errors every time, with each cart.
    We have enabled WDS and have even taken WEP off to ensure a trouble-free connection and it still occurs. Is this a result of the version of code they have on the AP's or the clients? Has anyone else had this experience?
    Thanks in advance for any insight.

    With Normal roaming what you are seeing is the expected behaviour. Try out fast secure roaming. For more information on this have a look at the following document, which explains what Fast Secure Roaming is and how it can be configured.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341d2d.html#wp1052156
