EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Group

Dear all,
WLC 7.4 Release Notes state that with both Local/Central Switching:
- Mobility in the same Flex Group with CCKM is Fast Roaming if the WLAN is mapped to the same VLAN
- Mobility between different Flex Groups with CCKM causes a Full Auth
Using CCKM with EAP-FAST during a call with Cisco IP Phone 7921G and 7925G we noticed a gap when roaming from an AP belonging to FC Group A to an AP belonging to FC Group B... so the only solution to do Fast Roaming is to use PMK (OKC), since CCKM will do a complete authentication each time when moving between FC Groups.
Where do we enable OKC for a specific WLAN? In the FlexConnect Group Menu?
Thanks a lot for sharing answers and suggestions
BR
O.G.

Hello Scott,
thanks for the explanation...
So if in 7.4.121 OKC is enabled by default, I don't understand why I'm having a full Authentication when roaming from an AP of FC Group A to an AP of FC Group B instead of Fast-Roaming... and this is happening in all FC Groups configured (6x).
Should I disable CCKM flag in the WLAN definition?!?!
FC Groups and Mobility
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc13
O.G

Similar Messages

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate the IP phone when I use the internal WLC RADIUS with an "eap-fast" profile.
    The error message I received in a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my ipphone !
    Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)
    Note2: When I use LEAP it is OK
    Note3: When I try with my PC to authenticate in eap-fast with the internal WLC radius, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes: 20 attempts * 2 minutes apart.
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • Inter-Controller and Inter-Subnet Roaming between WLC 4402 and 5508?

    Hi!
    Will it support roaming between WLC 5508 ver. 7.0 and WLC 4402 ver. 4.2?

    Here is the matrix for support of IRCM, but the answer is yes.
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp116668
    Sent from Cisco Technical Support iPhone App

  • 7920 roaming between two WLCs

    hi,
    - i have two WLCs 4404 and 4402 in the same mobility group and all connections seem to be ok.
    - one ssid for voip.
    - two 7920 phones
    when i roam between the WLCs i will lose the connection.
    What should i configure on the WLC??
    thx

    Are you doing L3 mobility?
    If so, I would configure the voice SSID for the same VLAN on both controllers to see if that works or not.
    Of course for the mobility group setup, you need the MAC and IP configured on each controller in that mobility group.
    Ensure that 3.02 is loaded on the 7920 phones.
    Would recommend 4.0.217.0 or later for the controller version.
    Refer to WLAN SRND for more info.
    http://www.cisco.com/univercd/cc/td/doc/solution/emblty30.pdf

  • ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

    Hi All,
    I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
    Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
    Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
    I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
    Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
    Thanks,
    Rob

    Hello,
    Did you find a guide for EAP-FAST with AD ?
    I'm facing the same problem, I can't make EAP-FAST working with AD Account,
    Thanks to you
    Regards,
    Gérald

  • Roaming between Flexconnect groups for scaling

    I have a customer that needs flexconnect at each of his 10 locations to access local servers and printers. The customer has a pair of 5508 WLCs running 7.6.130.0.
    While the customer currently has 25 and under AP count per site, they are considering an expansion to 50 - 60 per site.
    We are considering the mobility agent on 3650/3850/4500 switches, but the multi-hop restriction will drive the cost too high.
    What is the downside for defining multiple flexconnect groups per site?
    The customer is also considering Unified Communications. For example, would the voice RTP stream on a wireless IP phone roaming between APs on different flexconnect groups appear to be seamless?

    If you plan on utilizing any real-time applications such as voice, you would not want these devices to be roaming between FlexConnect Groups.  There will be a full re-authentication of the client; with the exception of OKC capable machines, which "may" roam more cleanly.  This means some standard data clients may perform a fast roam, or at least not notice much of a hiccup even with a full re-auth. 
    In either scenario, you would want to make sure this is NOT a L3 mobility roam (ie. FlexConnect WLAN/VLAN mapping to different networks).  This will cause major problems for all your clients as they will most likely end up talking on the new VLAN with their old IP address.
    Mobility / Roaming Scenarios          | Local Switching                              | Central Switching
                                          | CCKM         | PMK (OKC)    | Others        | CCKM      | PMK (OKC) | Others
    Mobility Between Same Flex Group      | Fast Roam(1) | Fast Roam(1) | Full Auth(1)  | Fast Roam | Fast Roam | Full Auth
    Mobility Between Different Flex Group | Full Auth(1) | Fast Roam(1) | Full Auth(1)  | Full Auth | Fast Roam | Full Auth
    Inter Controller Mobility             | N/A          | N/A          | N/A           | Full Auth | Fast Roam | Full Auth
    (1) Provided WLAN is mapped to the same VLAN (same subnet).

  • EAP-FAST - packets dropped/slow response times

    We currently have WLCs and 1131 LWAPs.  If a client is in one area (no roaming) and we carry out a constant ping, every minute a packet will either be dropped or have a huge response time (2000ms ish).
    This happens when using EAP-FAST.  If I configure the client to another SSID I have with PEAP over MSCHAP then this does not occur.
    Is there something inherent with EAP-FAST that anyone is aware of, or has anyone had this problem before?
    Thanks

    Hi Steve,
    I will make some assumptions and you tell me if they are correct:
    1. When you see the lost pings or high ms returns, the phone is idle and not in use, correct?
         * This is because the phone is "sleeping" to conserve battery life
         * If you kick off a call you will see the pings respond as normal (~150ms)
         * There is a mechanism called PSM (Power Save Mode). I don't want to make this a long-winded response. Simply google PSM or CAM 802.11.
    2. I don't think EAP is your issue and here is why:
         * EAP is an authentication protocol. Once authenticated you're set until you need to reauthenticate again.
         * Unless of course you have an issue whereby your client is always reauthenticating one right after another, then that's a different issue which isn't normal
    3. I suspect you have different DTIM settings perhaps on the different WLANs. Look under the advanced tab and look for DTIM .. see how that is set ..
    Oh btw -- if you find this helpful in any way, please, if you don't mind, take a second and rate the post. I would really appreciate it! Thanks bud!

  • How to improve client handover and roaming between AP's

    Improving client Handover and roaming between APs
    There are a few standards and methodologies available to use to improve handover of clients between APs. Most are focused on VOIP technologies, but it must always be remembered that we cannot control the client Handover (especially with legacy clients) we can only encourage them. Some Standards and methods work well for some environments and some do not - test the recommendations extensively before implementing in a live Production environment. It must also be noted that all settings take effect immediately once applied, however from a client perspective it might need to re-associate for the changes to take effect client side.
    As with everything else in IT, if a perfect method/solution existed there would only be one - try them all and keep the best.
    The Standards and Definitions
    802.11k
    IEEE 802.11k allows a device to quickly identify nearby APs that are available for roaming. When the signal strength of the current AP weakens and the device needs to roam to a new AP, it will already know the best candidate AP with which to connect.
    802.11r
    IEEE 802.11r specifies fast Basic Service Set (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources to occur in parallel.
    When a device roams from one AP to another on the same network, 802.11r streamlines the authentication process. BSS allows devices to associate with APs more quickly. Coupled with 802.11k's ability to quickly identify the target AP, BSS's faster association method may enhance application performance.
    Handoff Assist
    The AP monitors the RSSI for every associated client. If the RSSI for a specific client falls below "low-rssi-threshold" and continues to fall for the "rssi-falloff-wait-time", then the AP will send a de-auth to the client. 
    The de-auth is meant to kick the client away from the current AP and get it to re-authenticate to a nearby AP. This will have the effect of helping a client handover between 2 APs.
    BUT (Big But), if the client gets de-authed and takes a while to re-authenticate (if it even does re-authenticate automatically after a de-auth), then this will have the effect of destroying communication instead of helping it -- mostly found with legacy clients. 
    Remove Lower Transmit Rates
    Removing lower transmit rates is a way to promote better roaming, BUT not all clients respond well, or even respond to it. 
    The practice is that the basic rates are a subset of the transmit rates. If you only want to allow speeds 9 and up, you would select only the transmit rates of 9 and up, and the basic rates of 9 and 11. If a legacy client expects the rates of 1 and 2 it will not connect.
    Local Probe Threshold
    Local Probe Threshold prevents a client from connecting to an AP with too low a signal - it helps more with initial connection than with roaming.
    The local probe threshold parameter is not supposed to force clients to roam as soon as they pass near an access point with a good signal, but rather to NOT hold on to an access point with a weak signal (avoiding sticky clients).
    PMK Caching
    Defined by 802.11i, PMK caching is a technique available for authentication between a single AP and a station. If a station has authenticated to an AP, roams away from that AP, and comes back, it does not need to perform a full authentication exchange. Only the 802.11i 4-way handshake is performed to establish transient encryption keys.
    Opportunistic Key Caching (OKC)
    OKC is a similar technique to PMK caching, but not defined by 802.11i, for authentication between multiple APs in a network where those APs are under common administrative control. An Aruba deployment with multiple APs under the control of a single controller is one such example. Using OKC, a station roaming to any AP in the network will not have to complete a full authentication exchange, but will instead just perform the 4-way handshake to establish transient encryption keys.
    Implementation and Configuration
    802.11k
    802.11k is configured in your VAP profile. Tick the option to "Advertise 802.11k". Thereafter set the Handover Trigger Feature Settings.
    Tick "Enable Handover Trigger feature" and then set the RSSI threshold by specifying the -dBm level at which the handover trigger should be sent to the client.
    802.11r
    802.11r is configured under the SSID of your VAP profile. Tick the option to "Advertise 802.11r".
    Handoff Assist
    Station Handoff Assist is enabled in RF Optimization under the RF Management section of AP configuration.
    Tick the "Station Handoff Assist" option to enable it, then set the Low RSSI Threshold - the threshold determines above what level no deauth gets sent.
    Lower Transmit Rates
    Transmit rates can be adjusted in the Advanced tab of SSID under your VAP profile.
    Remember that the basic rates are a subset of the transmit rates. If you only want to allow speeds 9 and up, you would select only the transmit rates of 9 and up, and the basic rates of 9 and 11.
    Local Probe threshold
    Local Probe threshold can be adjusted in the advanced tab of SSID under your VAP profile.
    Depending on the density of your APs consider values between 20 and 40 -- 40 being aggressive in an AP dense area.
    Deny Broadcast Probes
    Denying Broadcast Probes can cause problems with Roaming especially if the SSID is hidden – leave option disabled.
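    The PMK caching and OKC behaviour described in the post can be traced with a small simulation. This is added example code written for this page, not the poster's or any vendor's code: the MAC addresses are constructed, the EAP exchange with the authentication server is replaced by a stand-in that hands both sides a fresh PMK, and the PMKID is computed as 802.11i defines it (HMAC-SHA1-128 over "PMK Name", the AP address and the station address).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

FAST = "4-way handshake only (fast roam)"
FULL = "full 802.1X/EAP authentication"

# Constructed MAC addresses (not from the original post).
STA_MAC = bytes.fromhex("442b035500aa")                                     # supplicant address (SPA)
AP_A, AP_B, AP_C = (bytes.fromhex("44add96178%02x" % i) for i in (0x25, 0x26, 0x27))  # authenticator addresses (AA)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


@dataclass
class Station:
    mac: bytes
    okc: bool                                  # does the supplicant attempt opportunistic key caching?
    pmks: dict = field(default_factory=dict)   # PMK caching: AA -> PMK established with that very AP
    current_pmk: bytes = b""

    def advertised_pmkid(self, target_aa: bytes):
        """PMKID carried in the RSN IE of the (Re)Association Request, or None for a full auth."""
        if target_aa in self.pmks:             # plain PMK caching: only for an AP we already authenticated to
            return pmkid(self.pmks[target_aa], target_aa, self.mac)
        if self.okc and self.current_pmk:      # OKC: reuse the current PMK, bound to the new AP's address
            return pmkid(self.current_pmk, target_aa, self.mac)
        return None


@dataclass
class AccessPoint:
    bssid: bytes
    pmksa: dict = field(default_factory=dict)  # PMKSA cache: PMKID -> PMK

    def learn_pmk(self, pmk: bytes, spa: bytes) -> None:
        self.pmksa[pmkid(pmk, self.bssid, spa)] = pmk

    def handle_reassoc(self, advertised_pmkid) -> str:
        # A PMKID the AP can resolve lets it skip EAP and go straight to the 4-way handshake.
        return FAST if advertised_pmkid in self.pmksa else FULL


class Controller:
    def __init__(self, okc: bool):
        self.okc = okc
        self.aps = {aa: AccessPoint(aa) for aa in (AP_A, AP_B, AP_C)}
        self.auth_count = 0

    def full_eap_auth(self, sta: Station, ap: AccessPoint) -> None:
        """Stand-in for the EAP exchange with the AS: both sides end up with a fresh PMK (constructed)."""
        self.auth_count += 1
        pmk = hashlib.sha256(b"constructed-MSK-%d" % self.auth_count).digest()
        sta.pmks[ap.bssid] = pmk
        sta.current_pmk = pmk
        # With OKC the controller distributes the PMK to every AP under its control;
        # with plain PMK caching only the AP that performed the authentication holds it.
        for target in (self.aps.values() if self.okc else (ap,)):
            target.learn_pmk(pmk, sta.mac)

    def associate(self, sta: Station, target_aa: bytes) -> str:
        ap = self.aps[target_aa]
        outcome = ap.handle_reassoc(sta.advertised_pmkid(target_aa))
        if outcome == FULL:
            self.full_eap_auth(sta, ap)
        return outcome


def roam_sequence(okc: bool) -> list:
    """Associate to AP A, then roam A -> B -> A -> C; returns the outcome of each roam."""
    wlc = Controller(okc)
    sta = Station(STA_MAC, okc)
    wlc.associate(sta, AP_A)                   # first association is always a full authentication
    return [wlc.associate(sta, aa) for aa in (AP_B, AP_A, AP_C)]


if __name__ == "__main__":
    for mode in (False, True):
        print("OKC" if mode else "PMK caching only", "->", roam_sequence(mode))
```

    With PMK caching alone only the return to AP A is a fast roam; with OKC every hop is, because each AP can resolve the PMKID the station computes for it.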

    Hi, thank you for the helpful guidance.  I have a basic question: if the device roams from one AP to another AP with the same SSID, is there a need for re-authentication given a) the network uses EAP based authentication; b) the network uses MAC address authentication?   If there is no need for EAP re-authentication, how are the 802.11 keys moved to the new AP?  Thank you very much if you could help me clarify my thought.

  • Roaming Between AP Groups?

    We have a site where we're running 7.6.110 WLC code with a mix of APs from 1242s to 3700s. Globally all data rates, including 1 Mbps, are enabled, and we have a number of SSIDs. No bueno.
    To help with channel utilization, we created (as per TAC's guidance) an AP group and RF profile that disabled some of the low rates, then placed some APs into said group. The SSIDs and interfaces are the same between all the AP groups, so there's never any inter-controller or L3 roaming.
    Unfortunately it appears that if a 7925g hears an AP in the group and another AP in the default group with different rate sets, it fails to associate properly to either. Visibly the wireless symbol goes all the way to crossed out, and in the neighbor list you can tell that it's cycling through channels fruitlessly. Controller debugs show association failure due to rates, code 18. TAC now says that all APs that can hear each other must have the same data rate settings (i.e. all APs between which one might ever roam must be in the same RF profile.)
    Is there any documentation or guidance about this? Is it the mandatory rates that are the issue, or does any mismatch cause this? Is there any way to restrict the low data rates of some APs in denser areas while leaving the same rates enabled in less dense areas and still have roaming with 7925s?

    A capture would be nice, we might see about trying to get one. The problem partially is knowing which AP the phone is trying to associate to. We've seen it be well within range of half a dozen APs, and fail to associate to any of them for 15-30 seconds, then associate to one at -71 dBm when there's a -40 dBm one available.
    The Beacon Interval for most APs in the 7925g site survey is listed as 100ms, but for some it's 102ms; the phone specifically points this out as being "not recommended." I've been told that this is in fact expected behavior and not a problem.
    7.6.130.0 suggests a FUS upgrade from what we have and won't pre-load with 1242s, so that upgrade is going to be a bit more challenging.
    This is what we saw from the client debug on the WLC:
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx STA - rates (0): 140 18 24 36 48 72 96 108 108 72 96 108 0 0 0 0
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx suppRates  statusCode is 18 and gotSuppRatesElement is 0
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx STA - rates (4): 152 48 96 108 48 72 96 108 108 72 96 108 0 0 0 0
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx extSuppRates  statusCode is 18 and gotExtSuppRatesElement is 0
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx Sending Assoc Response to station on BSSID 44:ad:d9:61:78:25 (status denied rates) ApVapId 6 Slot 0
    *apfMsConnTask_1: Oct 27 13:11:07.126: 44:2b:03:55:xx:xx Scheduling deletion of Mobile Station:  (callerId: 84) in 1 seconds
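    The "status denied rates" / status code 18 outcome in the debug above is the AP-side check that every basic (mandatory) rate of the BSS appears in the client's Supported Rates. The following is added example code for this page, not the poster's or Cisco's: it takes the rate bytes from the debug line as the station's Supported Rates element (an assumption about what the debug prints), runs the basic-rate check against two constructed AP-group rate plans, and lists the basic rates that differ between the groups, which is the mismatch TAC's guidance is about.

```python
BASIC_FLAG = 0x80               # MSB of a Supported Rates byte: rate belongs to the BSS basic (mandatory) set
STATUS_UNSUPPORTED_RATES = 18   # 802.11 status code: requesting STA does not support all basic rates

# Rate bytes as printed by the WLC client debug in the post above, interpreted here (assumption) as
# the raw Supported Rates element of the phone's Association Request; trailing zeros are buffer padding.
STA_RATE_BYTES = [140, 18, 24, 36, 48, 72, 96, 108, 108, 72, 96, 108, 0, 0, 0, 0]

# Constructed AP-group rate plans (not the poster's configuration): one group still advertising the
# 802.11b rates as mandatory, one RF profile that dropped them and made 12/24 Mbps mandatory instead.
AP_GROUPS = {
    "default-group": {"basic": {1, 2, 5.5, 11},
                      "supported": {1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54}},
    "dense-rf-profile": {"basic": {12, 24},
                         "supported": {12, 18, 24, 36, 48, 54}},
}


def decode_rates(values):
    """Decode Supported Rates bytes into (rate_mbps, is_basic); the low 7 bits are in 500 kbps units."""
    return [((v & 0x7F) / 2, bool(v & BASIC_FLAG)) for v in values if v != 0]


def sta_rate_set(values):
    """Distinct rates the station advertises, regardless of the basic flag."""
    return {rate for rate, _ in decode_rates(values)}


def check_association(sta_rate_bytes, group):
    """Mimic the AP-side rate check: every AP basic rate must be in the STA's rate set.
    Returns (status_code, detail); detail is the missing basic rates on failure and the
    usable common rates on success."""
    sta_rates = sta_rate_set(sta_rate_bytes)
    missing = sorted(group["basic"] - sta_rates)
    if missing:
        return STATUS_UNSUPPORTED_RATES, missing
    return 0, sorted(sta_rates & group["supported"])


def basic_rate_mismatch(groups):
    """Basic rates mandatory in one AP group but not in another. A client whose rate set only
    satisfies one group will be denied (status 18) when it tries the other's APs."""
    all_basic = [g["basic"] for g in groups.values()]
    shared = set.intersection(*all_basic)
    return sorted(set.union(*all_basic) - shared)


if __name__ == "__main__":
    for name, group in AP_GROUPS.items():
        print(name, check_association(STA_RATE_BYTES, group))
    print("basic rates that differ between groups:", basic_rate_mismatch(AP_GROUPS))
```

    The debug bytes decode to 6 (basic), 9, 12, 18, 24, 36, 48 and 54 Mbps, so the station passes the constructed OFDM-only profile but is denied with status 18 by a group that still mandates 1/2/5.5/11 Mbps.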

  • EAP-FAST, local Authentication and PAC provisioning

    Hi everybody,
    I have a little understanding problem with the deployment of EAP-FAST.
    So here's the deal:
    I want to deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
    When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
    Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
    But - I have doubts regarding automatic provisioning of PACs. From my understanding Phase 0 is just performed with MS-CHAPv2, which is dictionary-attackable. Furthermore a MITM attack could be possible during Phase 0.
    Would server sided certificates resolve my concerns here?
    I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
    Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
    Thanks in advance!

  • IPad's Roaming Between Access Points

    A company with 460 Cisco Access Points is using iPad Minis to control lighting and other things. The iPad Minis are roaming between access points VERY SLOWLY; they are dropping 45-50 packets between roams. iPad 2s and iPhones are roaming just fine; if they drop any packets it's a max of 5.
    Is there any difference in the NICs that are in iPad 2s and iPad Minis? Or is there a setting for fast roaming?

    Hi,
    It seems that these APs are not aware of each other. I would suggest you look into a controller based solution, meaning you need some sort of controller based AP system to get this seamless roaming feature. I also suggest you check whether there's a compatibility issue for the device with the product vendor.
    Yolanda Zhu
    TechNet Community Support

  • Roaming between 4400 and 5500 controllers

    Hi, we are planning to do an AP migration, but there is a doubt about this.
    Currently we have a 4402 controller with 1120 APs, both of which are marked as EoL products. We want to move to the new 2600 APs and 5508 Controller for increased signal coverage, but we have the following issues:
    Last firmware for 4402 controller is 7.0
    Firmware needed for 5508 to support 2600 APs is 7.3
    Is it possible to configure mobility between 4402 and 5508 even with different firmware branch?

    Inter-Release Controller Mobility (IRCM)
    Table 10 lists the inter-release Controller Mobility (IRCM) compatibility matrix.
    Table 10     Inter-Release Controller Mobility Compatibility Matrix
    Release columns: 4.2.x.x | 5.0.x.x | 5.1.x.x | 6.0.x.x | 7.0.x.x | 7.2.x.x | 7.3.x.x
    CUWN Service                              Support marks
    Layer 2 and Layer 3 Roaming               X X X X X
    Guest Access/Termination                  X X X X X X X
    Rogue Detection                           X X X X X
    Fast Roaming (CCKM) in a mobility group   X X X X X
    Location Services                         X X X X X
    Radio Resource Management (RRM)           X X X - (1)
    Management Frame Protection (MFP)         X X X X X
    AP Failover                               X X X X X
    (1) In the 7.2.x.x release, RF Groups and Profiles were introduced. RRM for 7.2.x.x and later releases is not compatible with RRM for any previous release.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

  • Eap-fast and cckm

    Is it possible to use EAP-FAST authentication with CCKM on a 7920 phone with a WLC?
    It is working when configuring 802.1x and wep 104 bits on controller but it does not work with wpa1+wpa2.

    If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but may want to decrease or increase based on company's security policy. Also with CCKM, this will help when roaming with an expired PAC, otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.

  • ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

    Just a question surrounding EAP-FAST chaining (EAP-TLS inner) and the ability to authorize the username in the CN field of the certificate against AD. As an example, for standard EAP-TLS I am able to specify that the username should be in a specific AD group. With EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

    I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
    In my deployment I am using a single SSID with the following protocols:
    EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
    EAP-TLS Machine Certs - Certs deployed via AD GPO
    EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
    EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
    My certificate profile, created in ISE, utilised the CN field in the subject for the principal username. This configuration works fine for machine certs and user certificates generated via ISE, as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc. utilise the AD CN, which as I understand cannot be used to ascertain group membership in AD.
    The solution seemed obvious - create a new cert profile that utilises the SAN field of the certificate, which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
    I figured that a failure to match the first authentication policy (based on not matching an allowed protocol) would then carry on to the next authentication policy, allowing me to specify a different cert profile - again no dice, as the first policy is matched on the wireless 802.1x condition but EAP-FAST was not specified as an allowed protocol and it fails.
    The way around this was, luckily in my mind, that I now match the wireless 802.1x condition and Network Access Type:EAP-Chaining, which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS, which specifies the CN cert profile.
    I know this explanation is long-winded and perhaps obvious to some, so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have searched with no result on this topic. So, has anyone implemented Cisco ISE authentication with EAP-FAST and PAC provisioning?
    I ask because I have an issue with an internal proxy: users are required to authenticate with an internal proxy before being granted access to the internet.
    If you have any documents, it would be appreciated for me.
    Thanks,
    Pongsatorn

    From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
    Is that what you are trying to get clarification on?
    Basically EAP-FAST PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App