Flexconnect Roaming

Good Afternoon,
I had a quick question about roaming with Flex Connect AP's. Looking at this article:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml
As far as mobility/roaming is concerned, what do they mean by Fast Roam and Full Auth? Does Full Auth indicate that the clients do not essentially roam and that they will reauthenticate to the new AP?
Also, looking at the Client Roaming setting in the WLC 5508 (running 7.2.111.3), does it only pertain to CCX enabled devices, or are these settings to configure roaming for non CCX devices as well?
I just noticed we have high density on one of our AP's in an office and it does not seem like clients are moving over to other AP's with stronger signal, etc.

Stephen Rodriguez wrote: Fast Roam would be the 4-way handshake with the PMKID.
* Does this mean that the clients would see little if any interruptions when roaming to another AP?
Full Auth would be that credentials get passed back to the AAA server.
* Does this entail that the users would see interruptions in communication?
Most of the 'Client Roaming' is CCX, the device has to understand what is being passed between the WLC and itself. And I can't think of a time that I've actually had to change those parameters.
* Without modifying these, at what threshold does the client roam to another AP within the same mobility group (controller)? These are currently in FlexConnect mode for us too.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • Best Practice for FlexConnect Wireless roaming in MediaNet environment?

    Hello!
    Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
    In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
    So...best practice for LAN users causes real problems for wireless users.
    I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
    We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
    Thanks,
    Deb

    Thanks for your replies, Stephen and JSnyder.
    The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites. 
    These several large sites (with a few hundred wireless users per site), are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider).  The 7510s are new, and are replacing older contollers at the HQ location. 
    The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
    (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
    (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
    So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
    The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
    Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
    Thanks again for taking the time and trouble to reply!
    Deb

  • EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Group

    Dear all,
    WLC 7.4 Release Notes states that with both Local/Central Switching:
    - Mobility in the same Flex Group with CCKM is Fast Roaming if WLAN is mapped to same VLAN
    - Mobility between different Flex Group with CCKM cause a Full Auth
    Using CCKM with EAP-FAST during a call with Cisco IP Phone 7921G and 7925G we notice a gap when roaming from an AP belonging to FC Group A to an AP belonging to FC Group B...so the only solution to do Fast Roaming is to use PMK (OKC), since CCKM will do a complete authentication each time when moving between FC Groups.
    Where do we enable OKC for a specific WLAN? In the FlexConnect Group Menu?
    Thanks a lot for sharing answer and suggestion
    BR
    O.G.

    Hello Scott,
    thanks for the explanation...
    So if in 7.4.121 OKC is enabled by default I don't understand why I'm having a full Authentication when roaming from AP of FC Group A to AP to FC Group B instead of Fast-Roaming...and this is happening in all FC Group configured (6x).
    Should I disable CCKM flag in the WLAN definition?!?!
    FC Groups and Mobility
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc13
    O.G

  • WLC L3 Roaming Using FlexConnect

    Hi everyone.
    A customer has a network with several buildings (each with a different VLAN/subnet), and a single WLC.
    The Access Points are grouped by AP groups, and on each building the clients are assigned to different VLANs.
    There is one single SSID with the users connect to on the entire campus, and it assigns (as expected) different ip address segments depending on which building the users are connecting into.
    The problem comes whenever a user is in a building and walks to another, since the buildings are not that far from each other, and the client machine is still connected to the network, it tries to roam but it doesn't know that it has to refresh its IP address.
    I know there's something that is not working here, but I can't find documentation about this. Is this a supported configuration? Is this an expected behaviour? How can I fix this?
    Thanks in advance for your help

    If you are using FlexConnect Local switching, then L3 roaming is an unsupported feature.
    Here is some reference in the 7.6 configuration guide (see configuring FlexConnect section or page 926)
    http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76.pdf
    Here is another good reference about FlexConnect Design from a CiscoLive presentation.
    BRKEWN-2016 - Architecting Network for Branch Offices with CUWN
    As you can see on page 9, these are the advantages you get if you have a local WLC at your branch; L3 roaming is one of them:
    * Cookie cutter configuration for every branch site 
    * Layer-3 roaming within the branch 
    * WGB support 
    * Reliable Multicast (filtering) 
    * IPv6 L3 Mobility 
    HTH
    Rasika
    **** Pls rate all useful responses. Each time you rate a response Cisco will donate $1 to Kiva ****

  • Roaming between Flexconnect groups for scaling

    I have a customer that needs flexconnect at each of his 10 locations to access local servers and printers. The customer has a pair of 5508 WLCs running 7.6.130.0.
    While the customer currently has 25 and under AP count per site, they are considering an expansion to 50 - 60 per site.
    We are considering the mobility agent on 3650/3850/4500 switches, but the multi-hop restriction will drive the cost too high.
    What is the downside for defining multiple flexconnect groups per site?
    The customer is also considering Unified Communications. For example, would the voice RTP stream on a wireless IP phone roaming between APs on different flexconnect groups appear to be seamless?

    If you plan on utilizing any real-time applications such as voice, you would not want these devices to be roaming between FlexConnect Groups.  There will be a full re-authentication of the client; with the exception of OKC capable machines, which "may" roam more cleanly.  This means some standard data clients may perform a fast roam, or at least not notice much of a hiccup even with a full re-auth. 
    In either scenario, you would want to make sure this is NOT a L3 mobility roam (ie. FlexConnect WLAN/VLAN mapping to different networks).  This will cause major problems for all your clients as they will most likely end up talking on the new VLAN with their old IP address.
    Mobility / Roaming Scenarios
    WLAN Configuration                    | Local Switching                          | Central Switching
                                          | CCKM         | PMK (OKC)    | Others       | CCKM      | PMK (OKC) | Others
    Mobility Between Same Flex Group      | Fast Roam(1) | Fast Roam(1) | Full Auth(1) | Fast Roam | Fast Roam | Full Auth
    Mobility Between Different Flex Group | Full Auth(1) | Fast Roam(1) | Full Auth(1) | Full Auth | Fast Roam | Full Auth
    Inter Controller Mobility             | N/A          | N/A          | N/A          | Full Auth | Fast Roam | Full Auth
    (1) Provided WLAN is mapped to the same VLAN (same subnet).

  • What is the advantages of using Flexconnect groups

    What are the advantages of using Flexconnect groups in WLC?
    Reg,
    Ezra.

    Pls refer this document for more detail about these features
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1091114
    FlexConnect is one mode an AP can operate in, typically deployed in a branch setup where you do not have a controller at the branch site. Those APs can register to a controller at your HQ or main site, so traffic will terminate at your branch switch instead of being tunnelled back to the HQ WLC.
    If you want roaming within your branch FlexConnect APs then you have to put those APs into a FlexConnect Group. Only then is key information shared among those APs to facilitate fast roaming.
    Pls do not forget to rate our responses if you find them useful.
    HTH
    Rasika

  • Local vs flexconnect which is better for throughput

    We have 190 APs in two buildings on the same campus connected to 2 5508 controllers.  Would it be better to put these APs in flexconnect mode with local switching?  My thought is that traffic would be better to have traffic switched at either the access switches on each floor or the main switches for each building rather than traveling back to the core, through the controllers and then to its destination.

    I understand that's what the documentation says (and keep hearing repeated without any clarification) but surely it all depends on your situation.
    Take this example for instance:
    - A 500-seat campus broken into 4 buildings
    - AP's managed by a HA-pair of 5508's in two DC's (10Gbps ring < 5ms), one DC on the main campus, connected by 6 x 1Gbps EtherChannel
    - Less than 25 AP's per building
    Surely the only issue then if we used FlexConnect local switching for a WLAN for Corporate PC's would be roaming. That isn't really much of a problem for PC's - who really wanders around a campus with their laptop open wanting persistent connection between sitting down?
    If you have multiple 802.11ac clients connecting to 3702 AP's that 6Gbps bottleneck is going to be saturated fairly quickly.
    As far as I can see FlexConnect groups are limited to 25 AP's but again that's not a huge issue given the usage case.
    For mobile devices (tablets, phones) and guest access then you can still use central switching.

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is the latest version. Has someone used WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
    Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot:)
    For radius vlan attributes, both ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google.... A lot of examples out there
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep their IP address even if he or she roams to the 12th floor, as long as he or she didn't lose wireless connection.
    FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App
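The three RFC 2868 attributes described above, as an added example (not code from this thread or from Cisco): a small Python encoder and parser for Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81), so a RADIUS Access-Accept can be checked for a complete VLAN assignment. All attribute bytes are constructed here, not captured from a real server.

```python
# Added example: build and parse the RFC 2868 tunnel attributes a WLC expects
# for dynamic VLAN assignment. All bytes are constructed, not captured.
import struct
from typing import Optional

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"


def _avp(attr_type: int, value: bytes) -> bytes:
    # Generic RADIUS AVP: Type (1 byte), Length (1 byte, header included), Value.
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    # RFC 2868 tagged integer: Tag (0x00-0x1F, 0x00 = unused) + 24-bit value.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer must fit in 24 bits")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, value: str, tag: int = 0) -> bytes:
    # RFC 2868 tagged string: Tag byte followed by the text (VLAN id or name).
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return _avp(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_assignment_avps(vlan: str, tag: int = 0) -> bytes:
    """Encode the triple from the reply above: 64=13, 65=6, 81=<VLAN>."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def parse_avps(data: bytes) -> list:
    """Split raw attribute bytes into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad AVP length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def _string_tag(value: bytes):
    # RFC 2868: for string attributes a leading byte above 0x1F is not a tag
    # but the first character of the string; tag 0x00 means "unused".
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data: bytes) -> Optional[str]:
    """Return the VLAN a complete 64/65/81 triple assigns, or None.

    Attributes are grouped by tag so several tunnel triples can coexist; an
    incomplete triple (e.g. attribute 81 missing) assigns nothing.
    """
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            groups.setdefault(tag, {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = _string_tag(value)
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for entry in groups.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[TUNNEL_PRIVATE_GROUP_ID]
    return None
```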

  • Roaming between WLC and vWLC on different code versions

    Hi,
    I have the following setup in our environment, a HA 5508 pair running 7.4.100 and a vWLC running 7.6.130.  I have mobility setup between the two with the control and data path up and running.  All the access points are setup for FlexConnect.
    When I join an SSID using PSK on an AP associated with the vWLC and then roam to an AP on the 5508, I drop a few pings but stay connected no problem.  However when I join an SSID using PEAP (both WLC's using Radius to Cisco ISE 1.2 for this) and repeat the test, my client actually drops my wireless connection and then rejoins.
    Is this expected behaviour when running controllers on different versions?  This is only temporary until I upgrade the 5508 pair.
    Cheers
    Brian

    Oh... Forgot.  With FlexConnect, you also want to create FlexConnect Groups.  See this link:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001111.html
    -Scott

  • Wireless roaming in different networks

    Hello,
    In wireless networks, if we have two different networks with the same SSID and we pass from one network to another network, will the client change the IP network automatically, or do we need to disconnect and connect again to request another IP?
    I would like to know this information for FlexConnect and local mode.
    Thank you.
    Best Regards
    Cristiano Nunes.

    Hello Cristiano,
    You don't need to disconnect and connect again if you have Layer-3 Roaming enabled.
    To configure Layer 3 Mobility, the following requisites should be considered.
    SSID and security policies should be same across MAs.
    Client VLAN ID should be different for Layer 3 roaming.
    Either one or both of the bridge domain ID and client VLAN ID should be different for Layer 3 Roaming.
    Please find the attached topology for better understanding.
    Regards,
    Moin Ilyas.

  • 5508 WLC HA pair and layer 3 roaming

    Hey,
    We have a pair of 5508 WLC's configured in HA (primary/standby). We have a single SSID that we're broadcasting across each floor of our head office. The AP's are in flexconnect mode so users pickup an IP address from the DHCP range for that building level and that's all working well. 
    The problem I have is that users cannot roam between floors without losing access to the network. They roam to the AP's on the different floors, and maintain wireless connection throughout the building, but they cannot connect to anything on the network when outside of the floor that contains an IP range that matches the client's IP. I was told by a number of technical consultants that this sort of layer 3 roaming should work in this configuration. When users go to a different floor, they retain their original IP and the traffic is tunneled (EOIP) back to the controller to maintain network connectivity, however this does not appear to be happening. 
    Firstly I'm wondering if this is possible with a HA pair configured in active/standby. All of the documentation around layer 3 roaming seems to involve at least 2 controllers, the foreign and the anchor. In this case, as they're a HA pair, there is technically only a single controller.
    If it is possible to do layer 3 roaming on a single controller (intra-controller), if anyone can provide some guidance on things I should be checking or looking out for that would be appreciated. 
    Thanks. 

    Still though, I had a number of technical consultants from a very large system integrator design this setup and despite my asking a number of times how this roaming could work I was simply told it would.
    ROFL!
    We contracted a consulting company/implementors to do a wireless job (back in 2011) for a particular project (politics dictate I stay away from it).  They had one "wireless expert".
    Then one day, I got a call from the "wireless expert" and the phone conversation went like this, "It's me.  I am doing another wireless project for another agency.  But I would like to know how do you convert an autonomous AP to controller-based IOS".   <FACEPALM>
    Long story short:  They won't know.  Not all of them know.  Their main concern is YOUR MONEY in their hands.  That's all.  But I can tell you this:  I am the end user.  I configure stuff.  Roaming works if you get the basics correct.  Roaming works if you know what you want and you get it done right.   Scott Fella and Steve Rodriguez, two regulars in this forum (and they work for CDW), are good.  There's another "mad Texan" by the name of George Stefanick.    An Aussie by the name of Rasika is also around.
    The most basic item in roaming is how you space your APs.  Unless you've got wireless antennas coming out of your ears, you need to organize a wireless site survey.  And when you want to do a "good" wireless site survey, you "future proof" your requirements.  Right now,  my wireless site survey is aimed at "wireless VoIP" requirement.

  • Multicast client on flexconnect AP

    Hi !
    Is it possible for a client connected to a flexconnect AP to use multicast ?
    How do I enable that ? Will it be enough to enable Multicast VLAN on the SSID ?
    Apparently it does not work in default settings.
    My controller has no connection to the VLAN my customer uses for their clients. It is a pure FlexConnect solution where the WLC only handles management of the access points.
    Mats Karlsson

    Hi, Saravanan
    The problem we faced is that Mac unable to discover printer via wireless LAN. Packet capture show that Mac2 sends MDNS query to 224.0.0.251 and printer sends MDNS reply to 224.0.0.251. But reply from printer is not coming to Mac2.
    Yes, all devices are in the same vlan (vlan 199), see topology enclosed. Vlan 199 is also allowed on all trunks from LAP to WLC. Currently IGMP snooping and multicast routing are disabled on all switches.
    WLC also have dynamic interface in vlan 199. AP manager interface is in vlan 101 and LAP BVI in vlan 124. Vlans 101 and 124 are being routed through L3 switch.
    Show wlan from WLC
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... wg-office-lan-201
    Network Name (SSID).............................. wg-office
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 62
    Exclusionlist.................................... Disabled
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ office-wifi
    --More-- or (q)uit
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Disabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    --More-- or (q)uit
       Authentication................................ 10.128.0.101 1812
       Accounting.................................... 10.128.0.101 1813
          Interim Update............................. Disabled
       Dynamic Interface............................. Enabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Enabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
          FT Reassociation Timeout................... 20
    --More-- or (q)uit
          FT Over-The-DS mode........................ Enabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
          CCKM TSF Tolerance......................... 1000
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Enabled
       FlexConnect Local Authentication.............. Enabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Disabled
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Band Select...................................... Disabled
    --More-- or (q)uit
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
      Access Network type............................ Not configured
      Network Authentication type.................... Not configured
      Internet service............................... Disabled
      HESSID......................................... 00:00:00:00:00:00
    Hotspot 2.0.................................... Disabled
      WAN Metrics configuration
        Link status.................................. 0
        Link symmetry................................ 0
        Downlink speed............................... 0
        Uplink speed................................. 0
    Mobility Services Advertisement Protocol....... Disabled
    Saravanan Lakshmanan wrote: With local switching, multicast traffic is still multicast when it hits the AP from the wired infrastructure; the AP encapsulates it in unicast directed to the requesting client on that ssid/vlan.
    Do you mean that the client actually receives a unicast packet with encapsulated multicast? But does it expect such a packet from the AP?
    Thanks
    BR, Ruslan

  • Wireless FlexConnect Group

    Hi folks,
    Due to a wifi 802.1x implementation, our customer decided to implement CCKM for fast roaming of Cisco 7925 wifi phones.
    At the same time the customer has a headquarters and about 300 remote sites, all of which implement FlexConnect technology with local switching.
    For every site he has a 5508 WLC with ver 7.4, and a 5508 in the headquarters as well acting as a backup WLC for remote sites.
    Using FlexConnect and CCKM for remote sites requires FlexConnect Grouping.
    From Release Notes
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#wp1241304
    I've noted there is some limit for this configuration that I'd like to be confirmed:
    1) 25 APs for FlexConnect group -> true for 5508 WLC?
    2) 100 FC Group for 5508 -> is still true in ver 7.4 or higher?
    Third question:
    I'd like to implement PMK/OKC instead of CCKM. How can I do it? I'm missing the configuration in the GUI menus.
    Last question: How can I resolve the FlexConnect Group limit in my headquarters, given that I have more than 100 groups to create? Is it really necessary to add a new 5508? No other way?
    Thanks a lot

    Hi
    Typically FlexConnect design is for a branch wireless where you DO NOT have a local WLC to terminate CAPWAP.
    If you have a WLC at branch & still you deploy FlexConnect at that branch then it is a waste of WLC resource.
    Here is my feedback for your points
    1) allowing WAN QoS for Voice/Data wifi clients. Local switching allows voice packets to follow the same routing and QoS as a wired IP Phone. Analogous reason for PC data traffic. And it is more useful when in backup/centralized auth mode. Encapsulating all traffic in a CAPWAP tunnel doesn't allow us a QoS implementation.
    I understand Wireless QoS is tricky to implement & you will never get the same policy for wired/wireless (that's where Unified Access or Converged Access design come into play - by the way I am not telling you have to go for CA). You need to assess pros & cons of going for FlexConnect design & I am not sure this QoS is purely justifying going for it.
    2) now 5508s are present for 80 sites but could be growing. All remaining sites are managed by old 2106 WLCs. For this purpose in the next plan maybe we'll decide on a Centralized WLC. No plan at this moment.
    My view is
    All sites you have WLC - Deploy local mode AP with primary WLC as branch & back  up as HQ WLC.
    All sites you do not have a WLC - Deploy FlexConnect local switching mode with Central Auth where HQ WLC used.
    3) so, what's the limit for FC Group in 5508 WLC?
    100 (refer the given Ciscolive presentation)
    4) OKC allows PKI AP cache as well as CCKM. But OKC release fast roaming between different FlexConnect Groups while CCKM does not. For sites with more than 30 APs it should be very useful, especially considering 7925 phones.
    When it comes to fast roaming CCKM is the best if it is CCX clients, otherwise 802.11r, which is an IEEE standard & supported by multivendor clients. OKC is a way vendors implemented fast roaming prior to 802.11r being ratified. So you should not look at OKC over 802.11r or CCKM (if it is for Cisco clients).
    I think since you are locked down to this FlexConnect design, you try to overcome the limitations of that design, rather than looking at a high level to see "FlexConnect is the best way to go or not". In my view if it is fast roaming 802.11r is the way forward (CCKM is a must if you are 100% Cisco clients).
    Refer this Ciscolive material for FlexConnect design
    BRKEWN-2016 Architecting Network for Branch with Cisco Unified Wireless
    Do not forget to rate our responses if that is useful.
    HTH
    Rasika

  • CCKM/Fast Roaming CCXv3 and CCXv4 Clients

    I am trying to verify for sure if CCXv3 clients can connect to a wlan configured with 802.1X+CCKM, and security WPA2/AES and do fast roaming?
    It appears that CCXv3 clients do not support CCKM with 802.1X/EAP TLS.

    Keep in mind the PMK is specific to an AP and client. If a client roams away from the AP and comes back it doesn't have to reauth because it uses the PMK. OKC uses the original PMK generated during your first auth and then shares it with other APs to negate auth; clients need to support OKC to take full advantage.
    For flex ..
    FlexConnect Groups and CCKM
    FlexConnect Groups are required for CCKM fast roaming to work with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM cache for all 100 clients is not practical. If you create a FlexConnect that includes a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM cache is distributed among those four access points only when the clients associate to one of them.
    Note: CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported. See the "Configuring WPA1 +WPA2" section for information on configuring CCKM.
    FlexConnect Groups and Opportunistic Key Caching
    Starting in the 7.0.116.0 release, FlexConnect groups enable Opportunistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using PMK caching in access points that are in the same FlexConnect group.
    This feature prevents the need to perform a full authentication as the client roams from one access point to another. Whenever a client roams from one FlexConnect access point to another, the FlexConnect group access point calculates the PMKID using the cached PMK.
    To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command. This feature is supported on Cisco FlexConnect access points.
    Note: The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x authentication.
    When using FlexConnect groups for OKC or CCKM, the PMK cache is shared only across the access points that are part of the same FlexConnect group and are associated to the same controller. If the access points are in the same FlexConnect group but are associated to different controllers that are part of the same mobility group, the PMK cache is not updated and CCKM roaming will fail.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
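    The PMK-cache rules quoted in the post above (cache shared only within one FlexConnect group on one controller, a PMKID derived from the cached PMK at the new AP) can be checked against a small runnable model. This is an added example, not Cisco code or the poster's; the topology, BSSIDs, client MAC and PMK below are constructed sample values, and the cache scoping by (group, controller) is this example's own model of the behaviour the text describes.

```python
"""
PMKID derivation and PMK-cache sharing within a FlexConnect group, as a
runnable model. Constructed for this example (not Cisco code): the topology,
BSSIDs, client MAC and PMK are all made-up sample values.
"""
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def pmkid(pmk: bytes, ap_bssid: str, client_mac: str) -> bytes:
    """IEEE 802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).

    AA is the authenticator (AP/BSSID) address and SPA the supplicant (client)
    address, so one PMK yields a different PMKID for every AP. The client puts
    this value in the RSN IE of its (Re)Association Request and the AP recomputes
    it from its cached PMK (the 'calculates the PMKID using the cached PMK' step).
    """
    data = b"PMK Name" + mac_bytes(ap_bssid) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


# Constructed sample topology: BSSID -> (FlexConnect group, controller the AP joined)
APS = {
    "02:00:00:00:00:01": ("branch-A", "wlc-1"),
    "02:00:00:00:00:02": ("branch-A", "wlc-1"),  # same group, same WLC
    "02:00:00:00:00:03": ("branch-A", "wlc-2"),  # same group, different WLC
    "02:00:00:00:00:04": ("branch-B", "wlc-1"),  # different group
}


def new_cache() -> dict:
    """PMK cache keyed by (group, controller): per the quoted text, the cache is
    shared only among APs in the same FlexConnect group AND joined to the same WLC."""
    return {}


def full_auth(cache: dict, bssid: str, client_mac: str, pmk: bytes) -> None:
    """A full 802.1X/EAP auth completed on `bssid` (AP in connected mode); the
    resulting PMK is pushed to every AP sharing this AP's (group, controller) scope."""
    cache.setdefault(APS[bssid], {})[client_mac] = pmk


def roam(cache: dict, client_mac: str, pmk: bytes, target_bssid: str) -> str:
    """Client moves to `target_bssid`, offering PMKID(PMK, target AP, client).

    Returns 'fast-roam' if the target AP holds a PMK for this client in its
    cache scope and derives a matching PMKID (only the 4-way handshake runs),
    otherwise 'full-auth' (a complete RADIUS/EAP exchange is required).
    """
    offered = pmkid(pmk, target_bssid, client_mac)
    scope = cache.get(APS[target_bssid], {})
    cached = scope.get(client_mac)
    if cached is not None and hmac.compare_digest(
        pmkid(cached, target_bssid, client_mac), offered
    ):
        return "fast-roam"
    return "full-auth"


if __name__ == "__main__":
    client = "00:11:22:33:44:55"   # constructed client MAC
    pmk = bytes(range(32))         # constructed 256-bit PMK (sample value only)
    cache = new_cache()
    full_auth(cache, "02:00:00:00:00:01", client, pmk)
    for target in APS:
        print(target, APS[target], "->", roam(cache, client, pmk, target))
```

    Running it shows the two cases the documentation warns about: the roam to the AP in the same group on the same controller is a fast roam, while the roams to the AP joined to a different controller and to the AP in another FlexConnect group both fall back to full authentication even though the client holds a valid PMK.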

  • WLC roaming debug assistance

    I'm in a position where I need to prove that a supplier's device doesn't truly roam between APs on a WLC. The device will eventually drop the AP when the signal is low enough and then re-authenticate to a new AP, but it doesn't seamlessly roam.
    As far as proving it, on the WLC Client Detail page, the device doesn't support CCX extensions, which, as far as I understand, is probably evidence enough in itself.
    I've also logged the device and have only ever seen
    xx:xx:xx:xx:xx Association received from mobile on BSSID aa:aa:aa:aa:aa
    I've never seen a
    xx:xx:xx:xx:xx Reassociation received from mobile on BSSID aa:aa:aa:aa:aa
    Is that evidence enough that that device doesn't actually roam?
    Is there a more elegant way, in layman's terms, to prove the point?

    Hi
    I can see that multiple times the given client's authentication failed. So it looks like the given client is unable to connect to the network. See the reference time interval & Access-Reject message for this client.
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 PMK: Sending cache delete
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Removing PMK cache entry for station 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 167)
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 167)
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=167) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.537: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.537: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *osapiBsnTimer: Sep 22 10:44:31.404: 00:80:48:78:50:65 802.1x 'timeoutEvt' Timer expired for station 00:80:48:78:50:65 and for message = M0
    *dot1xMsgTask: Sep 22 10:44:31.404: 00:80:48:78:50:65 Retransmit 1 of EAP-Request (length 95) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.418: 00:80:48:78:50:65 Received EAPOL EAPPKT from mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Received EAP Response from mobile 00:80:48:78:50:65 (EAP Id 231, EAP Type 25)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 231)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 231)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=231) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.319: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.320: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 140)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 140)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=140) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfBlacklistMobileStationEntry2 (apf_ms.c:6172) Changing state for mobile 00:80:48:78:50:65 on AP 6c:99:89:77:41:e0 from Associated to Exclusion-list (1)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Scheduling deletion of Mobile Station:  (callerId: 44) in 10 seconds
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 10.0.45.201 8021X_REQD (3) Change state to START (0) last state 8021X_REQD (3)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 10.0.45.201 START (0) Reached FAILURE: from line 5620
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Max AAA failure for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *osapiBsnTimer: Sep 22 10:47:33.204: 00:80:48:78:50:65 802.1x 'quiteWhile' Timer expired for station 00:80:48:78:50:65 and for message = M0
    *osapiBsnTimer: Sep 22 10:47:38.204: 00:80:48:78:50:65 apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
    *apfReceiveTask: Sep 22 10:47:38.204: 00:80:48:78:50:65 Freeing EAP Retransmit Bufer for mobile 00:80:48:78:50:65
    *apfReceiveTask: Sep 22 10:47:38.204: 00:80:48:78:50:65 Sent Deauthenticate to mobile on BSSID 6c:99:89:77:41:e0 slot 0(caller apf_ms.c:7065)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.223: 00:80:48:78:50:65 Sending EAP Request from AAA to mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.223: 00:80:48:78:50:65 Reusing allocated memory for  EAP Pkt for retransmission to mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Received EAPOL EAPPKT from mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Received EAP Response from mobile 00:80:48:78:50:65 (EAP Id 31, EAP Type 25)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=31) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    Also, a few times the client was forced to go to START state from RUN state with the reasoning below. Make sure you disable management frame protection (802.11w) on this WLAN. Also, if this is a FlexConnect deployment, make sure you use a FlexConnect Group if you need to support Opportunistic Key Caching (a kind of fast roaming).
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfValidateDot11wGroupMgmtCipher:1552, Received NULL 11w Group Mgmt Cipher Suite for STA, hence returning
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 AID 1 in Assoc Req from flex AP 68:86:a7:29:cf:60 is same as in mscb 00:80:48:78:50:65
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfMsRunStateDec
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfMs1xStateDec
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 10.0.45.201 RUN (20) Change state to START (0) last state RUN (20)
    HTH
    Rasika
    **** Pls rate all useful responses ****
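    The debug output in the reply above is tedious to read by hand once there are hundreds of lines, and the original question ("I only ever see Association, never Reassociation") is really a counting problem. Here is an added triage helper that parses WLC debug lines of that format and counts the signals discussed in the thread (Access-Reject, PMK cache removal, exclusion-list, Association vs Reassociation, RUN to START). This is example code, not Cisco's or either poster's; the log lines embedded in it are constructed in the same format with made-up MACs and addresses, and the finding codes are this example's own.

```python
"""
Triage helper for WLC client debug output like the lines quoted above.
Added example (not Cisco code). The log lines in SAMPLE_LOG are constructed
in the same format with made-up MACs and addresses.
"""
import re
from collections import Counter

# *<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$"
)

# (counter name, regex applied to the message part of the line)
SIGNALS = [
    ("access_reject", re.compile(r"Processing Access-Reject")),
    ("pmk_removed",   re.compile(r"Removing PMK cache")),
    ("excluded",      re.compile(r"to Exclusion-list")),
    ("assoc",         re.compile(r"\bAssociation received from mobile")),
    ("reassoc",       re.compile(r"\bReassociation received from mobile")),
    ("run_to_start",  re.compile(r"Change state to START \(0\) last state RUN")),
]


def parse_line(line: str):
    """Return (task, timestamp, client MAC, message), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("task"), m.group("ts"), m.group("mac").lower(), m.group("msg")


def summarize(lines):
    """Count the per-client signals above. Returns {client MAC: Counter}."""
    per_client = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _task, _ts, mac, msg = parsed
        counts = per_client.setdefault(mac, Counter())
        counts["lines"] += 1
        for name, rx in SIGNALS:
            if rx.search(msg):
                counts[name] += 1
    return per_client


def findings(summary):
    """Turn the counters into the points a wireless engineer would act on."""
    out = {}
    for mac, c in summary.items():
        notes = []
        if c["access_reject"] >= 2:
            notes.append("repeated_access_reject")   # AAA rejects the client: credentials/cert, not roaming
        if c["excluded"]:
            notes.append("excluded")                 # hit max AAA failures, placed on the exclusion list
        if c["assoc"] >= 2 and c["reassoc"] == 0:
            notes.append("no_reassociation_seen")    # every AP change is a fresh Association: no fast roam
        if c["run_to_start"]:
            notes.append("run_to_start")             # dropped from RUN: check 802.11w and FlexConnect group/OKC
        out[mac] = notes
    return out


# Constructed sample debug output (same format as the real WLC lines, made-up values)
SAMPLE_LOG = """\
*apfMsConnTask_7: Sep 22 10:40:01.100: 00:11:22:33:44:55 Association received from mobile on BSSID 02:00:00:00:00:01
*Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:11:22:33:44:55 Processing Access-Reject for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:11:22:33:44:55 Removing PMK cache due to EAP-Failure for mobile 00:11:22:33:44:55 (EAP Id 42)
*Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:11:22:33:44:55 Processing Access-Reject for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:11:22:33:44:55 Processing Access-Reject for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:11:22:33:44:55 Changing state for mobile 00:11:22:33:44:55 on AP 02:00:00:00:00:01 from Associated to Exclusion-list (1)
*apfMsConnTask_7: Sep 22 11:02:23.723: 00:11:22:33:44:55 10.0.0.50 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_7: Sep 22 11:05:00.000: 00:11:22:33:44:55 Association received from mobile on BSSID 02:00:00:00:00:02
*apfMsConnTask_3: Sep 22 11:06:00.000: 66:77:88:99:aa:bb Association received from mobile on BSSID 02:00:00:00:00:01
*apfMsConnTask_3: Sep 22 11:09:00.000: 66:77:88:99:aa:bb Reassociation received from mobile on BSSID 02:00:00:00:00:02
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for mac, notes in findings(s).items():
        print(mac, dict(s[mac]), notes)
```

    Feed it the saved output of the client debug (one line per debug message) instead of SAMPLE_LOG; the first constructed client shows the pattern the reply describes (three Access-Rejects, then exclusion, and only fresh Associations), while the second client's Reassociation line is what a device that actually roams leaves behind.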
