Wifi seamless mobility and roaming between different AP on same Controller problem

  • Problem
  • Updated 2 years ago
  • Solved
Hi, we have a v10 WiFi controller and several AP 3805i and an SSID defined with a WLAN with 802.1x authentication, topology B@EWC, and in the advanced properties of the radio settings I've enabled Probe Suppression as follows (to avoid the problem of sticky clients on one AP):

The problem is that the client, when roaming from one AP to another, asks again for authentication.
The Privacy on the WLAN is defined as WPA-PSK as follows:


I've read in the documentation that for seamless mobility and roaming it is necessary to use WPA2 with Opportunistic Keying & Pre-auth as follows:


Is this setting a requirement for seamless mobility?
In my case the customer needs to leave the Privacy set to WPA-PSK for other security reasons and says that they can't adopt OKC & Pre-auth. How can we solve the problem in this case?

Antonio Opromolla


Posted 2 years ago


Hartmut Sachse

Hello Antonio, the support of fast roaming mechanisms depends on the client capabilities. OKC has to be supported by the clients. Same with Fast Transition (802.11r). This key management option could be used to improve roaming times if 802.1X is in use.

From a roaming perspective, a pre-shared key has little impact on the roaming time compared with 802.1X authentication. The client should not ask for the PSK again. There is something wrong.

I would recommend you disable OKC, Pre-Auth, Management Frames Protection and Fast Transition and check if the issue still exists.


Best Regards
Hartmut

Antonio Opromolla

Hi Hartmut, now the settings are with WPA-PSK, as you can see in the previous screenshot image, and there is no OKC or Pre-auth set, except that Management Frames Protection is enabled (FT is not present on the WPA-PSK page).

We can try to disable MFP to see if the re-authentication problem is still present.

Hartmut Sachse

That's right, for PSK you can't enable fast roaming, because this is for WPA-Enterprise SSIDs (802.1X) only.

What I didn't understand is on which SSID the client asks for authentication credentials again: the PSK SSID or the 802.1X one?

Antonio Opromolla

Hi Hartmut, under the security tab I use WPA-PSK, but the authentication tab is set to 802.11x (it is a sort of double authentication).

Hartmut Sachse

"WPA" is for usage with 802.1X (WPA-Enterprise) and "WPA - PSK" is for setting up an SSID with a WPA1/WPA2 Pre Shared Key. You can use 802.1X with MAC Authentication, but I wouldn't recommend this.

I think your goal is to create a WPA-Enterprise SSID, right?

Antonio Opromolla

Yes, I use WPA-Enterprise, but the customer would like to use WPA-PSK, and the only problem they have now with this setting is that client roaming is not seamless. If the seamless functionality is possible only with WPA and not WPA-PSK, I'll tell this to the customer.
Reading the Wireless Controller User Guide v10, it seems that for seamless roaming 802.11i Pre-auth is necessary... (see page 255)

Ronald Dvorak, Embassador

Do tests show that it is not seamless, or is that an assumption after reading the paragraph in the user manual?

I'm not sure whether there is a definition for "seamless roaming"
http://muniwireless.com/2007/01/31/what-is-seamless-roaming/

But back to the topic: with WPA-PSK the PSK is stored on the AP and on the device, so there is no delay in asking an 802.1X RADIUS server for authentication, so you shouldn't have any problems roaming from one AP to the other if the APs have overlapping cells and the client adapter/driver is good and supports roaming.

Some years ago that was a little bit different with bad client adapters/drivers, where the client didn't roam; instead a full disconnect/reconnect was done (client adapter issues, not AP/controller).
But I haven't seen that for years, so you should be OK.
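
Added example, not part of the post above and not vendor code: why a WPA2-PSK roam needs no RADIUS round trip. Every AP and the client derive the same PMK locally from passphrase and SSID, and each new AP only runs the 4-way handshake to produce a fresh PTK. The passphrase/SSID pair is the published IEEE 802.11 test vector; the MAC addresses and nonces are constructed for illustration.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """48-byte CCMP PTK (KCK | KEK | TK) agreed during the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def roam(passphrase, ssid, sta_mac, aps):
    """Walk a client across APs; returns {bssid: ptk}. No auth server is involved."""
    client_pmk = derive_pmk(passphrase, ssid)    # computed once on the client
    keys = {}
    for i, bssid in enumerate(aps):
        ap_pmk = derive_pmk(passphrase, ssid)    # each AP holds the same PMK locally
        # Constructed, deterministic nonces so the example is reproducible;
        # real stations and APs use fresh random 32-byte nonces per handshake.
        anonce = hashlib.sha256(b"anonce" + bytes([i])).digest()
        snonce = hashlib.sha256(b"snonce" + bytes([i])).digest()
        ptk_ap = derive_ptk(ap_pmk, bssid, sta_mac, anonce, snonce)
        ptk_sta = derive_ptk(client_pmk, bssid, sta_mac, anonce, snonce)
        assert ptk_ap == ptk_sta                 # both sides agree without RADIUS
        keys[bssid.hex(":")] = ptk_sta
    return keys

# Constructed sample addresses (not from the thread).
STA = bytes.fromhex("020000000001")
APS = [bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")]

if __name__ == "__main__":
    for bssid, ptk in roam("password", "IEEE", STA, APS).items():
        print(bssid, "TK =", ptk[32:].hex())
```

The PMK is identical at every AP, while the PTK changes per BSSID and per handshake, so a prompt for credentials during a PSK roam comes from a different layer than WPA key management.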

Antonio Opromolla

Thanks Ronald.

In the customer configuration, there is the PSK key for the privacy and 802.11x for the Authentication.

So do you think that the new authentication request may be due to the 802.11x delay?

Ronald Dvorak, Embassador

I don't see how that setup is possible...

I've set WPA-PSKv2 for privacy/encryption on my controller and if I choose 802.1X for authentication I get this error....





Please double-check - if the WLAN service is disabled, try to enable it and you should get the same error message.

Antonio Opromolla

You are right, Ronald; the customer has an Internal mode with RADIUS authentication of the credentials, configured as follows:

Ronald Dvorak, Embassador

OK, the ICP authentication is only done the first time the client connects to the AP and doesn't affect the roaming of the client.

After the client is idle for 30 min (default), the client must authenticate again against the ICP.

Antonio Opromolla

OK, Ronald, we will check whether the re-authentication occurs only after roaming, before the idle timeout expires, or after the timeout.

Antonio Opromolla

Hi Ronald, I confirm that the problem was due to the client: in a deeper test with several clients, some of them were able to change AP transparently (without the need to re-authenticate) and others needed to re-authenticate. So on the Extreme configuration side everything is correct, and the problems are on the client side.

Antonio Opromolla

Hi, the customer has also run the tests with clients that don't support Management Frame Protection, so we have also disabled this option.