WDS - Still authenticating at Radius after roaming

Unanswered Question
Apr 8th, 2009
User Badges:

Hi,


Maybe someone can help me this: I installed a WLAN, consisting of three APs (1200), with WDS. The Clients can authenticate with EAP-TLS and valid certificates to a (free)radius-server. The APs authenticate with LEAP at the same radius and are shown as registered at the master WDS, but still every roam leeds to a new authentication at the radius. Did I miss something here? Do I need additional hardware for fast roaming here?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Johannes Luther Wed, 04/08/2009 - 04:03
User Badges:

What kind of encryption are you using?


This is from the wireless design guide from Cisco:


"Wireless LAN clients are always re-authenticated by the system in some way on a roam. This is always

necessary to protect against client spoofing. When wireless clients support Pair-wise Master Key (PMK)

caching as defined in the 802.11i and WPAv2 specifications, Cisco wireless LAN controllers support full,

secure roaming and re-keying without re-authenticating the client with the AAA server in the back-end. This

is true for both Layer 2 and Layer 3 intra- and inter-controller roaming. This feature is called Proactive Key

Caching (PKC). While no special client-side software is required to support roaming, PKC requires client-side

supplicant support. Please refer to the appropriate documentation for a detailed explanation of PKC."

bjoern.reese Wed, 04/08/2009 - 04:21
User Badges:

Hi, and thanks for the reply.

I use TKIP as the APs don't seem to support AES. (they're a bit older). So if I understand this right, I will need some special hard- and software on the clients to get this running? I thought everything is handled by the APs, so I won't have a chance to implement this, as long as we have the clients with mixed hardware, managed by the windows system?


bjoern.reese Wed, 04/08/2009 - 04:48
User Badges:

I'll try this, thank you very much so far for the tip. I'll try some newer APs and post here, if I find the correct solution and if I will ever get through all these acronyms. ;-)

Actions

This Discussion