EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

Jul 10th, 2009

Good Morning...

I've been working on moving our clients over to EAP-TLS with Machine Auth for some time. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occur anywhere from every 2 minutes, to every 10 minutes, to every 5 hours. These carts do move around A LOT as they are pushed from one Patient Room to another, so I'm guessing the drops are occurring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping, but the software we use (Meditech) is very connection sensitive; in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more efficient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLCs to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921s and 25s support EAP-TLS, as this type of latency would never work. By the way, I'm using an ACS 4.2 as my authentication platform mapped back to AD.

dancampb Fri, 07/10/2009 - 05:14

You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have set up. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

raun.williams Fri, 07/10/2009 - 05:23

My clients are currently set to WPA/TKIP and CCKM is enabled. Is PMK only with WPA2 and an automatic function? I'm working on the client debugs.

dancampb Fri, 07/10/2009 - 08:12

PMK is part of the 802.11i spec. It is not required but most clients and APs that are WPA2 certified support it. There isn't anything you have to configure to enable it. I assume that your clients support CCKM? If so then you should be getting the fast roaming already. The debugs should tell you.
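Added example, not part of any post in this thread and not Cisco code: a simplified Python model of the 802.11i PMK caching discussed above, showing how a cached PMK lets a reassociation skip the full EAP exchange. The MAC addresses, the PMK value and the `Authenticator` class are constructed for illustration; each authenticator keeps its own cache here, and how a controller shares cached keys between APs is not modelled.

```python
import hashlib
import hmac

def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """802.11i: PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    msg = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

class Authenticator:
    """Hypothetical per-BSSID authenticator holding a PMK cache."""

    def __init__(self, bssid: str):
        self.bssid = bssid
        self.cache = {}  # PMKID -> PMK

    def full_eap(self, client_mac: str, pmk: bytes) -> None:
        # After a successful EAP-TLS exchange, both sides hold the PMK;
        # the authenticator caches it under the PMKID for this BSSID/client.
        self.cache[pmkid(pmk, self.bssid, client_mac)] = pmk

    def reassociate(self, client_mac: str, offered_pmkids: list) -> str:
        # The client lists the PMKIDs it holds in its (re)association request.
        for candidate in offered_pmkids:
            pmk = self.cache.get(candidate)
            if pmk is None:
                continue
            # Recompute so the entry is accepted only for this BSSID and client.
            if hmac.compare_digest(candidate, pmkid(pmk, self.bssid, client_mac)):
                return "cache-hit: 4-way handshake only"
        return "cache-miss: full 802.1X/EAP exchange"

# Constructed sample values (locally administered MACs, dummy 256-bit PMK).
CLIENT = "02:00:00:00:00:10"
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
PMK = bytes(range(32))

def demo() -> list:
    ap1, ap2 = Authenticator(AP1), Authenticator(AP2)
    ap1.full_eap(CLIENT, PMK)                   # first association on AP1
    held = [pmkid(PMK, AP1, CLIENT)]            # what the client has cached
    return [ap2.reassociate(CLIENT, held),      # roam to AP2: nothing cached
            ap1.reassociate(CLIENT, held)]      # roam back to AP1: PMK reused

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```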

