roaming issue

Unanswered Question
May 3rd, 2010

Hi,

I have a WLC4402 with version 4.1.185. Layer 2 security is WPA+WPA2 with AES+TKIP.

One of the SSIDs configured this way works fine, but on the other one, when clients roam, they have to re-enter the username and password. This happens with laptops running XP and the option "fast reconnect" enabled. I checked the logs but none appear related to authentication. How can I solve this?
I am thinking of doing an upgrade, but there is also ToIP and it works fine...

Regards!

dancampb Mon, 05/03/2010 - 09:50

Are the laptops running XP SP2? There is an MS issue (KB885453) with fast reconnect that could cause this issue. The patch is available from MS and is also part of SP3.

mdcole Wed, 05/05/2010 - 11:39

I've always heard that Windows Fast Reconnect and Cisco APs do not work well together.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

  • If you do PEAP, for example certificates with XP, SP2 where the cards are managed by the Microsoft wireless-0 utility, you need to get the KB885453 patch from Microsoft.

  • If you use Windows Zero Config/client supplicant, disable Enable Fast Reconnect. You can do this if you choose Wireless Network Connection Properties > Wireless Networks > Preferred networks. Then choose SSID > Properties > Open > WEP > Authentication > EAP type > PEAP > Properties > Enable Fast Reconnect. You can then find the option to enable or disable at the end of the window.

    slandeira Thu, 05/20/2010 - 09:53

    Hi!

    I disabled the fast-reconnect option and it did not solve the problem: it seems that the wireless client does not store the username and password to access the SSID... however, when I gain access to another SSID in which the user and password match the user/password of the domain, it saves the user data and I don't have to re-enter it each time I connect to the wireless.

    I've been reading that the user/password for the wireless connection are stored by default in Windows XP; could it be that in this case this does not happen because it does not match the domain?

    mdcole Thu, 05/20/2010 - 11:44

    I may have a possible misunderstanding of your problem.

    I am not aware of the Windows utility being able to store any username and passwords, only to pass the Windows username and password.

    Are you requiring your users to authenticate using credentials other than domain credentials? Are the computers members of the domain?

    If the computers are not domain members, or the users are logging in with credentials other than their Windows accounts (possibly logging into a local computer account?) they will be prompted for their information any time they associate to a different AP.

    With the WLC I believe there may be a way to allow cached credentials - once associated and authenticated, it will allow a user to roam and reassociate within a certain time without having to re-enter credentials.  Unfortunately, I do not use a WLC and it has been a long time since I've looked into their functionality, so I can't point you to those settings.

    Hope that helps a little.

    mdcole Thu, 05/20/2010 - 11:57

    I suppose it also depends on whether the APs are on the same controller and also the same subnet.

    From here:   http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml

    Q. What is the roaming process that occurs when a client decides to roam to a new access point (AP) or controller?

    A. This is the sequence of events that occurs when a client roams to a new AP:

    1. The client sends a reassociation request to the WLC through the LAP.

    2. The WLC sends the mobility message to other WLCs in the mobility group in order to find out with which WLC the client was previously associated.

    3. The original WLC responds with information, such as the MAC address, IP address, QoS, security context, etc. about the client through the mobility message.

    4. The WLC updates its database with the provided client details; the client then goes through the reauthentication process, if necessary. The new LAP with which the client is currently associated is also updated along with other details in the database of the WLC. This way, the client IP address is retained across roams between WLCs, which helps to provide seamless roaming.

    For more information on roaming in a unified environment, refer to the Configuring Mobility Groups section of the Cisco Wireless LAN Controller Configuration Guide, Release 5.1.

    Note: The wireless client does not send out an (802.11) authentication request during reassociation. The wireless client just sends out the reassociation right away. Then, it will go through 802.1x authentication.

    Pointing to here:

    http://www.cisco.com/en/US/docs/wireless/controller/5.1/configuration/guide/c51mobil.html

    Also from the first link, perhaps this is helpful?

    Q. What is PKC and how does it work with the Wireless LAN Controller (WLC)?

    A. PKC stands for Proactive Key Caching. It was designed as an extension to the 802.11i IEEE standard.

    PKC is a feature enabled in Cisco 2006/410x/440x Series Controllers which permits properly equipped wireless clients to roam without full re-authentication with an AAA server. In order to understand PKC, you first need to understand Key Caching.

    Key Caching is a feature that was added to WPA2. This allows a mobile station to cache the master keys (Pairwise Master Key [PMK]) it gains through a successful authentication with an access point (AP), and re-use it in a future association with the same AP. This means that a given mobile device needs to authenticate once with a specific AP, and cache the key for future use. Key Caching is handled via a mechanism known as the PMK Identifier (PMKID), which is a hash of the PMK, a string, the station and the MAC addresses of the AP. The PMKID uniquely identifies the PMK.

    Even with Key Caching, a wireless station must authenticate with each AP it wishes to get service from. This introduces significant latency and overheads, which delay the hand-off process and can inhibit the ability to support real-time applications. In order to resolve this issue, PKC was introduced with WPA2.

    PKC allows a station to re-use a PMK it had previously gained through a successful authentication process. This eliminates the need for the station to authenticate against new APs when roaming.

    Therefore, in an intra-controller roaming, when a mobile device moves from one AP to another on the same controller, the client re-computes a PMKID using the previously used PMK and presents it during the association process. The WLC searches its PMK cache to determine if it has such an entry. If it does, it bypasses the 802.1x authentication process and immediately initiates the WPA2 key exchange. If it does not, it goes through the standard 802.1X authentication process.

    PKC is enabled by default with WPA2. Therefore, when you enable WPA2 as Layer 2 security under the WLAN configuration of the WLC, PKC is enabled on the WLC. Also, configure the AAA server and the wireless client for appropriate EAP authentication.

    The supplicant used at the client side should also support WPA2 in order for PKC to work. PKC can also be implemented in an inter-controller roaming environment.

    Note: PKC does not work with Aironet Desktop Utility (ADU) as the client supplicant.
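The reassociation sequence and the PKC/PMKID lookup quoted above can be seen end to end in the following added example. It is not code from the thread or from Cisco; it is a toy model written for this page. The PMKID formula is the IEEE 802.11i one for the SHA-1 based WPA2 AKM (HMAC-SHA1 over "PMK Name" || AP MAC || client MAC, truncated to 128 bits). The MAC addresses and the PMK values are constructed for the example; a real PMK comes out of the EAP/MSK exchange with the AAA server, and the class `ControllerPMKCache` is a simplification of the controller's cache, not its real implementation.

```python
import hmac
import hashlib
from typing import Dict, Optional


def mac_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or 'aa-bb-cc-dd-ee-ff') into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % mac)
    return raw


def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID as defined by IEEE 802.11i for the SHA-1 based AKM (WPA2 with 802.1X):
        PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
    AA  = authenticator address (the AP's BSSID)
    SPA = supplicant address (the client's MAC)
    Only the first 128 bits (16 bytes) of the HMAC output are used."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class ControllerPMKCache:
    """Toy model of a controller's PMK cache with proactive key caching (assumption,
    not the WLC's real data structure): the PMK learned from one full 802.1X
    authentication is held centrally, so the controller can validate the PMKID
    a client presents for *any* AP it manages."""

    def __init__(self) -> None:
        self._pmk_by_client: Dict[str, bytes] = {}

    def store_after_8021x(self, client_mac: str, pmk: bytes) -> None:
        """Called once the AAA server has completed a full EAP exchange and the PMK is known."""
        self._pmk_by_client[client_mac.lower()] = pmk

    def reassociate(self, client_mac: str, new_ap_mac: str,
                    presented_pmkid: Optional[bytes]) -> str:
        """Decide what happens on a reassociation request to new_ap_mac.
        Returns '4-way-handshake' when the cached PMK is reused (802.1X bypassed)
        or 'full-802.1X' when the client must authenticate against AAA again."""
        pmk = self._pmk_by_client.get(client_mac.lower())
        if pmk is None or presented_pmkid is None:
            # No cached PMK (first association) or the client sent no PMKID: full EAP.
            return "full-802.1X"
        expected = pmkid(pmk, new_ap_mac, client_mac)
        if hmac.compare_digest(expected, presented_pmkid):
            return "4-way-handshake"
        # PMKID does not match: the client holds a different (stale) PMK, re-authenticate.
        return "full-802.1X"


def roam_scenario() -> Dict[str, str]:
    """Walk one client through a first association and three roams (constructed data)."""
    client = "00:11:22:33:44:55"
    ap1, ap2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    # Constructed PMK; in reality it is derived from the EAP MSK after PEAP succeeds.
    pmk = hashlib.sha256(b"constructed PMK for the example").digest()
    wlc = ControllerPMKCache()
    outcomes: Dict[str, str] = {}

    # 1. First association on AP1: nothing cached anywhere -> full 802.1X.
    outcomes["first-assoc-ap1"] = wlc.reassociate(client, ap1, None)
    wlc.store_after_8021x(client, pmk)   # AAA delivered the PMK to the controller
    client_pmk = pmk                     # the supplicant caches the same PMK

    # 2. Roam to AP2 on the same controller: the client recomputes the PMKID for
    #    AP2 from its cached PMK and puts it in the reassociation request.
    outcomes["roam-ap2-cached"] = wlc.reassociate(
        client, ap2, pmkid(client_pmk, ap2, client))

    # 3. Supplicant that lost or never cached the PMK presents a PMKID from a
    #    different key: cache miss -> standard 802.1X again.
    stale_pmk = hashlib.sha256(b"stale PMK").digest()
    outcomes["roam-ap2-stale"] = wlc.reassociate(
        client, ap2, pmkid(stale_pmk, ap2, client))

    # 4. A PMKID computed for AP1 does not validate on AP2: the PMKID is bound
    #    to the BSSID, which is why the client must recompute it on every roam.
    outcomes["roam-ap2-wrong-bssid"] = wlc.reassociate(
        client, ap2, pmkid(client_pmk, ap1, client))
    return outcomes


if __name__ == "__main__":
    for step, result in roam_scenario().items():
        print("%-22s -> %s" % (step, result))
```

The point for the thread: a credential prompt can only appear on the "full-802.1X" path, because on a PMKID hit the controller goes straight to the WPA2 key exchange without running EAP. A supplicant that does not present a valid PMKID on reassociation (no WPA2/PKC support, or a PMK it no longer holds) forces the full path on every roam, and if it also does not store the user's PEAP credentials the user is asked for them each time.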

    sdurn Fri, 05/21/2010 - 02:21

    Thanks for the answers.

    The problem is the following:
    To connect to SSID1, in which Layer 2 security is WPA+WPA2 with AES+TKIP, I have credentials different from the domain ones, and every so often it asks me to re-enter these credentials. Why doesn't it save them?

    When I connect to SSID2, in which Layer 2 security is WPA+WPA2 with AES+TKIP and the credentials are the same as the domain credentials, I don't have to re-enter them, only the first time.

    Working with Windows Vista, when you configure a wireless connection with WPA it is possible to make a choice: "cache user information for subsequent connections to this network". Is this option not available in Windows XP?

    mubeeshalivm Fri, 05/21/2010 - 04:43

    What is the EAP in use? If it is PEAP, key caching should help; if it is TTLS, you need to authenticate on each roam. Also, on the WZC, in your case we need to uncheck the option when connecting "automatically use my windows domain name and password".

    sdurn Fri, 05/21/2010 - 05:03

    hi,

    The EAP in use is PEAP. What do you mean by "key caching"? How can I enable that option?

    The option that you refer to (automatically use my windows domain name and password) is unchecked when I connect to SSID1.

    mubeeshalivm Fri, 05/21/2010 - 05:33

    Key caching is the mechanism whereby the controller centrally manages and sends the PMK to the APs so that a client does not have to do a full EAP on roam, and it is enabled by default. (Experts, please correct me if I am wrong.) Have you tried using a different supplicant like the Intel utility or the Odyssey client software to isolate this issue to WZC? If you are facing the same issues on different supplicants as well, a client debug would be helpful.

    ciscosecurity Fri, 09/24/2010 - 05:28

    Time to bump this topic, since it's not solved.

    We are experiencing the same problem; well, to be honest, I think it's the same.

    In Windows XP SP3 we use WPA2 with AES and PEAP MSCHAP v2. We cannot save the user credentials in the authentication popup. Every time these Windows XP clients roam, they lose connection and cannot reconnect until we disable the wireless network card a few times.

    In windows 7, we are able to set a 802.1x setting to "user authentication" and then fill in credentials. This setup works fine and roams perfectly.

    Kayle Miller Fri, 09/24/2010 - 05:37

    Not sure if anyone has gone down this road, but in Windows XP SP3 check these steps..

    Select “Authentication” tab

    Select “Enable IEEE 802.1x authentication for this network”

    Select “Protected EAP (PEAP)” for EAP Type.

    Select “Authenticate as computer when computer information is available” to enable Machine Authentication. (This allows the machine to connect to the wireless before a user logs in so that you can execute login scripts.)

    Click “Properties”

    Select “Secured Password (EAP-MSCHAP v2)” as “Authentication Method”.

    Click “Configure”

    Select “Automatically use my Windows logon name and password (and domain if any).” Note: For security reasons this is not a best practice; although it is generally enabled because it is easier from the user point of view. If this is not selected it requires the User to enter their credentials each time it attempts to connect.

    Click “OK”

    Click “Enable Fast Reconnect”

    Click “OK”

    This is how I have set it up on numerous clients without issue.

    Hope this helps... Please rate useful posts.

    Thanks,

    Kayle

    ciscosecurity Fri, 09/24/2010 - 06:49

    Hello kayle,

    I have all these settings. But it does not work. I get a connection on an XP client, but as soon as I roam, it loses connection. It seems to fail to hand the credentials to the next access point. I am starting to think that this is a wireless infrastructure problem. There must be settings in the WLCs that prevent this from working. Any idea where to look in the WLC?
