Does PEAP Break Roaming?

Unanswered Question
Feb 28th, 2006

Am just getting ready to plunge into 802.1x, with Cisco ACS and mostly Windows users, and we have to accommodate lots of different cards, etc. PEAP looks best for us - but I'm seeing conflicting stories on PEAP and roaming - Cisco doc on Fast Secure Roaming says PEAP isn't supported - but what does that mean to the user - reauthenticate every time you change APs? Yikes! Or am I reading it all wrong?


Thanks-


Lee

rduke Wed, 03/01/2006 - 11:49

If you are using the Intel client, depending which authentication type you select the client software will gray out the option for Cisco fast roaming (under the Cisco options button). If I use TTLS, it is grayed out, but EAP-FAST works and PEAP is one of the ones which is not grayed out. Whether or not it works I can't tell you, but I would not be surprised if it works because it does not talk to the RADIUS server after the initial authentication. The good thing is that when it is working, you will get a message in the AP logs that the device fast roamed so it is easy to verify when it is working.


I have not had any complaints about normal RADIUS authenticated roaming. It is fast enough for email and web surfing, though some apps might break their connection. I have some devices which don't support CCKM, and they work OK.


R Duke

jhoude660 Wed, 03/01/2006 - 16:19

Well, from my understanding/experience: I have Cisco 1200 APs and Cisco ACS 3.3 authenticating against a Windows Active Directory database. The client cards are Intel 2200 and 1300/1400 B/G on Windows XP SP2. Windows is managing the network connection with WPA --> PEAP with MS-CHAP v2. The clients authenticate based on username and seem to work fine. Roaming is definitely an issue. I lose about 5-7 ping responses between APs. I have tried the PEAP fast connect and it does not seem to make a difference. The only thing I have not tried is getting the "Microsoft PEAP patch" (MS is still trying to get it to me ;( ). If anyone has any tips please let me know. Thanks.


andrew.butterworth Sat, 03/11/2006 - 10:57

I use Microsoft IAS as the RADIUS server in my Windows environment. With Windows Server 2003 there is the option to enable PEAP Fast Reconnect (silent session resume). This is available in the XP 802.1x supplicant from SP1.


http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx


"Fast reconnect minimizes the connection delay in wireless environments when a wireless client roams from one wireless AP to another."



I am not sure about ACS support for this though. If your users are mostly Windows & you are running AD then IAS is much simpler than ACS and integrates better (plus it's included in the OS so effectively free).


HTH


Andy

jvr775 Wed, 08/16/2006 - 19:16

jhoude660 -

Thanks for the link - looks like it resolved the issue on initial testing. Will post back if anything pops up.

richardwhit Thu, 03/22/2007 - 02:42

Hi Andy,


Hopefully you have this marked for notification!


Does the use of fast reconnect in IAS remove the need for using WDS and CCKM on the access points? If so, how effective is fast roaming when done through IAS as compared to through CCKM?


Regards,

Richard

andrew.butterworth Thu, 03/22/2007 - 02:51

Richard, I don't have any firm figures since I didn't capture anything when we tested it (it did work though). We have now moved to WPA2/AES (with EAP-TLS) and this has some built-in re-authentication stuff - PMK caching & pre-authentication (part of the WPA2 standard) that gets around the fast roaming issue.


Some info here:


http://blogs.zdnet.com/Ou/?p=67


HTH


Andy
