Cisco Support Community

NAC agent on Wireless runs every time we switch controllers

Hello all, we are seeing an issue in our environment and wanted to inquire about it. We have a Cisco wireless infrastructure in place here - 2 5508 controllers and approx 200 3502 APs. We have the APs split evenly between the 2 controllers. We backend this system with an in-band NAC Appliance Clean Access Server for posture assessment. What we are noticing is that when a user "roams" from one AP to another, and if the APs are connected to 2 separate controllers, the NAC agent will run again. The logs in the CAM support this, as we see the user being logged out and then logged back in. We have the 2 controllers configured in a mobility group that should allow roaming. So would this be expected behavior? Does the controller still send the RADIUS Accounting Stop packets to the CAS when it hands off a wireless session to another controller even if they are in a mobility group? Any help or thoughts would be appreciated.

Thanks,

Jeff

1 ACCEPTED SOLUTION

Re: NAC agent on Wireless runs every time we switch controllers

Jeff,

Since you are using dot1x I found the following note in the mobility configuration guide:

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html

All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication in order to comply with the IEEE standard.

From your RADIUS server, do you see a second authentication attempt come in from the second controller? If so, then most likely this is due to the RADIUS accounting stop and start messages during the roaming.

Thanks,

Tarik Admani
*Please rate helpful posts*
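
Added example, not part of the original thread or either poster's words: one way to check the RADIUS accounting log for the pattern discussed above, an Accounting Stop from one controller followed shortly by an Accounting Start from the other for the same client. The log layout, user names, MAC addresses and controller IPs are constructed for illustration; adapt the parser to your server's real export.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, not from the thread):
# timestamp Acct-Status-Type User-Name Calling-Station-Id NAS-IP-Address
SAMPLE_RECORDS = """\
2012-05-01T09:00:00 Start jsmith 00-11-22-33-44-55 10.0.0.11
2012-05-01T09:14:02 Stop jsmith 00-11-22-33-44-55 10.0.0.11
2012-05-01T09:14:03 Start jsmith 00-11-22-33-44-55 10.0.0.12
2012-05-01T09:20:00 Start mlee 66-77-88-99-AA-BB 10.0.0.12
2012-05-01T10:45:00 Stop mlee 66-77-88-99-AA-BB 10.0.0.12
2012-05-01T13:00:00 Start mlee 66-77-88-99-AA-BB 10.0.0.11
2012-05-01T13:30:00 Stop jsmith 00-11-22-33-44-55 10.0.0.12
2012-05-01T13:30:05 Start jsmith 00-11-22-33-44-55 10.0.0.12
"""

def parse(text):
    """Yield (time, status, user, client MAC, controller IP) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, user, mac, nas = line.split()
        yield datetime.fromisoformat(ts), status, user, mac.lower(), nas

def find_controller_handoffs(text, window_seconds=10):
    """Return Stop->Start pairs where the same client reappears on a
    different controller within the window (an inter-controller roam
    that the NAC server would see as logout followed by login)."""
    window = timedelta(seconds=window_seconds)
    last_stop = {}  # client MAC -> (stop time, controller that sent it)
    handoffs = []
    # Sort by timestamp only; the stable sort keeps file order on ties.
    for ts, status, user, mac, nas in sorted(parse(text), key=lambda r: r[0]):
        if status == "Stop":
            last_stop[mac] = (ts, nas)
        elif status == "Start" and mac in last_stop:
            stop_ts, stop_nas = last_stop.pop(mac)
            gap = ts - stop_ts
            # Same controller = ordinary reconnect; long gap = new session.
            if nas != stop_nas and gap <= window:
                handoffs.append((user, mac, stop_nas, nas, gap.total_seconds()))
    return handoffs

if __name__ == "__main__":
    for user, mac, old, new, gap in find_controller_handoffs(SAMPLE_RECORDS):
        print(f"{user} ({mac}): Stop from {old}, Start from {new} after {gap:.0f}s")
```

Timestamps of these pairs can then be compared with the logout/login entries in the CAM logs for the same user.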

2 REPLIES


Re: NAC agent on Wireless runs every time we switch controllers

Tarik, that is exactly what we have confirmed via logs is happening. Thank you for your help in getting this resolved and answered!

Jeff
