Cisco Support Community

New Member

WDS - Still authenticating at Radius after roaming

Hi,

Maybe someone can help me with this: I installed a WLAN, consisting of three APs (1200), with WDS. The clients can authenticate with EAP-TLS and valid certificates to a (free)radius-server. The APs authenticate with LEAP at the same radius and are shown as registered at the master WDS, but still every roam leads to a new authentication at the radius. Did I miss something here? Do I need additional hardware for fast roaming here?

4 REPLIES
New Member

Re: WDS - Still authenticating at Radius after roaming

What kind of encryption are you using?

This is from the wireless design guide from Cisco:

"Wireless LAN clients are always re-authenticated by the system in some way on a roam. This is always necessary to protect against client spoofing. When wireless clients support Pair-wise Master Key (PMK) caching as defined in the 802.11i and WPAv2 specifications, Cisco wireless LAN controllers support full, secure roaming and re-keying without re-authenticating the client with the AAA server in the back-end. This is true for both Layer 2 and Layer 3 intra- and inter-controller roaming. This feature is called Proactive Key Caching (PKC). While no special client-side software is required to support roaming, PKC requires client-side supplicant support. Please refer to the appropriate documentation for a detailed explanation of PKC."
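A minimal model of the PMK caching described in the quoted design guide, added here as an illustration (it is not part of the thread and not Cisco's code). The PMKID formula is the one defined in 802.11i; the `AccessPoint` and `Radius` classes, the MAC addresses and the key material are constructed for the example. It shows that a roam skips the RADIUS exchange only when the infrastructure shares the cached PMK and the client supplicant offers a matching PMKID.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i: PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class Radius:
    """Stand-in for the AAA server; counts full EAP authentications."""
    def __init__(self):
        self.auth_count = 0

    def full_eap(self, sta: bytes) -> bytes:
        self.auth_count += 1
        # Constructed key material standing in for the PMK derived from the EAP MSK
        return hashlib.sha256(b"constructed-msk" + sta + bytes([self.auth_count])).digest()

class AccessPoint:
    """Hypothetical authenticator holding a PMK cache keyed by client MAC."""
    def __init__(self, bssid: bytes, pmk_cache: dict):
        self.bssid = bssid
        self.pmk_cache = pmk_cache

    def associate(self, sta: bytes, offered: list, radius: Radius) -> str:
        pmk = self.pmk_cache.get(sta)
        # The PMKID binds the PMK to this BSSID and this client MAC
        if pmk and any(hmac.compare_digest(pmkid(pmk, self.bssid, sta), p) for p in offered):
            return "cached"    # 4-way handshake only, no AAA round trip
        self.pmk_cache[sta] = radius.full_eap(sta)
        return "full-eap"      # complete 802.1X/EAP exchange

def roam(shared_cache: bool, client_offers_pmkid: bool) -> int:
    """Associate to AP1, roam to AP2, return how many RADIUS authentications ran."""
    radius = Radius()
    sta = bytes.fromhex("020000000001")      # constructed client MAC
    cache1 = {}
    cache2 = cache1 if shared_cache else {}  # shared = infrastructure-side key caching
    ap1 = AccessPoint(bytes.fromhex("0200000000a1"), cache1)
    ap2 = AccessPoint(bytes.fromhex("0200000000a2"), cache2)
    ap1.associate(sta, [], radius)
    client_pmk = cache1[sta]                 # the client derives the same PMK from EAP
    offered = [pmkid(client_pmk, ap2.bssid, sta)] if client_offers_pmkid else []
    ap2.associate(sta, offered, radius)
    return radius.auth_count

if __name__ == "__main__":
    for shared in (True, False):
        for offers in (True, False):
            print(f"shared_cache={shared} client_pmkid={offers} -> {roam(shared, offers)} RADIUS auths")
```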

New Member

Re: WDS - Still authenticating at Radius after roaming

Hi, and thanks for the reply.

I use TKIP as the APs don't seem to support AES (they're a bit older). So if I understand this right, I will need some special hard- and software on the clients to get this running? I thought everything is handled by the APs, so I won't have a chance to implement this, as long as we have the clients with mixed hardware, managed by the Windows system?

New Member

Re: WDS - Still authenticating at Radius after roaming

I may be wrong, but I guess you'll need to use WPA2 to do PMK-caching.

See also: http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch4_Secu.html

Search for "Proactive Key Caching and CCKM" in the document.

I'm not that good in WDS with IOS APs (never did that), but I guess it's pretty much the same as with WLCs.

So... try using WPA2

New Member

Re: WDS - Still authenticating at Radius after roaming

I'll try this, thank you very much so far for the tip. I'll try some newer APs and post here, if I find the correct solution and if I will ever get through all these acronyms. ;-)
