Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Client reauthenticating flip-floping APs

Here is my situation.

I have two AP1232s.

AP-a and AP-b

There is a conference room where AP-a is closer, but AP-b is still within range.

Clients associate with WPA and authenticate with Radius secure ID. Everything is great. Signal strengh is about -70db.

Then after a while (time is never the same), with the user still sitting in the same seat, AP-b prompts the client for authentication via secure ID. Of course this drops the connection. The signal strengh is -90db to -95db so it doesn't stay connected long. When it drops the user has to auth back to AP-a.

This cycle just repeats itself.

Any ideas out there?

8 REPLIES
Gold

Re: Client reauthenticating flip-floping APs

Per the specs the client decides when and where to roam. There are a couple things you can try to do to help. First thing is depending on the supplicant you are using you may be able to adjust how sensitive its roaming is. The other is to adjust the power levels on the AP's so that the other AP isn't as good of a roam candidate.

Bronze

Re: Client reauthenticating flip-floping APs

By all means always regulate your power settings as stated before, but if you are using any radius authentication you need something to act as the go between between the radius and the client. Otherwise, no matter how well you get your infrastructure tweaked, any roam at all will present the same way.

If you are using autonomous AP's you need WDS.

http://www.cisco.com/en/US/products/hw/routers/ps272/products_configuration_guide_chapter09186a008022b1eb.html

If you are LWAPP, there is a tick box that must be checked to allow roaming.

Understanding WDS

The following sections describe WDS even though the Cisco wireless mobile interface card (WMIC) cannot be configured as a WDS server even when it is configured as an access point. However, when configured as an access point, the WMIC can use a WDS server and can act as a WDS authenticator (client).

When you configure an access point to provide WDS, other access points (such as your WMIC, if it is configured as an access point) on your wireless LAN use the WDS access point to provide fast, secure roaming for client devices and to participate in radio management.

Fast, secure roaming provides rapid reauthentication when a client device roams from one access point to another, preventing delays in voice and other time-sensitive applications.

Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS access point. The WDS access point aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network.

New Member

Re: Client reauthenticating flip-floping APs

Hi John,

I have one site that has a mix of AP1200s with B radios and 1242s with G radios.

One particular area of the site has users experiencing authentication breaks and causes loss of connectivity. The two APs in their area are 1242s, but directly above them on the 2nd floor is a 1200. I have seen a log this morning on one of the 1242s showing the 1200 above them as a rogue (this is the first time i have seen it):

Mar 27 09:07:13: %DOT11-6-ROGUE_AP: Rogue AP 000f.f858.889f reported. Reason: Authentication timed out.

I have checked configurations and firmware and we are standard, but the users still are having issues. I adjusted the power settings and verified that there is no channel interference within this area last week and the users said that it worked great for two days, then this week has been poor.

I am stumped a bit, and wonder if it is a user configuration(but they use a standard client config with a standard wireless utility) or an authentication issue with our ACS. I did see this log this morning as well...

Mar 27 08:55:39: %RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.

We swapped ACS servers a couple weeks ago so the new ones should be working correctly as the network team worked with Cisco to get it right.

Do you have any ideas? Should i attempt a WDS scenario? We have not implemented the LAN controller yet as we are still in testing phases

Thanks in advance.

Matt

Bronze

Re: Client reauthenticating flip-floping APs

Hmmm...the very first thing I see that you either are or will have issues with is the mix of B only and BG AP's. The client wants to go as fast as it can, which means a G client will look for the ability to transmit and recieve at the faster data rates...even though the B only AP is closer. This will cause much pain and I have spent the night upgrading AP's before so please take this into consideration.

You need WDS (autonomous)or something that will cache the client credentials during roaming. Cisco should be bringing that up...If these are going to be converted to LWAPP there's a whole other process - much less painless then autonomous

Dead radius sounds like a whole other problem that I wouldn't know enough about.

New Member

Re: Client reauthenticating flip-floping APs

Thanks John.

Yes, eventually we are going to be changing over to LWAPP, but that may take a little time.

Can you provide a good link for the WDS configuration process?

I don't think we are going to be swapping out the B radios any time soon either, so it looks like until we get the LWAPP/WLAN Controller setup in place, the WDS solution sounds like our best more.

thanks again

Matt

Hall of Fame Super Red

Re: Client reauthenticating flip-floping APs

Hey Matt,

Hope all is well with you :) Just to add a note to the great info from John and Dan. Here are the WDS docs you may need.

Configuring WDS, Fast Secure Roaming, and Radio Management

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341d2d.html#wp1035881

Wireless Domain Services Configuration

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

Wireless Domain Services FAQ

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml

Like John also noted, the change to LWAPP, allthough not without issues will be a great help here :) Keep that project moving along (you will be happy you did!)

Hope this helps!

Rob

New Member

Re: Client reauthenticating flip-floping APs

Hey Rob!

Yes, life is going well....bought my first house this week, and the Louisville Cardinals are in the Elite 8 of the NCAA. :)

I hope life is grand with you as well.

Slowly but surely on the LWAPPs. We have a few in testing in the office, but the deployment is at a standstill until the controllers are fully tested.

Thanks for the info as always, and I'll keep you posted.

Hall of Fame Super Red

Re: Client reauthenticating flip-floping APs

Hi Matt,

Congrats on the new home purchase!! Knowing that you must love the Cards, I will now cheer for them as well in their quest for the Championship :)

Go Cardinals Go!

Rob

244
Views
10
Helpful
8
Replies
CreatePlease to create content