My issue is that, that i have a running network with wireless clients authenticating through the ACS server using the PEAP MSchap stuff... The issue which is arrising is that the wireless clients disconnects after some time and then get stuck with the authentication. this is not the issue with one or 2 clients, all the wifi ppl are getting this sudden disconnection issue after some random period of time. can any one tell me what is the reason of dissassociation
is this due to the ACS session timeout value in the ACS config?
is it the radio channels issue?
or is it due to Radio power settings or something else....also mentioning that i have a perfect roaming scenario and i dont have issues with the roaming. plz help me in this regard as my clients are running buisness critical applications and sudden disconnection freaks them out..:)
I am using "Steel-Belted-Radius" and i am using TTLS with PAP instead of PEAP with MSchap but i have the same phenomena as you!
Session Timeout on the WLC 120 sec.
then starting a bigger download with a client. if i look in the radius Log i see, that the client gets disconnected after some authentication. Maybe not at the first 120 sec. but maybe after 5 minutes.
The terrible thing is, that if i use a session-timeout with 20000 sec. the problem still persitst because i see in the radius Logs much more authentication processes than every 20000 sec. even though i does not move my notebook to another place! Maybe i see an authentication after 30min. or maybe after 10 min. and sometimes every minute!
Have you the same phenomena?
I have also experimented with the "session resumption (quick connect)" feature which i have activated on client and radius side. But the Problem still persitst!
The problem you describe CAN occur if theres interference going on.
Essentially the client looses connection for whatever reason. Roaming, closes his laptop lid, puts on his tin foil hat, or possibly to many users on a single AP. Remember wireless is half duplex.
I would turn informational logging on, push the logs to a syslog server. If you cant do this, monitor your AP for a few minutes straight. Take a look to see if your seeing a lot of max retries. While a few are not the end of the world, a screen scrolling with them isnt exactly a good sign.
My abridged version of what this error (MAX RETRIES) means... Your AP goes out and says 'Yo dvr0 i need your password'... It waits a bit, then states again.. 'Yo dvr0 i need your password!' until it hits a counter which results in max retries and the client is disassociated.
If this is true.. You may want to take a look at doing another site survey, or obtaining a spectrum analyzer to see if you can locate the offending signal. Gather signal strength and SNR values.
Then again you may not have an interference problem at all..
Take a look at your failed and successful attempt logs on your ACS server(s) and see if the ACS server is showing anything. You may end up having to do a sniff on your AP and or your ACS box to ensure the traffic is even getting there. I had a case where once some users from other parts of my Org were in town, and they were stuck at 'Waiting to auth' because the ACS server did not have the proper DNS suffix in its TCPIP settings.
This sounds a little similar to what we are experiencing...are you running WAP and WPA2 on the SSID?
We have been doing this and after doing some serious Wiresharking found issues with the clients having loads of LLC packets and wierd EAP ones as well...we then ran the WiSM config analyser tool and discovered that it is not best practice to deploy both on the same SSID
"Although the controller and access points do support WLAN with SSID using Wi-Fi Protected Access (WPA) and WPA2 simultaneously, it is very common that some wireless client drivers cannot handle complex SSID settings. In general, it is a good idea to keep the security policies simple for any SSID, for example, using one WLAN/SSID with WPA and Temporal Key Integrity Protocol (TKIP), plus a separated one with WPA2 and Advanced Encryption Standard (AES)."
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...