Am just getting ready to plunge into 802.1x, with Cisco ACS and mostly Windows users, and we have to accommodate lots of different cards, etc. PEAP looks best for us, but I'm seeing conflicting stories on PEAP and roaming. The Cisco doc on Fast Secure Roaming says PEAP isn't supported, but what does that mean to the user: reauthenticate every time you change APs? Yikes! Or am I reading it all wrong?
If you are using the Intel client, depending on which authentication type you select, the client software will gray out the option for Cisco fast roaming (under the Cisco options button). If I use TTLS, it is grayed out, but EAP-FAST works and PEAP is one of the ones which is not grayed out. Whether or not it works I can't tell you, but I would not be surprised if it works because it does not talk to the RADIUS server after the initial authentication. The good thing is that when it is working, you will get a message in the AP logs that the device fast roamed, so it is easy to verify when it is working.
I have not had any complaints about normal RADIUS authenticated roaming. It is fast enough for email and web surfing, though some apps might break their connection. I have some devices which don't support CCKM, and they work OK.
Well, from my understanding/experience: I have Cisco 1200 APs and Cisco ACS 3.3 authenticating against a Windows Active Directory database. The client cards are Intel 2200 and 1300/1400 B/G on Windows XP SP2. Windows is managing the network connection with WPA --> PEAP with MS-CHAP v2. The clients authenticate based on username and seem to work fine. Roaming is definitely an issue. I lose about 5-7 ping responses between APs. I have tried the PEAP fast connect and it does not seem to make a difference. The only thing I have not tried is getting the "Microsoft PEAP patch" (MS is still trying to get it to me ;( ). If anyone has any tips please let me know. Thanks.
I use Microsoft IAS as the RADIUS server in my Windows environment. With Windows Server 2003 there is the option to enable PEAP Fast Reconnect (silent session resume). This is available in the XP 802.1x supplicant from SP1.
[quote]Fast reconnect minimizes the connection delay in wireless environments when a wireless client roams from one wireless AP to another.[/quote]
I am not sure about ACS support for this though. If your users are mostly Windows and you are running AD, then IAS is much simpler than ACS and integrates better (plus it's included in the OS, so effectively free).
Richard, I don't have any firm figures since I didn't capture anything when we tested it (it did work though). We have now moved to WPA2/AES (with EAP-TLS) and this has some built-in re-authentication stuff, PMK caching and pre-authentication (part of the WPA2 standard), that gets around the fast roaming issue.