Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.


Fast secure roaming in a high school possible?

Hello all

I'm the wireless admin of a high school.

We have around 60 AP1230 b/g here and a WLSE. The APs are splitted into two IP subnet where in each is a WDS.

The network is open and isn't using any authorisation or encryption.

The authorisation is done via VPN, the students have to start their Cisco VPN client and are connected to a Concentrator 3000.

I recently read about fast secure roaming, which could be quite usefull. Currently the VPN connection terminates when a student walks around and roam to the next access point.

Could this fast secure roaming stopp them from loosing the VPN connection?

Would that work with every brand of wireless adapter and operating system?

What would I need to configure where to realise it?




Re: Fast secure roaming in a high school possible?

I suggest you can read below link for the configuration of fast secure roaming & WDS. What I believe the fast secure roaming require the Cisco authentication method,e.g. LEAP or EAP-Fast.

According to your case, the VPN connection is terminated when travel to other AP. Will the wireless connection terminated too ? If not, I beleive it is the VPN Concentrator issue and not related to the fast secure roaming. Please correct me if I am wrong.


Re: Fast secure roaming in a high school possible?

One more issue that please check if the user roam from one AP to another AP. Is the IP Address still the new ? If not, the VPN connection may be broken. Just my two cents.

New Member

Re: Fast secure roaming in a high school possible?

For seamless fast secure roaming at layer 3 (i.e. maintain client ip address even as you roam amongst APs on different subnets), you need a WLSM as your WDS device in a cat6000 chassis with sup720 to do gre in hardware. This is the only way you can maintain ipsec vpn as you roam unless you use a large layer 2 network spanning the school campus (not ideal).

On the client (mobile node) side, you need to support peap with cisco extensions, specifically CCKM.


Re: Fast secure roaming in a high school possible?

All APs are in the same subnet and also the clients have their own subnet.