Introduction
PEAP authentication takes approximately 30 seconds to re-authenticate when roaming between APs
Resolution
Protected EAP (PEAP) is a draft EAP authentication type that is designed to allow hybrid authentication. PEAP employs server-side Public Key Infrastructure (PKI) authentication. For client-side authentication, PEAP can use any other EAP authentication type. Because PEAP establishes a secure tunnel through server-side authentication, non-mutually authenticating EAP types can be used for client-side authentication (such as EAP Generic Token Card (GTC) for one-time passwords (OTP), and EAP MD5 for password-based authentication).
When PEAP authentication is used, there is a delay when users roam between Cisco Access Points (APs). PEAP takes a long time to authenticate because it must re-authenticate user credentials to the RADUIS server every time the user roams.
- Do not use WPA/TKIP with PEAP to avoid delays.
- Refer the article 826942 to obtain the patch which fixes the authentication delays.
- Using Fast reconnect is another option to decrease the re-authentication delays. This should be enabled on the client and the authentication server. Refer URL configuring ACS for PEAP
- AS an alternative use LEAP authentication instead of PEAP. LEAP has the fast roaming feature. For more information on how to configure LEAP, refer to Configuring EAP authentication with RADIUS Server.
- You can also use EAP-FAST instead of PEAP. For more information on EAP-FAST, refer to Cisco EAP-FAST.
Problem Type
Roams between access points continuously
Security Options
PEAP
Reference
For more information on the fast roaming feature and how to configure fast roaming,
Configuring WDS and Fast Secure Roaming section of Configuring WDS, Fast Secure Roaming, and Radio Management.