I am fighting major roaming issues. I have around 300 3502i LAP's and 2 WiSM v1 controllers. The major roaming issues are seen on a production WLAN that is WPA2/AES dot1x&CCKM.
Non-CCX clients roaming is 20% worse than a CCX client.
My question is how important is it to buy a wireless client that is CCX compliant? Also, I have dot1x and CCKM enabled on this WLAN but all the clients show "authentication type......dot1x" when I issue "show client detail xxxx.xxxx.xxxx" on the WLC's. Why are the CCX clients not using CCKM??
Also I have "Aironet IE" unchecked on this WLAN. Do I need to enable this to take full advantage of CCX?
I know I should have probably posted on support forum, but I figured this could make a good discussion/learning experience for myself and hopefully others.
The issue we are seeing is when the client roams the connection completely drops and goes through the whole authentication process before associationing to the new LAP. This process takes 30-45 seconds, and is causing major issues with citrix etc..
CCX are a set of features that I believe 90% of silicon manufacturers suppports or implement. Cisco licensed these and many of them are incorporated into or precursers to the 802.11 ammendments. CCKM I see as ultimately a prelude to 802.11r which is fast base station transition and Cisco implemented CCKM for 802.1x in various staages from CCX v2 to CCX v4. CCX v2 supported CCKM in LEAP, CCX v3 supported CCKM in EAP-FAst then CCX v4 for the other EAP types such as PEAP and EAP-TLS.
Assuming Intel cards then certainly from the 3945 I think CCX v4 has been supported so you should be able to support CCKM.
CCX cannot be disabled but turning off aironet ie will remove some features. Typically aironet ie can cause issues with some clients and I have seen this in the past but things are a lot better now.
Can you verify that the clients are performing a full authentication back to RADIUS every time they roam as even with CCKM you will get a 4way handshake, however 35 seconds is a long time even for a full autentication.
I have gathered packet captures and checked ACS logs and it is indeed doing full authentication between roams.
I am using PEAP MSCHAPv2.
An old network enginner (no longer with the company) disabled Aironet IE. I talked to him and he told me cisco TAC had him turn it off a few years ago. I have since then upgraded to 7.x code. Do you think it be safe/beneficial to turn this back on?
I still can not explain why I am seeing dot1x as authentication type instead of CCKM on the CCXv5 clients. When I issue "show client details xxxx.xxxx.xxx they all show dot1x as authentication type.
Also note that all my clients are win7 using WZC. Not sure if WZC supports CCKM or not.
Thanks for the response.
I would turn it back on just to see if it affects performance. It sounds like fast roaming is not working if you are having to re-authenticate. CCX roaming features are indeed Cisco's proprietary answer to what is now 802.11r.
WZC it appearsnever used support CCKM, nor all CCX! References below.
Now typically say a laptop would not need fast roaming where a voice hanset would!
Can you test with another supplicant tat supprts CCKM?
This may however be different with Windows 7 as I am sure tere ave been some improvements, see this technet article, someting I will need to test. However CCKM may not be supported still if the implementation is significantly for 802.11r http://technet.microsoft.com/en-us/library/dd759176.aspx
Are the two APs involved in a roam on the same WLC? Even without CCKM the WLC should just label the client move internally and continue allowing the Client to communicate. The speed of this is generally in the milliseconds. Are the neighbor APs on separate WLCs?Are all of your WLCs that support APs that may roam to each other in the same mobility group? Altough, if it was me, I'd place neighboring APs on the same controller just to simplify the topology.
The AP's are on the same WLC. I am using 3500's LAP's. Currently I only have 2.4Ghz enabled. I am also running 2.4ghz N support.
My fluke is telling me 40mhz channel widths are not recommended on 2.4ghz.Could this also be a problem? I do not see anywhere on 7.098 code where you can adjust channel width on 2.4ghz.
I am not able to turn on 5ghz until properly tested and alot of my wireless clients are not dual band anyways, so not much to gain just yet when I enable 5ghz.
the 2.4GHz spectrum has 3 non overlapping channels 1, 6 and 11. If you bond 2 of these channels together lets say 1 and 6 what do you do next to provide the next adjacent cell. Simply there are not enough channels for channel bonding 2.4GHz in the enterprise thats why we can do it in the 5.oGHz spectrum where you have upto 23 non overlapping channels.
In reference to Phils reply my understanding is that with CCKM fast roaming is possible, with clients with the correct CCX version.
Without CCKM (or proactive key caching) when a client roams to another ap it undergoes full reauthentication via RADIUS etc. With CCKM only the four way handshake takes place, typically this is below 50ms but without CCKM can be considerably longer.
I understand there to be four different versions to roaming. From fastest to slowest:
CCKM: which is nearly instant because the client preauthenticates to all APs within hearing distance.
Intra-controller roaming: less then 10ms because the WLC just moves the authenticated client's location from one AP to another AP in the WLC's internal list.
Inter-Controller in the same mobility group roaming: same as above but the communication is between two WLCs and the original WLC usually ends up being an anchor if its a L3 roam Doesn't require Radius because they share the initial authentication.
Inter-Controller roaming w/o a mobility relationship between the two WLCs. This is a full authentication because the WLCs do not talk to each other and therefore are unable to share the client's PMK.
I agree generally Phil however we are discussing 802.1x specifically here therefore as I understand the reauthentication would be, with CCKM the 4way handshake. Without CCKM full reauthentication would take place.
Was this not the key issue behind 802.1xs roaming with VoWLAN? ie the firrmware v1.3.4 allowed fast secure roaming with 802.1x as the 4 way handshake is an acceptable delay?
Okay. Here goes;
To the best of my knowledge, I don't believe any Cisco code allows you to enable 40MHz channels in the 2.4 GHz band. I also concur with your Fluke device, as well as others in this thread. 40MHz should never be used in the 2.4 GHz band. (Nope... doesn't matter.... Never... shhhssh.)
Also, and I think this is one of the most complicated things I've ever had to go through with 802.11 roaming; I think your issue may actually be related to a technicallity with using AES-CCMP (WPA2) and CCKM with any clients /below/ CCX ver.5
While this wouldn't explain your assertion that you have a CCXv5 client that isn't roaming properly, I'd check your controller logs for evidence of the following:
"could not process the RSN and WARP IEs. error processing CCKM IE"
Let me know... I'm curious.
Message was edited by: Skinneh - "AES-CCMP (WPA2) and CCKM with any clients /below/ CCX ver.5" ... originally stated CCXv4, which was just a mistake on my part.