Hello,
First post here... I would appreciate any help with a problem that has stumped me for over a week now...
I have a 5-AP cluster in Manhattan on a 10,000 sf single floor facility (200ft by 50ft). 3 APs provide adequate coverage, but 5 work better due to difficult materials (concrete columns, wire mesh in some walls etc). Very noisy environment (hundreds of interfering APs and many hundreds of clients), but with 5 APs I get strong signal throughout.
Simple network setup: Watchguard XTM 330 firewall interfaces to Internet and provides DHCP service for LAN. To keep things simple, no VLANs, everything on the default/native VLAN of 1. About 30 wifi clients (10 corporate ipad Airs running iOS 8.1, about 20 guest devices, which includes employee iphones, visitors etc).
Mission critical app requires keeping the ipads seamlessly connected to a server on site (same subnet) as they roam around the facility. Guest devices should not be allowed to access any resource in main network. I have two ssids, one for ipads (employee) and one for guest. Design goal is to avoid ipads sticking to distant AP as user roams and thus lose connectivity. Low latency/good connectivity much more important than bandwidth.
Employee network is Enterprise Authentication using default VC certificates, guest network has no captive portal and WPA2 password.
Until about a month ago I was running 6.3.1.1-4.0 on 2 IAP-135s (one as the master), one IAP-105 and two IAP-93s. Clientmatch enabled. Guest network with IPs assigned by VC on a dedicated range (9.9.9.x). Employee network originally with IPs assigned by network, but ipads would occasionally disconnect and fail to reconnect for several minutes, so I switched to IPs assigned by controller in same 9.9.9.x range, and this was working much better. Guest devices prevented from accessing internal network via network-specific rules.
Things were running acceptably, but ipads would not always hop and occasionally disconnect, so I decided to upgrade to 6.4.2.0-4.1.1.0. This was a disaster and everything stopped working, so downgraded back. I assumed 6.4.2.0-4.1.1.0 failed because IAP-93s are not supported in VC-based authorization, so I ordered 3 IAP-205s to replace the IAP-93s and the IAP-105. New network is the two IAP-135s and the 3 IAP-205s running 6.4.2.0-4.1.1.0.
Things have been very rough with new network. First, I can't downgrade the firmware as anything less won't support the IAP-205s. Second, when the IAP-135s are in Access mode, once a client connects to the 135, it sticks and thus loses signal and gets disconnected. I was forced to use the 135s as spectrum monitors to make things work. I finally disconnected the 135s, figuring that once I get the network working with the 205s, I will find a way to add back the 135s.
So now I am running just 3 IAP-205s, but still having a lot of problems. I use network-assigned IPs, as the VC-assigned don't seem to work well. I am using the minimum DHCP configuration on the VC, providing an IP range and the DNS servers. The guest devices are still VC-assigned, and that works reasonably well, but these devices don't roam much. For employee network I have turned on 802.11k/r/v but not OKC as I don't think ipads support OKC.
I am having multiple issues with the ipads on the employee network. I will reset all settings on ipad, and then try to connect to network with excellent signal strength. Sometimes I get the user name and password rejected. Usually I get to the "accept certificate" point, but sometimes the ipad will freeze there, and I can see on the top left corner of the ipad rapid flashing between wifi-connected and disconnected states. About half the time the ipad will eventually connect and show checkmark. Other times, the certificate will be accepted immediately. A couple of times something weird happened: after accepting a certificate, when I moved to a different AP, I was asked to accept the certificate again. Also, the ipads with no connectivity usually show on the device list of the VC with the correct IP address, but sometimes with a 0.0.0.0 address and correct MAC.
Once connected, things work well, at least as long as the ipad doesn't go back to sleep or the user doesn't roam. Sometimes the pad loses wifi connectivity (and there seem to be locations near edges of facility most prone to that, where you would expect to hop from a distant AP to a nearer one). No wifi icon for minutes, even though signal is good. Sometimes, wifi icon is displayed, but there is no network connectivity, e.g. Safari will say "you are not connected to the Internet" and internal apps won't connect to server. Sometimes there is no DHCP information when connectivity is lost as above, so I tried static assignment of IP and DNS, but that didn't help. When moved back to center of facility, the ipads will eventually reconnect. I scanned for rogue DHCP servers, but that doesn't seem to be a problem.
So for now I have to choose between 90% working ipads that naturally disconnect when it is most inconvenient, and going back to my old setup with the 135/105/93 running older firmware. Not a happy choice. I am hoping someone will recognize and help me troubleshoot the above! It shouldn't be that difficult to make the latest ipad, IAP and firmware work together!
Thanks,
John B.
----------------
P.S. I just tried to run just the two AP-135s, and things work fine under 6.3.1.1-4.0 but I get the same disconnect problems with 6.4.2.0-4.1.1.0. Thus the problem seems to be with the 6.4.x VC and the ipads when 135s are used in the network.