Controllerless Networks


IAP Roaming with 802.1x cert and OKC

  • 1.  IAP Roaming with 802.1x cert and OKC

    Posted Apr 15, 2015 02:23 PM

    Hi Folks,

    I'm having some weird issues with my IAP cluster.

    CASE: 16 IAPs version 6.4.2.0-4.1.2 in one cluster on the same broadcast domain (native VLAN in trunks to AP, but management VLAN for the network). Different SSIDs tagged to different VLANs, on the same switch (cabled clients are also in this VLAN; no problems when clients are on cable).
    I have 2 SSID-Profiles and 2 laptops.

    Corp laptop; HP win8.1 with intel 7260 AC nic
    Corp laptop; HP win7 with intel xxxx N nic


    The issue:
    HP win8.1: When associated to "Some-WiFi" the computer is getting the right IP address and low ping and good SNR, everything is good. But when I'm trying to move around in the office, the PC suddenly gets an APIPA address (169.254.x.x) but is still associated to the SSID. If the PC has a static IP address assigned to the NIC, and is roaming, no problems.

    HP win7 has no problems roaming in the building, however often low bandwidth, but never an APIPA IP.

    Bonus: NPS server always replies audit success when clients are validating with a valid certificate.


    Log from IAP cluster on win8.1:
    PMK Cache Table
    ---------------
    Client MAC Key OKC/11r Expiry Name Role VLAN ESSID
    ---------- --- ------- ------ ---- ---- ---- -----
    5c:c5:d4:53:e0:d5 0711D168BD3A... okc 7h:55m:11s host/WIN8B.somenet.dk SOME-WiFI 326 SOME-WiFI
    show auth-survivability cached-info
    UserName Remaining Cache-Time
    -------- --------------------
    host/WIN8B.somenet.dk 23h:55m:10s
    Total no of cached username : 1

    show log l3-mobility

    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 rcvd from 172.18.249.35 vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 0.0.0.0 vcip 172.18.249.35 info client-not-foreign
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 rcvd from 172.18.249.35 vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 0.0.0.0 vcip 172.18.249.35 info client-not-foreign
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 sent to self vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 172.18.249.100 vcip 0.0.0.0 info name=WIN8B,ip=172.17.1.52,o
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 sent to self vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 172.18.249.100 vcip 0.0.0.0 info name=WIN8B,ip=172.17.1.52,o
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 rcvd from 172.18.249.35 vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 0.0.0.0 vcip 172.18.249.35 info client-not-foreign
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 sent to self vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 172.18.249.100 vcip 0.0.0.0 info name=WIN8B,ip=172.17.1.52,o
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 rcvd from 172.18.249.35 vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 0.0.0.0 vcip 172.18.249.35 info client-not-foreign
    Apr 15 14:25:00: Foreign Sta Info from Home Virtual Controller: mac 5c:c5:d4:53:e0:d5 sent to self vlan 0, 0 tid 255 oldapip 0.0.0.0 fapip 0.0.0.0 hapip 172.18.249.100 vcip 0.0.0.0 info name=WIN8B,ip=172.17.1.52,o


    show log kernel
    [ 6018.121888] wl0: wlc_apps_ps_flush_prec(3468): freed 0 packets precbmp : c prec : 0
    [ 6018.121901] wl0: wlc_ampdu_tx_recv_delba(12193) 5c:c5:d4:53:e0:d5 tid 1 initiator 0 reason 39
    [ 6018.991738] wl0: wlc_ampdu_watchdog: cleaning up ini tid 0 due to no progress for 30 secs dest : 50:1a:c5:e6:f0:99 transit : 0
    [ 6018.991757] wl0: wlc_ampdu_tx_send_delba: tid 0 initiator 1 reason 39 dest 50:1a:c5:e6:f0:99
    [ 6018.991838] ba_state 219 ba_wsize 225 tx_in_transit 0 tid 78 rem_window 32
    [ 6018.991848] start_seq 0x18f max_seq 0x18f tx_exp_seq 0x190 bar_ackpending_seq 0x15b
    [ 6018.991856] bar_ackpending 0 free_me 0 alive 0 retry_bar 0
    [ 6018.991862] retry_head 0 retry_tail 0 retry_cnt 0
    [ 6018.991868] ackpending:
    [ 6018.991878] 0000: 00 00 00 00 00 00 00 00
    [ 6018.991882] barpending:
    [ 6018.991892] 0000: 00 00 00 00 00 00 00 00

    show log driver

    [ 5943.253703] wl0: wlc_apps_ps_flush_prec(3468): freed 0 packets precbmp : c prec : 0
    [ 5943.253719] wl0: wlc_ampdu_tx_recv_delba(12193) 5c:c5:d4:53:e0:d5 tid 1 initiator 0 reason 39
    [ 5956.985734] wl0: wlc_ampdu_watchdog: cleaning up ini tid 0 due to no progress for 30 secs dest : 28:5a:eb:d6:14:76 transit : 0
    [ 5956.985753] wl0: wlc_ampdu_tx_send_delba: tid 0 initiator 1 reason 39 dest 28:5a:eb:d6:14:76
    [ 5956.985834] ba_state 219 ba_wsize 221 tx_in_transit 0 tid 148 rem_window 32
    [ 5956.985843] start_seq 0x1bf max_seq 0x1bf tx_exp_seq 0x1c0 bar_ackpending_seq 0x191
    [ 5956.985851] bar_ackpending 0 free_me 0 alive 0 retry_bar 0
    [ 5956.985858] retry_head 0 retry_tail 0 retry_cnt 0
    [ 5956.985864] ackpending:
    [ 5956.985873] 0000: 00 00 00 00 00 00 00 00
    [ 5956.985878] barpending:
    [ 5956.985887] 0000: 00 00 00 00 00 00 00 00

    I'm on the newest driver from Intel on the wireless NIC.

    When I'm on the other SSID with wpa2aes-psk, no problems have been reported.

    Profile0 :
    wlan ssid-profile SOME-WiFI
    enable
    index 0
    type employee
    essid SOME-WiFI
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 326
    auth-server SRV-NPS01
    auth-survivability
    rf-band all
    captive-portal disable
    hide-ssid
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter all
    radius-reauth-interval 720
    g-min-tx-rate 24
    a-min-tx-rate 24
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    okc
    dot11r
    ---------------------------------------------------
    Profile1:
    wlan ssid-profile SomeOther-WiFi
    enable
    index 1
    type employee
    essid SomeOther-WiFi
    wpa-passphrase RandomPassword
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan 329
    auth-server InternalServer
    rf-band all
    captive-portal disable
    hide-ssid
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    Any ideas why my Win8.1 can't roam with 802.1x but my Win7 can?


    /KP-Niklas


    #AP225