Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client don't go to auth role

  • 1.  Client don't go to auth role

    Posted Jan 14, 2016 09:07 AM

    Hello, all!

     

    Controller 620.

    Software 6.4.2.2

    SSID with WPA2-personal auth.

     

    Customer complains that a few times a day, IPTV disappears on the TV (Wi-Fi client).

    Client debug shows a strange situation: as if the client receives an IP, takes the logon role and that's all, it doesn't receive the auth role.

    And so cyclically every 5 minutes (default timer).

    Attached: #show log user-debug all | include <MAC of TV>

     

    Is there any advice?

     

    Thank you!

    Attachment(s): Client debug.txt (31 KB)


  • 2.  RE: Client don't go to auth role

    Posted Jan 14, 2016 09:10 AM
    Do you have PEF licenses on your controller?


  • 3.  RE: Client don't go to auth role

    Posted Jan 14, 2016 09:12 AM

    No.

     

    Thank you!



  • 4.  RE: Client don't go to auth role

    Posted Jan 14, 2016 09:20 AM
    That's the reason: in order for you to apply another user-role you need a PEF license (enables firewall capabilities on the controller); otherwise you will get the logon role, but everything should be allowed since there are no firewall capabilities enabled.


  • 5.  RE: Client don't go to auth role

    Posted Jan 14, 2016 09:42 AM

    OK

    1. Which role does an authenticated client take?

    As I understand, the client connects, receives an IP and takes the logon role.

    After successful authentication (in my case WPA2-personal) the client has to take the authenticated role.

    Or not?

     

    And this functionality has to work without a firewall license. The firewall license can only give me the possibility to create new user roles, which I want (if we are talking about roles).

    2. In other words, you mean that the client has the same role, logon, before and after authentication?

    So what is the reason for WPA2 security? )))

    3. Other clients work fine.

     

    Thank you!



  • 6.  RE: Client don't go to auth role

    MVP
    Posted Jan 15, 2016 09:53 AM

    First off, WPA2-Personal (=WPA2-PSK) isn't really authentication (even after the device has associated you have no idea who has associated, since every connected device uses the same passphrase).

     

    When the user connects using the correct passphrase he ends up in the "initial role", which is defined in the AAA profile.

    You have this initial role set to the logon user-role. This role does indeed have a limited lifetime, after which the association process starts again. If you change this initial role to guest (instead of logon) you get the same rights (no PEF means everything is allowed) but without the reconnect every 10 minutes.

     

    With WPA2-PSK this initial role is the only role ever applied to a client. If a user tries to connect without having the correct passphrase he is denied access altogether and receives no role or IP address at all.

     

    WPA2 (WPA2-Enterprise) is different from this, as it requires a username and password instead of a passphrase and does end up in the "802.1X Authentication Default Role" after authenticating (with a basic config not enforcing machine authentication). If authentication fails he doesn't receive any role or IP address.

     

    All the above is possible without a PEF license installed on the system.

     

    Without a PEF license any and all user-roles allow everything.

    With a PEF license installed you can create new rules and configure any rule to allow or disallow whatever you like.

     

     
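    The change described in the reply above, written out as ArubaOS 6.x CLI. This is an added example, not configuration from the thread; the AAA profile name `iptv-aaa` is assumed, and command output is not reproduced.

```text
! Check whether a PEF license is present (without it every user-role permits all traffic)
show license

! Inspect the AAA profile the wizard created and note its "Initial role" line
show aaa profile iptv-aaa

! Before: the short-lived logon role is the initial role, so a WPA2-PSK client
! is forced to re-associate each time the role's lifetime expires
configure terminal
aaa profile iptv-aaa
   initial-role logon
!

! After: make guest the initial role for the WPA2-PSK SSID; with no PEF license
! it allows the same (all) traffic, but carries no re-association timer
aaa profile iptv-aaa
   initial-role guest
!
write memory

! For a WPA2-Enterprise SSID the post-authentication role is set with
! "dot1x-default-role <role>" in the same AAA profile instead

! Verify: the TV's entry should now show role "guest" and stop cycling
show user mac <MAC of TV>
```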



  • 7.  RE: Client don't go to auth role

    Posted Jan 15, 2016 10:03 AM

    So if I change the authenticated role to GUEST (in AAA profiles), I'll be happy, without any issues?

     

    Thank you!

     



  • 8.  RE: Client don't go to auth role

    MVP
    Posted Jan 15, 2016 10:09 AM

    No, if you are using WPA2-Personal you need to change the initial role to guest.



  • 9.  RE: Client don't go to auth role

    Posted Jan 18, 2016 07:30 AM

    Thank you for your help!

    Put the initial role to GUEST.

    Watching the behavior.

     

    The main question is: why do we need to do some workaround if the customer is buying a complete solution (the firewall license is simply an extension of functional capabilities)? So without the firewall license this solution has to work normally. But it has some issues, like the 5-minute reconnect...



  • 10.  RE: Client don't go to auth role

    MVP
    Posted Jan 18, 2016 07:37 AM

    You do not need a workaround. You need the correct configuration. Whether you have or haven't got a PEF license doesn't change that.

     

    The logon role is intended for logons. And for logons it is a good idea to have users reassociate. A user shouldn't be stuck in a logon role for a long time; hence, if he is, force a re-association to see if that fixes the (possible) issue.



  • 11.  RE: Client don't go to auth role

    Posted Jan 18, 2016 07:42 AM

    OK.

    Maybe we have some misunderstanding.

    I mean that the simple customer solution is:

    1. The customer creates a VLAN, creates an SSID with WPA2 authentication and everything works fine.

    The client connects to the SSID, types the password and works in this WLAN for a long time.

    We can have this simple solution with the Wizard.

    With the Wizard we made the WLAN, but faced an incomplete solution, which should be further configured.

     

    Thank you!



  • 12.  RE: Client don't go to auth role

    MVP
    Posted Jan 18, 2016 08:00 AM

    OK, I didn't realize the wizard sets the logon role by default, as I never use the wizards. This could indeed use a little tweaking then.

    Then again, we haven't confirmed this is actually your problem, as the reassociation should be nearly invisible from the end-user perspective, so let's wait for your client's confirmation.