Wireless Access

Hi gurus,

I have to implement a network which consists of three buildings, each one in a different VLAN. I will go for Instant, with three Instant clusters, managed by AirWave and authentication with ClearPass captive portal. There will be the same guest SSID in the three buildings.

I understand I could implement L3 mobility between the clusters and the clients could roam between the buildings without the need for authenticating again. But the problem is there is no coverage between the buildings, so if a client moves from one building to another it will loose the connection for a few minutes. Because of this, I think if one client is already authenticated in one building, and moves to another one, because the connection will drop there will not be L3 roaming, and then when the client try to connect to the same guest SSID it will get a new IP address, and then will need to authenticate again.
Am I correct on this? Will MAC caching in ClearPass solve this?

Regards,
Julián

Julián,

 

Because your clients will drop connection as they move between buildings, I agree that mac caching with ClearPass will be your better option in this case.

Hi Charlie,

 

Then won't the clients need to authenticate again with ClearPass MAC chaching even when their IP addresses change? Then does ClearPass MAC caching only check if the device MAC address was already authenticated in the network?

 

Regards,

Julián

If the client has disconnected, it will be a new association/authentication regardless. Since they don't have an active association, the client device isn't truly roaming.

 

Mac caching provides a mechanism to check if the client device has successfully authenticated within a certain time period, and if so, to authenticate them directly to the post-auth role so that they bypass the captive portal. 

Hi Charlie,

 

I agree the client device isn't truly roaming since it doesn't have an active session. Then to be clear, and in my case, the process will be:

 

1. Client is within a building, will go to a new building and will drop the connection due to the gap of coverage between them.

2. Client will connect to the same guest SSID and a new association/authentication process will kick in.

3. Because the device was successfully authenticated within a time period, it will be authenticated directly to the post-auth role so that it will bypass the captive portal.

 

Am I correct?

 

Regards,

Julián

 

 

---

@fjulianom wrote:

Hi Charlie,

 

I agree the client device isn't truly roaming since it doesn't have an active session. Then to be clear, and in my case, the process will be:

 

1. Client is within a building, will go to a new building and will drop the connection due to the gap of coverage between them.

2. Client will connect to the same guest SSID and a new association/authentication process will kick in.

3. Because the device was successfully authenticated within a time period, it will be authenticated directly to the post-auth role so that it will bypass the captive portal.

 

Am I correct?

 

Regards,

Julián

 

 

---

Yes, correct. The only clarification I would add is that ClearPass is doing the mac caching for step 3 to function.

Hi Charlie,

 

Yes, sure, I forgot it. Thanks very much for your help.

 

Regards,

Julián