08-16-2013 10:45 AM
Our environment consists of (2) master tier controllers, (2) local controllers, and (2) guest (DMZ) controllers which serve as anchor points for GRE. The (2) local controllers each have L2 GREs out to each guest controller. The Guest VLAN resides on each local controller; however, it is not trunked between them. Clients hit the Guest SSID and are redirected through the GRE.
The issue is that guests (who connect via a simple Captive Portal page) are complaining of having to reauthenticate very often. I've set the user-idle timeout setting to 10 min. While investigating this, I realized that they were often switching between the (2) local controllers. I've enabled VLAN mobility; however, we still appear to have the problem. Does the Guest VLAN have to be trunked between both locals for this to work? Both locals are trunking our internal VLANs via our Cisco infrastructure; the Guest VLAN is not, for obvious reasons. If this is required, could I simply connect the (2) locals via directly connected interfaces? Are there any commands I can run to validate VLAN mobility?
Thanks in advance for your help.
08-18-2013 11:53 PM
Please disable VLAN mobility on the VAP profile, as users are not moving or roaming from one local to another local controller.
The VLAN mobility feature basically helps if users are roaming (L2 roam) between controllers containing identical configuration.
We need to understand why the re-authentication occurs; do we have ClearPass in the background?
Enable debugging for user-debug on the controller. Also, do we have any AirWave to look for the reason why the user is doing re-auth?
Make sure there is no re-authentication configured on the user-role or on the server side.
Please open up a TAC case to verify and validate as well. Thanks!
08-19-2013 10:01 AM
Thanks for the reply. Well, that's just it... they are in fact switching between the two local controllers. Some buildings terminate to one local while others terminate on the other. I assume there is some overlap in coverage, therefore causing some guest clients to reauth when they connect to the other local. This is an L2 guest VLAN which is the same on both local controllers; however, we are not trunking this VLAN between the two locals, as the only trunks configured currently are going down to our internal network infrastructure.
Just curious what the requirements are for VLAN mobility, and if my assumption of an L2 trunk between locals is a requirement for it to work? Are there any commands that I could use to verify VLAN mobility?