Original Message:
Sent: Nov 28, 2024 10:41 AM
From: ajorigenes17
Subject: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION
Hello!
This is new for me regarding the mobility ID. How can I configure this one? Is this on ClearPass or in the controller itself? By the way, we are using a single SSID in the whole university, and we implement dynamic VLAN based on user role and AP Groups under CPPM.
Original Message:
Sent: Nov 28, 2024 10:13 AM
From: chulcher
Subject: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION
If you have 802.11r enabled and the devices are fast roaming outside of the area that you want them to do so, then you need to configure the mobility ID to be different for the various areas.
https://www.arubanetworks.com/techdocs/ArubaOS_8.12.0_Web_Help/Content/arubaos-solutions/virtual-ap/fast-bss-tran.htm
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 28, 2024 06:20 AM
From: ajorigenes17
Subject: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION
Hello!
Yes, I understand that 802.11k/r/v needs to be enabled for a better user experience. However, based on our testing, some Android devices do not re-authenticate to ClearPass when moving between different buildings, even though each building is approximately 100 to 200 meters apart. Ideally, users should re-authenticate when moving to a different building, as they are disconnected while roaming to the new location. Reauthentication works fine on iOS, Windows, macOS, and some Android devices, but there are cases where certain Android devices fail to re-authenticate. This prevents these devices from being assigned the correct VLAN for the new location.
Original Message:
Sent: Nov 26, 2024 07:53 AM
From: jsolb
Subject: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION
Hello!
With Controller, we used an L3 Mobility design to ensure that the client could seamlessly roam between campus buildings. What is this solution based on? AOS10 or AOS8 Controller?
Regardless, if an authentication is not triggered to ClearPass, it is most likely because fast roaming is in play (802.11r/k/v) and not all devices support it. This is something you want to have active, as turning it off kills your Wi-Fi experience. You need to take a good look at your design again here, mate.
Read more about it https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221671-understand-802-11r-11k-11v-fast-roams-on.html
Also - read up on AOS10 design here - https://www.arubanetworks.com/techdocs/VSG/docs/035-campus-migrate/esp-campus-migrate-030-planning-iap/
------------------------------
John-Egil Solberg |
ACMX#316 | ACCX#902
Original Message:
Sent: Nov 25, 2024 08:29 AM
From: ajorigenes17
Subject: RANDOM ANDROID DEVICE UNABLE TO RE-AUTHENTICATE TO THE CLEARPASS USING 802.1X WITH VLAN ENFORCEMENT CONFIGURATION
Good Day,
I am implementing dynamic VLAN or VLAN enforcement in a university where each building is assigned different VLANs based on user roles. The client prefers this configuration as it simplifies the application of firewall policies for each building, if necessary, and aids in monitoring. The configuration works as intended, where users receive a dedicated VLAN based on their location.
However, we have noticed an issue with some random Android devices. These devices are unable to obtain the correct VLAN or IP address based on the user's location unless the user manually performs a "Forget SSID" action on their device. Upon investigation, we found that the user's device does not re-authenticate with ClearPass when moving to another building. This prevents the device from being assigned the accurate VLAN for the new location.
Issue Scenario:
- When a user connects to the SSID for the first time, ClearPass successfully authenticates the user and assigns the correct VLAN and IP address for that location.
- When the user moves to a different building and reconnects to the SSID, the device bypasses re-authentication with ClearPass. As a result, the device retains the VLAN and IP address assigned in the previous building, instead of receiving a new assignment for the current location.
This issue appears to be specific to certain Android devices. iOS, Windows, and macOS devices always re-authenticate with ClearPass when users move between buildings, ensuring they receive the correct VLAN. Additionally, affected Android devices bypass the active session count policies because they fail to re-authenticate with ClearPass after the initial successful authentication.
I just want to know if you have a solution to this issue, or whether it is because Android has a different interpretation when it comes to the 802.1X protocol.
Thank you, and I look forward to your guidance.