Wireless Access

I've a user who is reporting that he's continually having to re-log into the network. Upon investigation it looks like he is equi-distant from two APs. Airwave is showing that he is quite often being unstuck, moving from one close by AP to another. (see attached). 

I understand that ClientMatch sends a de-auth to the client, and therefore I beieve the user would have to re-authenticate via portal or 802.1x once one of these events happened? Therefore, clientmatch is a possible cause of the reported behaviour?

(I've yet to visit site to check the actual RF side of things in the area. )

Try upgrading 4.0.0.4 and use the OCK.

Support for Client Roaming Based on Opportunistic Key Caching

Instant also supports opportunistic key caching (OKC) based roaming. In the OKC based roaming, the AP stores a
cached pairwise master key (PMK) for each client, which is derived from last 802.1X authentication completed by
the client in the network. By default, the 802.1X authentication profile enables a cached PMK, which is used when a
client roams to a new AP. The cached PMK is used when a client roams to a new AP. This allows faster roaming of
clients between the IAPs in a cluster, without requiring a complete 802.1X authentication.

some usefull options to debug client-match

(config) #logging level debugging arm-user-debug <mac>

(config) #show ap virtual-beacon-report client-mac <mac>

(config) #show log arm-user-debug all

(config) #show ap client trail-info <client-mac>

and you can adjust  Client Match settings if needed

Thanks, I'll delve into the debug to see if I can find out what's going on (assuming I can get the client online). 

Good to see that the client match settings are very configurable. lots of room for experimentation :)