Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Let's Go Roam

  • 1.  Let's Go Roam

    EMPLOYEE
    Posted Nov 22, 2011 09:29 AM

    Here is a list of the changes that TAC made to my configuration in order to get mobile devices roaming properly. These settings also solve the slow performance issue on iOS devices when using encryption on your SSID. This will not prevent a hiccup if you are roaming from one controller to another, as that requires a re-auth, unless you do some fancy IP mobility.

    Even though the AAA profile below says dot1x, it was done on both a WPA2-AES and a WPA2-PSK SSID. I am only showing the lines added! The "....." indicates that there are other lines already in this config area but not changed.

    aaa authentication dot1x "Your-dot1x-profile"
    .....
    validate-pmkid
    !

    rf optimization-profile "Your-rf-opt-profile"
    handoff-assist
    !


    TAC also disabled Client Aware, but I believe this was just for testing purposes.



  • 2.  RE: Let's Go Roam

    Posted Nov 22, 2011 09:45 AM

    I've seen the need to disable OKC and enable "validate-pmkid" for almost all WPA2 environments with Apple Mac OS X clients.

    I'm going to assemble a list of "poor or no OKC" clients and add them to this thread.

    Thanks Zach



  • 3.  RE: Let's Go Roam

    Posted Dec 22, 2011 11:25 AM

    Thanks Zack!

    So what's this function for?

    validate-pmkid

    handoff-assist



  • 4.  RE: Let's Go Roam

    EMPLOYEE
    Posted Dec 22, 2011 12:02 PM

    Just to level set:

    OKC, or opportunistic key caching, is a mechanism that allows devices to NOT have to re-negotiate keys with a RADIUS server when roaming from one access point to another AP that they have already been on. Devices that support OKC enjoy faster roam times to access points to which they have previously associated. This ONLY applies on an 802.1X WLAN.

    Mac OS X devices do NOT support OKC, so if OKC is enabled in the 802.1X profile (it is by default), Macs will not complete their key exchange and it will manifest itself as a connectivity issue. If you have a 100% Mac environment, it is best just to turn OKC off in the 802.1X profile. Validate-PMKID provides a way to check whether a device is attempting to associate using OKC, but allows clients like Macs that do not support OKC to complete a full key exchange. Having OKC and Validate-PMKID is for when you have a mixed environment and you want to support clients that do OKC, but also allow non-OKC clients to co-exist. You can also get by by turning OKC off altogether with few, if any, issues. OKC is much more important for voice clients, where VoIP applications are very sensitive to roaming and need that fast roaming support.

    Handoff-Assist is an old Aruba method of improving roaming by actively deauthenticating clients that fall under a certain signal threshold. Some clients do not take too kindly to being actively deauthenticated, so this is a method that is not used very often anymore. A better method of improving roaming is using the "local probe response threshold" parameter in the Advanced tab of the SSID profile. A super-long thread on how to configure this is here: http://community.arubanetworks.com/t5/Wireless-and-RF/Two-channel-plan-vs-Three-channel-plan/m-p/10115/highlight/true#M261
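
    Added illustration, not part of the thread or of any Aruba code: a small Python model of the validate-pmkid decision described in the post above, built on the PMKID derivation from IEEE 802.11 (HMAC-SHA1-128 over "PMK Name" || AP MAC || station MAC). The PMK and MAC addresses are constructed sample values, and the controller/client logic is a deliberate simplification of what a real mobility controller does.

```python
import hashlib
import hmac


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as defined in IEEE 802.11."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def client_pmkid_list(pmk: bytes, ap_mac: bytes, sta_mac: bytes, supports_okc: bool) -> list:
    """PMKIDs a station puts in its (Re)Association Request for a not-yet-visited AP.
    An OKC client derives one from the PMK it already holds; a non-OKC client offers none."""
    return [pmkid(pmk, ap_mac, sta_mac)] if supports_okc else []


def controller_decision(pmk_cache: dict, validate_pmkid: bool, ap_mac: bytes,
                        sta_mac: bytes, offered: list) -> str:
    """Controller side with OKC enabled: 'okc-fast-roam' skips 802.1X and goes straight
    to the 4-way handshake; 'full-dot1x' runs the RADIUS exchange again."""
    pmk = pmk_cache.get(sta_mac)
    if pmk is None:                      # never authenticated here: nothing to reuse
        return "full-dot1x"
    if validate_pmkid:
        expected = pmkid(pmk, ap_mac, sta_mac)
        if any(hmac.compare_digest(p, expected) for p in offered):
            return "okc-fast-roam"       # client proved it holds the same PMK
        return "full-dot1x"              # no or wrong PMKID: fall back gracefully
    return "okc-fast-roam"               # no validation: assume the cached PMK is usable


def simulate_roam(validate_pmkid: bool, client_supports_okc: bool) -> tuple:
    """Roam a station from AP1 to AP2. Returns (controller decision, key exchange completes)."""
    # Constructed sample values: a demo PMK and locally administered MAC addresses.
    pmk = hashlib.sha256(b"constructed demo PMK, not a real key").digest()
    sta = bytes.fromhex("021122334455")
    ap2 = bytes.fromhex("02aabbccdd02")
    pmk_cache = {sta: pmk}               # learned from the full 802.1X exchange on AP1
    offered = client_pmkid_list(pmk, ap2, sta, client_supports_okc)
    decision = controller_decision(pmk_cache, validate_pmkid, ap2, sta, offered)
    # The exchange only completes when both sides agree on how it starts. A controller
    # that jumps to the 4-way handshake against a non-OKC client is the
    # "will not complete their key exchange" symptom described in the thread.
    client_expects = "okc-fast-roam" if client_supports_okc else "full-dot1x"
    return decision, decision == client_expects
```

    Running simulate_roam over all four combinations shows the one failing case is OKC on, validate-pmkid off, with a client that does not support OKC.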



  • 5.  RE: Let's Go Roam

    EMPLOYEE
    Posted Dec 22, 2011 12:26 PM
    Thanks Colin. I'm not sure TAC tried the local probe response method or not. After several hours of changes and tests, perhaps the station handoff assist was a last ditch attempt to get our iPads to roam properly.


  • 6.  RE: Let's Go Roam

    Posted Jan 02, 2013 05:40 PM

    What is the point of changing the dot1x profile configuration if we're not using any kind of dot1x authentication?