Cisco 2504 Wireless Controller Technical Manual

Here is an example of the frame exchange:
These messages appear in the debug output:
*apfMsConnTask_2: Jun 21 19:02:19.709: 00:40:96:b7:ab:5c
  Reassociation received from mobile on BSSID 84:78:ac:f0:2a:90
!--- This is the Reassociation Request from the wireless client
     to the selected AP.

*apfMsConnTask_2: Jun 21 19:02:19.710: 00:40:96:b7:ab:5c
  Sending Assoc Response to station on BSSID 84:78:ac:f0:2a:90
  (status 0) ApVapId 1 Slot 0
!--- This is the Reassociation Response from the AP to the client.

As shown, the client successfully performs a roaming event after the Reassociation Request to the
new AP is sent, and receives the Reassociation Response from the AP. Since the client already
has an IP address, the first data frames are for ARP packets.
If you expect a roaming event, but the client sends an Association Request instead of a
Reassociation Request (which you can confirm from some captures and debugs similar to those
explained earlier in this document), then the client is not really roaming. The client begins a new
association to the WLAN as if a disconnection took place, and tries to reconnect from scratch. This
can happen for multiple reasons, such as when a client moves away from the coverage areas and
then finds an AP with enough signal quality to start an association, but it normally indicates a client
issue where the client does not initiate a roaming event due to drivers, firmware, or software
issues.
Note: You can check with the wireless client vendor in order to determine the cause of the
issue.
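One way to check a saved debug capture for the condition described above, as an added example that is not part of the original Cisco document: the script unwraps the debug records, then labels each request per client as a roam, an initial association, or a full re-association. It assumes the Association Request is logged as "Association received from mobile", mirroring the Reassociation line shown above; the sample log and the 02:... addresses are constructed.

```python
import re

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
REQ = re.compile(rf"^\*\S+: (.+?): ({MAC}) (Reassociation|Association) "
                 rf"received from mobile on BSSID ({MAC})")

# Constructed sample in the page's wrapped layout. "Association received" is assumed
# to mirror the Reassociation line; the 02:... addresses are made up.
SAMPLE = """\
*apfMsConnTask_1: Jun 21 19:01:02.100: 00:40:96:b7:ab:5c
  Association received from mobile on BSSID 02:00:00:00:10:00
*apfMsConnTask_2: Jun 21 19:02:19.709: 00:40:96:b7:ab:5c
  Reassociation received from mobile on BSSID 84:78:ac:f0:2a:90
!--- constructed annotation that wraps
     onto a second line
*apfMsConnTask_2: Jun 21 19:02:19.710: 00:40:96:b7:ab:5c
  Sending Assoc Response to station on BSSID 84:78:ac:f0:2a:90
  (status 0) ApVapId 1 Slot 0
*apfMsConnTask_1: Jun 21 19:03:00.500: 02:00:00:00:00:aa
  Association received from mobile on BSSID 02:00:00:00:10:00
*apfMsConnTask_2: Jun 21 19:04:10.250: 02:00:00:00:00:aa
  Association received from mobile on BSSID 84:78:ac:f0:2a:90
"""

def unwrap(text):
    """Join indented continuation lines; skip '!---' annotations and their tails."""
    records, in_note = [], False
    for line in text.splitlines():
        if line.startswith("!---"):
            in_note = True
        elif line.startswith("*"):
            records.append(line.strip())
            in_note = False
        elif line[:1].isspace() and records and not in_note:
            records[-1] += " " + line.strip()
    return records

def classify(text):
    """Return (time, client, kind, bssid, verdict) per (re)association request."""
    seen, events = set(), []
    for m in filter(None, map(REQ.match, unwrap(text))):
        ts, client, kind, bssid = m.groups()
        client, bssid = client.lower(), bssid.lower()
        verdict = ("roam" if kind == "Reassociation" else
                   "full re-association, not a roam" if client in seen else
                   "initial association")
        seen.add(client)
        events.append((ts, client, kind, bssid, verdict))
    return events
```

"Initial association" only means the client was not seen earlier in the same capture, so start the debug before the client first connects if the verdicts are to be trusted.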
Roaming with Higher-Level Security
When the SSID is configured with L2 higher-level security on top of basic 802.11 Open System
authentication, more frames are required for the initial association and when roaming. The
two most common security methods standardized and implemented for 802.11 WLANs are
described in this document:
- WPA/WPA2-PSK (Pre-Shared Key): authentication of clients with a pre-shared key.
- WPA/WPA2-EAP (Extensible Authentication Protocol): authentication of clients with an
  802.1X/EAP method in order to validate more secure credentials (such as certificates,
  username and password, and tokens) through the use of an Authentication Server.
It is important to know that, even though these two methods (PSK and EAP) authenticate/validate
the clients in different ways, both use basically the same WPA/WPA2 rules for the key
management process. Whether the security is WPA/WPA2-PSK or WPA/WPA2-EAP, the process
known as the WPA/WPA2 4-Way handshake begins the key negotiation between the WLC/AP and
the client with a Master Session Key (MSK) as the original key material once the client is validated
with the specific authentication method used.