"Fast Reconnect" or "Session Resumption" results in about half as many
frames being used to reauthenticate the session.  In terms of "meat
space" time, the difference isn't substantial.  However, a full PEAP or
TTLS authentication can take up to 100ms to complete.  (TTLS is a little
faster than PEAP, because PEAP does a lot more stuff inside the TLS
tunnel than TTLS.) So, if you are using VoIP, it might be worth fighting
with session resumption (or Fast Reconnect, or whatever you want to call
it.)  But, you might be better off pushing on your VoIP phone provider
to implement preauthentication with 802.11i.  That takes half as many
frames as a resumed session does. ;)

In my experience, session resumption sounds like a good idea.  But there
are a *LOT* of things that can go wrong.  Supplicants may flush their
session cache if they lose association for a short time.  If you have
redundant servers, sessions may not resume properly.  (In order for it to
work you have to auth against the same server.)  If the driver chooses
to switch APs mid-authentication, you can end up with a real mess.  You
would probably find that these are the main reasons that it fails.

On Tue, 2006-03-21 at 11:36 -0500, Flagg, Martin D. wrote:
>  I suspect roaming would work better with fast reconnect enabled but have
> not done much testing.  When I finally found the solution I was so happy
> (it was the first week or two of school and I had other issues to deal
> with) that I never tested again.  The problem was so intermittent and so
> frustrating when it would happen (locked out for hours) that I did not
> want to revisit till summer.
> 
> I have not received any complaints about roaming and really do not have
> too many people walking around with their laptops on.  No VOIP phones
> yet so they have not been an issue.
> 
> Martin D. Flagg 
> Network Engineer/Administrator 
> 
> 
> 
> 
> -----Original Message-----
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, March 21, 2006 11:29 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Another RADIUS Question (802.1x)
> 
> Thanks, Martin- what does that do to roaming/reauth, and are you doing
> any voice? Put another way- have you identified trade-offs to disabling
> fast reconnect on ACS?
> 
> Lee
> 
> >>> [EMAIL PROTECTED] 3/21/2006 11:26 AM >>>
> Sorry, I did not specify, the article states exactly what I found,
> disable fast reconnect on ACS.  Been working great this entire school
> year.
> 
> 
> Martin D. Flagg
> Network Engineer/Administrator
> Hiram College 
> 
> 
> -----Original Message-----
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 21, 2006 11:23 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Another RADIUS Question (802.1x)
> 
> OK Martin- share the love. What was your corrective action?
> 
> As for the Windows hotfix- it made a huge difference in functionality (I
> just implemented it). But...
> 
> - Microsoft needs to be contacted and they have to send it to you.
> - They say it's not well-tested and to be used with caution
> 
> So... not sure of the production-quality value. But in test, certainly
> seems to have fixed at least two machines using the Windows client (not
> yet tested with the vendor client utilities).
> 
> Lee
> 
> >>> [EMAIL PROTECTED] 3/21/2006 11:17 AM >>>
> I had this problem months ago when I upgraded to 3.2.  I finally found
> the solution by trial and error with no help from Cisco, took about a
> week of troubleshooting.   
> 
> 
> Martin D. Flagg
> Network Engineer/Administrator
> Hiram College 
> 
> 
> -----Original Message-----
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 21, 2006 10:41 AM
> To: [email protected]
> Subject: Re: [WIRELESS-LAN] Another RADIUS Question (802.1x)
> 
> Hi Archana,
> 
> Long time- hope all is well with you.
> 
> Just got info from Cisco that I will share with the group, but haven't
> tried to do anything with it yet:
> 
> >Regarding your concern, I did a research about this specific situation
> >and found new information in this case.
> 
> >In this moment I let you know that we could be affected by the
> >following bug: CSCef50870
> 
> >To check the details of the DDTS I just mentioned please refer to the
> >following link:
> >http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCef50870&Submit=Search
> 
> >In this specific situation the action plan will be to apply the hotfix of
> >Microsoft KB885453 and verify the behavior of the authentication
> >process.
> 
> 
> We'll see if it makes a difference...
> 
> Lee
> 
> 
> 
> >>> [EMAIL PROTECTED] 3/21/2006 10:09 AM >>>
> Lee,
> 
> We use Cisco 1200s, Free Radius, LDAP (authz), Kerberos(authc), PEAP,
> WPA. We have this scenario in a pilot environment.
> 
> We have not seen the symptom you describe. On the other hand I have
> observed an occasional "validating identity" if a user is on the network
> for a very long time causing the connection to hang ( a few hours), but
> this has been sporadic and I'm still trying to see if there is a pattern
> to it.
> 
> Please share your results if you do learn something from your debug
> process and we will do the same!
> 
> Thanks,
> Archana
> 
> Lee Badman wrote:
> 
> >Using Cisco 1130, ACS, Acs remote agent on a server in AD environment,
> >PEAP, WPA.
> >
> >Finding that Mac clients are a breeze to setup, very reliable
> >performance under OS X 10.4.5 with the above described framework.
> >
> >On Windows XP clients, getting a curious effect- if the wireless
> >connection is "cold"- like first of the day, or off for several hours-
> >the initial connection is rather peppy, works like a champ- user auth,
> >good keys setup, stable and solid connection.
> >
> >But, when you disconnect and then try to come back in get loooooong
> >periods of "waiting for network to be ready", "attempting to
> >authenticate" and or "validating identity". Ultimately, this session
> >goes nowhere. But turn off radio or remove card and wait hours, all is
> >well again and the next "initial" connection flies right through.
> >
> >Am starting the debug process, but wondering if this has already been
> >experienced by someone that might be able to enlighten me?
> >
> >Thanks- and Happy St. Patty's Day!
> >
> >Lee
> >
> >Lee Badman
> >Network Engineer
> >CWNA, CWSP
> >Information Technology and Services
> >(Formerly Computing and Media Services) Syracuse University
> >(315) 443-3003
> >[EMAIL PROTECTED]
> >
> >**********
> >Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
> >
> >  
> >
> 