We've seen issues where a campus was using non-controller
based Cisco equipment and had the same problems. As the
students moved around the campus their devices constantly
reauthenticated. They had to order a controller to help fix
the problem.

Another campus has controllers and has had success by
changing the reauthentication timeout to something like 6
hours.

Trent


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group
Listserv [mailto:[email protected]] On
Behalf Of Bruce Boardman
Sent: Friday, November 05, 2010 2:50 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Observed Signal Strength On
Encrypted Wireless

I agree, get the MAC and userid and drill in. It's not the
802.11x.

|Bruce Boardman, Network Engineer, Syracuse University -
315 889-1667
________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group
Listserv [[email protected]] On Behalf Of
Jonn Martell [[email protected]]
Sent: Friday, November 05, 2010 5:37 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Observed Signal Strength On
Encrypted Wireless

Hi David,

One of the unfortunate things about wireless LANs is the standards
never really address what parameters a vendor should use for a
client to decide when to roam and when to stay on the previously
associated AP.

The algorithms are generally based on RSSI (relative signal strength
indicator) which is a value that each manufacturer determines.  All
proprietary algorithms that are generally not advertised.  Other
things that vendors *might* use to decide when to roam vs staying on
the AP include the number of retries and the SNR.

A vendor for example might have messed up, their roaming algorithms
might be fine for Open but not so good for WPA2. They won't advertise
it - they will just release an updated driver which the users
generally don't upgrade unless told to.

So roaming is all over the map for different client stations. So for
one manufacturer, they might have a higher threshold and remain on a
previously associated AP longer.  That could be the cause of a lower
perceived signal strength.

With WPA2, the addition of encryption and keys does add a layer of
complexity and possible variables to this.

Do some vendors include other variables relating to WPA2 in their
proprietary roaming algorithms? I'm not sure but I would not be
surprised to see that some have...

There's a bunch of stuff in 802.11i that are optional in the WPA2
certification. The re-authentication adds some time but I don't think
that's the case here because unless you do very time sensitive work
(like VOIP), most users won't see the 802.1x/EAP re-auth latency.  The
whole PKC-Fast Roaming 802.11i thing will help in this area but
although it's supported in WPA2, I don't think it's mandatory.

I'm guessing that if you ask your help desk to record the usernames
and MAC addresses, you might find a pattern for poorly implemented
client drivers and supplicants?  That's where I might start to focus
my attention. If you can, get driver versions as well.

To determine if sticky roaming is the issue, I would also get the
helpdesk to work with users to disassociate when they have an issue
and re-associate, seeing if they end up using a stronger AP (with
stronger signal strength).  That can help determine if it's a roaming
issue or not to help you narrow the problem. If it's not a roaming
issue, then you should check your stats when the client is associated.

If the client runs CCX (the Cisco extensions), you can also get a
bunch of info from the controller using:

show client roam-history <client-MAC>
You can also run show and debug on l2roam

My guess is that it's a client issue.  If you called Tier1 support
from vendors they would advise: "Upgrade the drivers and try again :)"

Hope that helps.

 ... Jonn Martell, speaking as a CWNE/CWNT instructor ;)
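
An added example, not part of the original thread: one way to look for the pattern suggested above, grouping help desk tickets by MAC vendor prefix and driver version and flagging tickets where a manual disassociate/re-associate moved the client to a different AP with a clearly stronger signal. The ticket records, field names, AP names and the 10 dB threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed help desk records (not from the thread): AP and RSSI (dBm) when
# the user complained, then again after a manual disassociate/re-associate.
TICKETS = [
    {"user": "u1", "mac": "00:11:22:aa:bb:01", "driver": "1.0.3",
     "ap_before": "ap-lib-1", "rssi_before": -82, "ap_after": "ap-lib-3", "rssi_after": -58},
    {"user": "u2", "mac": "00-11-22-AA-BB-02", "driver": "1.0.3",
     "ap_before": "ap-dorm-2", "rssi_before": -80, "ap_after": "ap-dorm-5", "rssi_after": -61},
    {"user": "u3", "mac": "0011.22aa.bb03", "driver": "2.1.0",
     "ap_before": "ap-lib-1", "rssi_before": -60, "ap_after": "ap-lib-1", "rssi_after": -59},
    {"user": "u4", "mac": "66:77:88:00:00:04", "driver": "5.2",
     "ap_before": "ap-gym-1", "rssi_before": -79, "ap_after": "ap-gym-1", "rssi_after": -78},
    {"user": "u5", "mac": "00:11:22:aa:bb:05", "driver": "1.0.3",
     "ap_before": "ap-lib-2", "rssi_before": -84, "ap_after": "ap-lib-3", "rssi_after": -55},
]

IMPROVEMENT_DB = 10  # assumed: minimum RSSI gain that counts as "a stronger AP"

def oui(mac):
    """Normalise a MAC in any common notation and return its vendor prefix."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def is_sticky(t):
    """Sticky roaming: re-associating landed on a different, much stronger AP."""
    moved = t["ap_after"] != t["ap_before"]
    return moved and t["rssi_after"] - t["rssi_before"] >= IMPROVEMENT_DB

def summarize(tickets):
    """Return [((oui, driver), tickets, sticky)] with the worst group first."""
    groups = defaultdict(lambda: {"tickets": 0, "sticky": 0})
    for t in tickets:
        g = groups[(oui(t["mac"]), t["driver"])]
        g["tickets"] += 1
        g["sticky"] += is_sticky(t)
    rows = [(key, g["tickets"], g["sticky"]) for key, g in groups.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for (prefix, driver), total, sticky in summarize(TICKETS):
        print(f"{prefix}  driver {driver:<6} tickets={total} sticky={sticky}")
```

Tickets that stay on the same AP after re-associating are not counted as sticky; those are the cases where the client's stats while associated are the next thing to check.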


On Fri, Nov 5, 2010 at 1:12 PM, David Blahut
<[email protected]> wrote:
> Hello All,
>
> We are a Cisco CAPWAP shop and recently switched from non-encrypted web
> portal authenticated wireless to WPA2/802.1X/AES encrypted wireless with
> RADIUS and LDAP in the back end.  I have received several help desk tickets
> with reports along the lines that "now that we are using the encrypted
> wireless the signal is weaker or unusable".
>
> Anyone else experience this phenomenon?  I can't believe it's the wireless
> network, same radios after all.  I could see the client interpreting the
> signal level differently or the client associating to a more distant access
> point because the closer one is more heavily taxed due to the encryption.  I
> could even see that the encrypted wireless is more sensitive to RF
> interference.
>
> Anyway, any thoughts or ideas are welcomed.
>
> Thanks,
>
> David
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
