Doesn't anyone Know anything about roaming?

 
 
Sam Salhi [MSFT]
      10-13-2004
Are you getting a slew of reason codes 96 and 97 when you roam?
Roaming is supported in IAS and should work great. But some vendor
implementations are not 100% PEAP RFC compliant. This would cause issues
when roaming.

To test this theory, enable EAP-TLS (full auth happens, no fast-reconnect)
and see if your laptops lose connectivity. If they don't, then I suggest you
contact the AP vendor for updated firmware.

The next point would be to provide us with event logs, trace logs, and a
netmon sniff to be able to tell for sure if this is the case.

HTH


--
=============================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=============================================

"RogerC" <> wrote in message
news:...
> Hi Bar,
> Thanks for your response.
> To clarify a few points....
> I did not say "2 APs per server" - I have 2 windows 2003 servers that are
> DC's with IAS configured. The 4 Access points are setup to use both of
> them as their primary and secondary RADIUS servers. The access points are
> set with the same SSID but all different channels.
> The clients and servers use PEAP-MS-CHAP v2 authentication with 'fast
> reconnect' enabled on the laptop and servers
> The building I am trying to cover is a long two storey office block with a
> large central staircase. I need an access point in each 'wing' to get
> sufficient coverage.
> A laptop user will successfully authenticate against the nearest access
> point but if he/she moves to another wing to say go for a meeting, even
> though there is an access point in the meeting room area the laptop will
> remain on the original access point even though the signal is too weak to
> be useable.
>
> RogerC
>
> "BAR" <> wrote in message
> news:E83086FC-8261-4EF5-93A7-...
>> How large an area do you need to cover?
>> Roaming and random connections leaves you open to unauthorised access.
>> If you have all the access points set up the same then network adapters
>> in the Laptops will not properly differentiate between the APs: except
>> for signal strength, so you'd need to set channels differently for each
>> one.
>>
>> Many issues in doing what you have suggested, and why 2 APs per server?
>>
>> My basic recommendations follow this:
>>
>> OK you have a PC connected to the internet at home or the office and you
>> want other PCs to share the internet access. Hopefully you'll have Cable
>> or DSL internet access.
>> What should one do?
>> First, make sure everything you buy conforms to the dominant wireless
>> standard known as 802.11b, or Wi-Fi (short for wireless fidelity). That
>> way you can mix brands, operating systems, even network a Mac to a
>> Windows PC and everything should still work together.
>> There are two new, faster versions of Wi-Fi: 802.11a and 802.11g. "A" is
>> for business use; "g" is for the home. Both bump networking speeds up
>> from 11 megabits per second to 54 mbps. But unless you're moving around
>> big video files or sharing other graphics-rich multimedia applications,
>> "b" will be more than sufficient. If you still want "g," wait until the
>> standard has been officially ratified this summer.
>> The heart of your network will be a wireless access point and the
>> Internet Access or preferably one device that does both called a router,
>> acting as Wireless Access Point and cable or DSL modem and Network
>> Switch. The two-in-one units, available from Linksys, D-Link, Netgear and
>> others, start at about $100; with a few Ethernet ports and USB port too,
>> so you can connect to PCs using a standard Ethernet cable or USB cable.
>> To establish a wireless connection between a desktop PC and the wireless
>> router, you need a USB or Ethernet Cable.
>> To connect a notebook PC, you'll need a wireless PC card. If new
>> notebooks have Wi-Fi capabilities built in. Notebooks with Intel's new
>> Centrino chip, for example, are Wi-Fi-enabled.
>> Note that 802.11g is backwards compatible with 802.11b - meaning a laptop
>> with a "g" card will talk to a "b" router, albeit at the slower speed -
>> but 802.11a is not. If your office installs an 802.11a network, get a
>> dual-band wireless PC card for your laptop so that it can connect both at
>> home and at work.
>> Make sure that the software that comes with your gear will walk you
>> through the installation. The steps will vary slightly, depending on each
>> computer's operating system. The older the OS, the trickier it can be;
>> Windows XP is designed to detect and configure a PC card to talk to an
>> existing network.
>> Before you start, gather the following information:
>> - your broadband connection's IP address, e.g., 123.43.2.1
>> - subnet mask, e.g., 255.255.122.0
>> - default gateway e.g., 192.168.0.2
>> - DNS IP addresses e.g., 123.123.123.1
>> You can get these things from your Internet provider; your
>> customer-service rep will know what you're talking about (or you can find
>> this using the Properties tab, under Network Connections). Each is just a
>> series of numbers (e.g., 123.43.2.1) that you'll be prompted to plug in
>> during setup. (If your provider supports a protocol called DHCP, your
>> router should retrieve these settings automatically when you plug it in.)
>> You may also be asked to choose an SSID (service set identifier) I
>> recommend that you do not accept the default setting as anyone nearby
>> with a wireless device can also use your internet access. Set your SSID
>> to a meaningful name use your Business Name. For work-group name use
>> 'Wireless' and a wireless channel select from 1 - 11, I recommend you use
>> a higher channel as default settings usually select the lower end. Keep
>> these consistent for all of your machines.
>> Security
>> For additional security you can and should use Wired Equivalent Privacy
>> (WEP) algorithm: and set this at 64bit: you can then choose a combination
>> of 10 hexadecimal characters [0-9 + A-F], again for this may I recommend
>> you select your mobile phone number as it is 10 characters long and not
>> known to all your neighbours.
>> Additionally you can set the Access Point to only allow access to
>> specific units, where you would enter their MAC address, again a series
>> of Hex numbers, usually found on the Wireless Card plugged into the
>> Laptops or other desktop PCs.
>>
>>
>>
>>
>> "RogerC" wrote:
>>
>>> Hi,
>>> Although I have put several posts on this and other newsgroups about
>>> wireless roaming I have never had any replies.
>>> Is there any documentation anywhere about setting up a wireless network
>>> with
>>> several access points to enable laptops to 'seamlessly roam' between
>>> them?
>>>
>>> I am using 2 win2003 servers with IAS, 4 access points with 802.1x
>>> enabled
>>> and win XP sp1 & sp2 clients. The clients authenticate correctly but
>>> will
>>> not roam when moving to another area.
>>>
>>> Thanks,
>>> RogerC
>>>
>>>
>>>

>
>
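
An added example, not part of the original posts: one way to check the question in Sam Salhi's reply above (do reason codes 96 and 97 show up when a laptop roams?) against authentication records. The record layout, AP names and MAC addresses are constructed for illustration and are not the IAS log format; only the two reason codes come from the thread.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records (hypothetical layout, NOT the IAS log format):
# time, client MAC, AP that relayed the request, result, reason code (0 = accepted)
SAMPLE_LOG = """\
2004-10-13 09:00:01,02-00-00-00-00-01,AP-WING-A,accept,0
2004-10-13 09:05:00,02-00-00-00-00-02,AP-WING-A,accept,0
2004-10-13 09:41:10,02-00-00-00-00-01,AP-WING-B,reject,96
2004-10-13 09:41:12,02-00-00-00-00-01,AP-WING-B,reject,97
2004-10-13 09:41:40,02-00-00-00-00-01,AP-WING-B,accept,0
2004-10-13 09:50:00,02-00-00-00-00-02,AP-WING-A,reject,96
2004-10-13 10:02:00,02-00-00-00-00-03,AP-WING-C,accept,0
2004-10-13 10:30:00,02-00-00-00-00-03,AP-WING-D,accept,0
"""

ROAM_REASON_CODES = {96, 97}  # the two codes named in the post


def parse(log_text):
    """Parse the constructed CSV into dicts sorted by time."""
    rows = []
    for ts, mac, ap, result, reason in csv.reader(io.StringIO(log_text)):
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "mac": mac.lower(), "ap": ap,
            "result": result, "reason": int(reason),
        })
    return sorted(rows, key=lambda r: r["time"])


def roam_failures(rows, window=timedelta(minutes=2)):
    """Map client MAC -> [(old_ap, new_ap, reason)] for 96/97 rejects logged
    within `window` of the client first appearing on an AP other than the
    one it last authenticated through."""
    last_ok_ap = {}   # mac -> AP of the last accepted authentication
    roam_start = {}   # mac -> (new AP, time first seen there)
    hits = {}
    for r in rows:
        mac, prev = r["mac"], last_ok_ap.get(r["mac"])
        if prev is not None and r["ap"] != prev:
            if roam_start.get(mac, (None,))[0] != r["ap"]:
                roam_start[mac] = (r["ap"], r["time"])
            started = roam_start[mac][1]
            if (r["result"] == "reject" and r["reason"] in ROAM_REASON_CODES
                    and r["time"] - started <= window):
                hits.setdefault(mac, []).append((prev, r["ap"], r["reason"]))
        if r["result"] == "accept":
            last_ok_ap[mac] = r["ap"]
            roam_start.pop(mac, None)
    return hits


if __name__ == "__main__":
    for mac, events in roam_failures(parse(SAMPLE_LOG)).items():
        print(mac, events)
```

A reject on the AP the client was already using (the second client in the sample) is not counted, and a roam that is accepted at once (the third client) produces no entry, so only failures that coincide with a change of AP are reported.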



 
Multiple remote access policies on Win2K
      11-05-2004
RogerC,
Cisco has a proprietary technology called WDS (Wireless Domain Services)
which allows you to roam from one AP to another without re-authenticating but
you need a Cisco ACS server.
One AP is set up as a master WDS AP and the rest are WDS AP clients. WDS
AP clients proxy the auth to the master WDS AP so the log shows as it's coming
from the master WDS AP even when you're roaming from different client APs. The
only problem is the client WDS AP talks LEAP to the WDS AP to verify the
credentials, that is why you need the ACS server.

Good news is you can set up the built-in RADIUS server on the master WDS AP
(I am using Cisco AP1100 btw) to do the client WDS AP LEAP authentication so
no need to buy the ACS.

Roaming works OK but I noticed while running a continuous ping when moving
from signal to I lose one ping but hey that's fine with me.

http://www.cisco.com/en/US/products/...801c951f.shtml

"RogerC" wrote:

> Hi,
> Although I have put several posts on this and other newsgroups about
> wireless roaming I have never had any replies.
> Is there any documentation anywhere about setting up a wireless network with
> several access points to enable laptops to 'seamlessly roam' between them?
>
> I am using 2 win2003 servers with IAS, 4 access points with 802.1x enabled
> and win XP sp1 & sp2 clients. The clients authenticate correctly but will
> not roam when moving to another area.
>
> Thanks,
> RogerC
>
>
>

 
Sam Salhi [MSFT]
      11-05-2004
WDS is not supported by IAS for multiple reasons:
A) It doesn't fit the security policy that IAS runs under, which requires
strong security practices. WDS, which is flexible, doesn't provide that
amount of security.
B) WDS only works with LEAP, which is much less secure than EAP-TLS and
PEAP. Again, it's very flexible but security is not its forte.
C) IAS doesn't send the access accept and encryption keys to anyone other
than the related access point/server. These keys are unique and are not
known by anyone else. With 802.11i the WDS model will potentially be broken
since not even the RADIUS server knows the encryption keys being used by the
access point/server, so roaming with this more secure model will not be
functional until revised.
D) Thin Access Point model, don't support from all these side effects since
authentication happens at the base switch and not at the access point itself

Now regarding the amount of time it takes a client to roam, this really
depends on the hardware (NIC and AP) not on the authentication server since
most authentications happen in <400ms. There are potentially many areas
where this can be slowed down, one of them might be DHCP, and other network
services


Hope you find this information useful


--
=============================================
This posting is provided "AS IS" with no warranties, and confers no rights

Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and
troubleshooting RADIUS using IAS"
This chat will help you resolve all of your RADIUS/IAS issues. You can ask
about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
services, related to IAS and RADIUS
Follow this link to join the chat
http://www.microsoft.com/communities...v29_IAS_RADIUS
=============================================

Al Blake
      11-19-2004
I am interested in your feedback on WDS (or I should say the Cisco WLSE
which uses WDS).
We have installed 20% of a 47 AP WLAN using EAP-TLS with IAS server
providing the security.
We only have one SSID and users are able to roam between the APs without
problems at the moment.

We have now just purchased a WLSE (2.7), which I understood could 'manage'
the access points in terms of setting power levels, doing neat things in
auto-site surveying etc. However, now we have the WLSE it seems that there
are significant limitations in that it will ONLY use LEAP for its
authentication......so does this mean our EAP-TLS will break?

Does anyone know if the two can coexist - i.e. using EAP-TLS to authenticate
the clients to the APs...but using LEAP for AP<->WLSE authentication so that
the WLSE can get all the neat info from the APs and tell us where we need to
move things to.
Thanks
Al.


Sam Salhi [MSFT]
      11-19-2004
Nope, they can't coexist.
EAP-TLS is the more secure of the two. LEAP is more flexible at the expense
of security. LEAP also doesn't use Certificates like EAP-TLS
I have heard that Cisco will be supporting EAP-FAST for WDS, so I would
assume it would extend that to WLSE. But it's their call. Contact Cisco
support for more help

--
=============================================
This posting is provided "AS IS" with no warranties, and confers no rights

=============================================
