Doesn't anyone know anything about roaming?

Discussion in 'Wireless Networking' started by RogerC, Aug 25, 2004.

  1. RogerC

    RogerC Guest

    Hi,
    Although I have put several posts on this and other newsgroups about
    wireless roaming I have never had any replies.
    Is there any documentation anywhere about setting up a wireless network with
    several access points to enable laptops to 'seamlessly roam' between them?

    I am using 2 win2003 servers with IAS, 4 access points with 802.1x enabled
    and win XP sp1 & sp2 clients. The clients authenticate correctly but will
    not roam when moving to another area.

    Thanks,
    RogerC
    RogerC, Aug 25, 2004
    #1

  2. How large an area do you need to cover?
    Roaming and random connections leave you open to unauthorised access.
    If you have all the access points set up the same then network adapters in
    the Laptops will not properly differentiate between the APs: except for
    signal strength, so you'd need to set channels differently for each one.

    Many issues in doing what you have suggested, and why 2 APs per server?

    My basic recommendations follow this:

    OK you have a PC connected to the internet at home or the office and you
    want other PCs to share the internet access. Hopefully you’ll have Cable or
    DSL internet access.
    What should one do?
    First, make sure everything you buy conforms to the dominant wireless
    standard known as 802.11b, or Wi-Fi (short for wireless fidelity). That way
    you can mix brands, operating systems, even network a Mac to a Windows PC and
    everything should still work together.
    There are two new, faster versions of Wi-Fi: 802.11a and 802.11g. "A" is for
    business use; "g" is for the home. Both bump networking speeds up from 11
    megabits per second to 54 mbps. But unless you're moving around big video
    files or sharing other graphics-rich multimedia applications, "b" will be
    more than sufficient. If you still want "g," wait until the standard has been
    officially ratified this summer.
    The heart of your network will be a wireless access point and the Internet
    Access or preferably one device that does both called a router, acting as
    Wireless Access Point and cable or DSL modem and Network Switch. The
    two-in-one units, available from Linksys, D-Link, Netgear and others, start
    at about $100; with a few Ethernet ports and USB port too, so you can connect
    to PCs using a standard Ethernet cable or USB cable.
    To establish a wireless connection between a desktop PC and the wireless
    router, you need a USB or Ethernet Cable.
    To connect a notebook PC, you'll need a wireless PC card. If new notebooks
    have Wi-Fi capabilities built in. Notebooks with Intel's new Centrino chip,
    for example, are Wi-Fi-enabled.
    Note that 802.11g is backwards compatible with 802.11b — meaning a laptop
    with a "g" card will talk to a "b" router, albeit at the slower speed — but
    802.11a is not. If your office installs an 802.11a network, get a dual-band
    wireless PC card for your laptop so that it can connect both at home and at
    work.
    Make sure that the software that comes with your gear will walk you through
    the installation. The steps will vary slightly, depending on each computer's
    operating system. The older the OS, the trickier it can be; Windows XP is
    designed to detect and configure a PC card to talk to an existing network.
    Before you start, gather the following information:
    • your broadband connection's IP address, e.g., 123.43.2.1
    • subnet mask, e.g., 255.255.122.0
    • default gateway e.g., 192.168.0.2
    • DNS IP addresses e.g., 123.123.123.1
    You can get these things from your Internet provider; your customer-service
    rep will know what you're talking about (or you can find this using the
    Properties tab, under Network Connections). Each is just a series of numbers
    (e.g., 123.43.2.1) that you'll be prompted to plug in during setup. (If your
    provider supports a protocol called DHCP, your router should retrieve these
    settings automatically when you plug it in.)
    You may also be asked to choose an SSID (service set identifier). I recommend
    that you do not accept the default setting, as anyone nearby with a wireless
    device can also use your internet access. Set your SSID to a meaningful name;
    use your Business Name. For work-group name use ‘Wireless’, and for a wireless
    channel select from 1 – 11. I recommend you use a higher channel, as default
    settings usually select the lower end. Keep these consistent for all of your
    machines.
    Security
    For additional security you can and should use the Wired Equivalent Privacy
    (WEP) algorithm, and set this at 64bit. You can then choose a combination of
    10 hexadecimal characters [0-9 + A-F]; again, for this may I recommend you
    select your mobile phone number, as it is 10 characters long and not known to
    all your neighbours.
    Additionally you can set the Access Point to only allow access to specific
    units, where you would enter their MAC address, again a series of Hex
    numbers, usually found on the Wireless Card plugged into the Laptops or other
    desktop PCs.
    BAR, Aug 25, 2004
    #2

  3. Perhaps you get more answers if you ask more specific questions

    "clients will not roam when moving" is rather vague. Do they stay connected
    to the old AP? Do they lose their connection, even though another AP is in
    range? Is the connection reestablished but slightly interrupted?
    Jeroen van Bemmel, Aug 25, 2004
    #3
  4. "RogerC" wrote:

    > Hi,
    > Although I have put several posts on this and other newsgroups about
    > wireless roaming I have never had any replies.
    > Is there any documentation anywhere about setting up a wireless
    > network with several access points to enable laptops to 'seamlessly
    > roam' between them?
    >
    > I am using 2 win2003 servers with IAS, 4 access points with 802.1x
    > enabled and win XP sp1 & sp2 clients. The clients authenticate
    > correctly but will not roam when moving to another area.
    >
    > Thanks,
    > RogerC
    >
    >


    Hi Roger --

    You did not mention which authentication method you have deployed, but I am
    going to assume it is PEAP-MS-CHAP v2 since roaming is a feature of that
    auth method.

    To enable roaming, also called fast reconnect, in the IAS wireless remote
    access policy, go to the Properties for PEAP and click "Enable Fast
    Reconnect."

    On clients, in the Smart card or other certificate properties of a wireless
    network, select "Validate server certificate."

    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    James McIllece [MS], Aug 26, 2004
    #4
  5. RogerC

    RogerC Guest

    Hi Bar,
    Thanks for your response.
    To clarify a few points....
    I did not say "2 APs per server" - I have 2 windows 2003 servers that are
    DC's with IAS configured. The 4 Access points are set up to use both of them
    as their primary and secondary RADIUS servers. The access points are set
    with the same SSID but all different channels.
    The clients and servers use PEAP-MS-CHAP v2 authentication with 'fast
    reconnect' enabled on the laptop and servers.
    The building I am trying to cover is a long two storey office block with a
    large central staircase. I need an access point in each 'wing' to get
    sufficient coverage.
    A laptop user will successfully authenticate against the nearest access
    point but if he/she moves to another wing to, say, go for a meeting, even
    though there is an access point in the meeting room area the laptop will
    remain on the original access point even though the signal is too weak to be
    useable.

    RogerC
    RogerC, Aug 26, 2004
    #5
  6. RogerC

    RogerC Guest

    Hi James,
    Thanks for your response.
    Yes, I am using PEAP-MS-CHAP v2 and I have "Enable Fast Reconnect." enabled
    on both servers and laptops.
    But.. I don't have "Validate server certificate." enabled on the laptops -
    where does this come into the roaming issue if my users authenticate
    correctly without it being enabled?

    I have 2 windows 2003 servers that are DC's with IAS configured. The 4
    Access points are set up to use both of them as their primary and secondary
    RADIUS servers. The access points are set with the same SSID but all
    different channels.
    Is this the correct setup?

    RogerC
    RogerC, Aug 26, 2004
    #6
  7. Jack

    Jack Guest

    Hi
    Try to set the access points to different channels. I.e. they should not be
    on the same channel.
    Jack (MVP-Networking).
    Jack, Aug 26, 2004
    #7
  8. "RogerC" wrote:

    > Hi James,
    > Thanks for your response.
    > Yes, I am using PEAP-MS-CHAP v2 and I have "Enable Fast Reconnect."
    > enabled on both servers and laptops.
    > But.. I don't have "Validate server certificate." enabled on the
    > laptops - where does this come into the roaming issue if my users
    > authenticate correctly without it being enabled?
    >
    > I have 2 windows 2003 servers that are DC's with IAS configured. The
    > 4 Access points are setup to use both of them
    > as their primary and secondary RADIUS servers. The access points are
    > set with the same SSID but all different channels.
    > Is this the correct setup?
    >
    > RogerC
    >
    >snip<


    PEAP-MS-CHAP v2 provides mutual authentication which cannot correctly occur
    if clients are not configured to validate the server certificate; in
    addition, and more importantly, clients are exposed to some security
    vulnerabilities if they do not validate the server certificate, such as
    unknowing connection to a rogue network deployed by an attacker attempting
    to capture user name and password during the authentication attempt.

    It sounds like you have the APs configured correctly. Here are a couple of
    whitepapers you can take a look at to verify and/or troubleshoot your
    configuration:

    Troubleshooting Windows XP IEEE 802.11 Wireless Access
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

    "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
    at http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx


    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    James McIllece [MS], Aug 26, 2004
    #8
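
An added example, not part of the thread and not Microsoft tooling: a small audit of the two client settings discussed above ("Validate server certificate" and "Enable Fast Reconnect") over exported WLAN profile XML. The element names follow the PEAP section of profiles exported by later Windows versions, not the Windows XP clients in this thread; they, the namespace, the sample profiles and the server names are assumptions or constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample profiles (not taken from the thread).
# Element names are assumed from the PEAP section of exported WLAN profiles
# on later Windows versions; adjust them to the profiles you actually export.
NS = "http://www.microsoft.com/networking/WLAN/profile/v1"

# Client as described in the thread: fast reconnect on, validation off.
PROFILE_AS_DESCRIBED = f"""<WLANProfile xmlns="{NS}">
  <name>CorpWLAN-example</name>
  <EapType>
    <ServerValidation>
      <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames>
    </ServerValidation>
    <FastReconnect>true</FastReconnect>
    <PeapExtensions>
      <PerformServerValidation>false</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>"""

# Same client with validation on and the RADIUS identity pinned.
PROFILE_HARDENED = f"""<WLANProfile xmlns="{NS}">
  <name>CorpWLAN-example</name>
  <EapType>
    <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>ias1.corp.example;ias2.corp.example</ServerNames>
      <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
    </ServerValidation>
    <FastReconnect>true</FastReconnect>
    <PeapExtensions>
      <PerformServerValidation>true</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>"""


def _texts(root, name):
    """Text of every element whose local name is `name`, ignoring namespaces."""
    return [(el.text or "").strip()
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == name]


def _flag(values):
    """True only if the element is present and every occurrence says 'true'."""
    return bool(values) and all(v.lower() == "true" for v in values)


def audit_profile(xml_text):
    """Report server-validation and fast-reconnect settings for one profile."""
    root = ET.fromstring(xml_text)
    names = _texts(root, "name")
    validates = _flag(_texts(root, "PerformServerValidation"))
    pinned_roots = [t for t in _texts(root, "TrustedRootCA") if t]
    pinned_names = [t for t in _texts(root, "ServerNames") if t]
    no_prompt = _flag(_texts(root, "DisableUserPromptForServerValidation"))

    findings = []
    if not validates:
        # The case James describes: the client cannot tell the real RADIUS
        # server from a rogue network, so mutual authentication is lost.
        findings.append("server certificate is not validated")
    else:
        if not pinned_roots:
            findings.append("no trusted root CA selected")
        if not pinned_names:
            findings.append("no RADIUS server name pinned")
        if not no_prompt:
            findings.append("user may be prompted to trust a new server")

    return {
        "profile": names[0] if names else "(unnamed)",
        "validates_server": validates,
        "fast_reconnect": _flag(_texts(root, "FastReconnect")),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, xml_text in (("as described", PROFILE_AS_DESCRIBED),
                            ("hardened", PROFILE_HARDENED)):
        result = audit_profile(xml_text)
        print(label, result)
```
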
  9. RogerC

    RogerC Guest

    Hi Jack,
    You have misread my post..
    It said "The access points are set with the same SSID but all different
    channels."
    Thanks for replying anyway.
    RogerC
    RogerC, Aug 26, 2004
    #9
  10. Roger,

    I assume you use WZC on the Windows XP clients (and not a third party WLAN
    selection tool). Then the selection of the SSID is done by WZC, but the
    selection of the AP is done by the WLAN driver. This is typically based on
    signal strength but can involve more complicated conditions.

    Check if you have the latest WLAN driver for your hardware. Also, did you
    try to see what happens if you use different SSIDs?

    Also, the other day I discovered that an Intel 2100 integrated WLAN did not
    support channels 1 and 12-13 (the latter being only allowed in Europe). The
    effect was that it added the AP to the list but could not authenticate
    (channel 1), or even that it would detect that the AP was available (shown
    as active in the preferred list) but did not allow me to select it. Can your
    clients associate with each AP individually (i.e. when you reboot does it
    select the AP in the room?)
    Jeroen van Bemmel, Aug 28, 2004
    #10
  11. Are you getting a slew of reason code 96 and 97 when you roam?
    Roaming is supported in IAS and should work great. But some vendor
    implementations are not 100% PEAP RFC compliant. This would cause issues
    when roaming.

    To test this theory, enable EAP-TLS (full auth happens, no fast-reconnect)
    and see if your laptops lose connectivity. If they don't, then I suggest you
    contact the AP vendor for updated firmware.

    The next point would be to provide us with event logs, trace logs, and a
    netmon sniff to be able to tell for sure if this is the case.

    HTH


    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    =============================================

    "RogerC" <> wrote in message
    news:...
    > Hi Bar,
    > Thanks for your response.
    > To clarify a few points....
    > I did not say "2 APs per server" - I have 2 Windows 2003 servers that are
    > DCs with IAS configured. The 4 access points are set up to use both of
    > them as their primary and secondary RADIUS servers. The access points are
    > set with the same SSID but all different channels.
    > The clients and servers use PEAP-MS-CHAP v2 authentication with 'fast
    > reconnect' enabled on the laptop and servers.
    > The building I am trying to cover is a long two storey office block with a
    > large central staircase. I need an access point in each 'wing' to get
    > sufficient coverage.
    > A laptop user will successfully authenticate against the nearest access
    > point but if he/she moves to another wing to say go for a meeting, even
    > though there is an access point in the meeting room area the laptop will
    > remain on the original access point even though the signal is too weak to
    > be useable.
    >
    > RogerC
    Sam Salhi [MSFT], Oct 13, 2004
    #11
  12. RogerC,
    Cisco has a proprietary technology called WDS (Wireless Domain Services)
    which allows you to roam from one AP to another without re-authenticating, but
    you need a Cisco ACS server.
    One AP is set up as a master WDS AP and the rest are WDS AP clients. WDS
    AP clients proxy the auth to the master WDS AP, so the log shows it as coming
    from the master WDS AP even when you're roaming from different client APs. The
    only problem is the client WDS AP talks LEAP to the WDS AP to verify the
    credentials; that is why you need the ACS server.

    Good news is you can set up the built-in RADIUS server on the master WDS AP
    (I am using Cisco AP1100 btw) to do the client WDS AP LEAP authentication, so
    no need to buy the ACS :)

    Roaming works OK, but I noticed while running a continuous ping when moving
    from signal to I lose one ping, but hey, that's fine with me.

    http://www.cisco.com/en/US/products...s_configuration_example09186a00801c951f.shtml

    "RogerC" wrote:

    > Hi,
    > Although I have put several posts on this and other newsgroups about
    > wireless roaming I have never had any replies.
    > Is there any documentation anywhere about setting up a wireless network with
    > several access points to enable laptops to 'seamlessly roam' between them?
    >
    > I am using 2 win2003 servers with IAS, 4 access points with 802.1x enabled
    > and win XP sp1 & sp2 clients. The clients authenticate correctly but will
    > not roam when moving to another area.
    >
    > Thanks,
    > RogerC
    >
    >
    >
    Multiple remote access policies on Win2K, Nov 5, 2004
    #12
  13. WDS is not supported by IAS for multiple reasons:
    A) It doesn't fit the security policy that IAS runs under, which requires
    strong security practices. WDS, while flexible, doesn't provide that
    amount of security.
    B) WDS only works with LEAP, which is much less secure than EAP-TLS and
    PEAP. Again, it's very flexible, but security is not its forte.
    C) IAS doesn't send the access accept and encryption keys to anyone other
    than the related access point/server. These keys are unique and are not
    known by anyone else. With 802.11i the WDS model will potentially be broken,
    since not even the RADIUS server knows the encryption keys being used by the
    access point/server, so roaming with this more secure model will not be
    functional until revised.
    D) Thin access point models don't suffer from all these side effects, since
    authentication happens at the base switch and not at the access point itself.

    Now, regarding the amount of time it takes a client to roam, this really
    depends on the hardware (NIC and AP), not on the authentication server, since
    most authentications happen in <400ms. There are potentially many areas
    where this can be slowed down; one of them might be DHCP, and other network
    services.


    Hope you find this information useful


    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no rights

    Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and
    troubleshooting RADIUS using IAS"
    This chat will help you resolve all of your RADIUS/IAS issues. You can ask
    about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
    services, related to IAS and RADIUS
    Follow this link to join the chat
    http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
    =============================================

    "Multiple remote access policies on Win2K"
    <> wrote in
    message news:D...
    > RogerC,
    > Cisco has a proprietary technology called WDS (Wireless Domain Services)
    > which allows you to roam from one AP to another without re-authenticating,
    > but
    > you need a Cisco ACS server.
    > One AP is set up as a master WDS AP and the rest are WDS AP clients. WDS
    > AP clients proxy the auth to the master WDS AP, so the log shows it as
    > coming
    > from the master WDS AP even when you're roaming from different client APs.
    > The
    > only problem is the client WDS AP talks LEAP to the WDS AP to verify the
    > credentials; that is why you need the ACS server.
    >
    > Good news is you can set up the built-in RADIUS server on the master WDS AP
    > (I am using Cisco AP1100 btw) to do the client WDS AP LEAP authentication,
    > so
    > no need to buy the ACS :)
    >
    > Roaming works OK, but I noticed while running a continuous ping when moving
    > from signal to I lose one ping, but hey, that's fine with me.
    >
    > http://www.cisco.com/en/US/products...s_configuration_example09186a00801c951f.shtml
    >
    > "RogerC" wrote:
    >
    >> Hi,
    >> Although I have put several posts on this and other newsgroups about
    >> wireless roaming I have never had any replies.
    >> Is there any documentation anywhere about setting up a wireless network
    >> with
    >> several access points to enable laptops to 'seamlessly roam' between
    >> them?
    >>
    >> I am using 2 win2003 servers with IAS, 4 access points with 802.1x
    >> enabled
    >> and win XP sp1 & sp2 clients. The clients authenticate correctly but will
    >> not roam when moving to another area.
    >>
    >> Thanks,
    >> RogerC
    >>
    >>
    >>
    Sam Salhi [MSFT], Nov 5, 2004
    #13
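The measurement discussed in posts #11 and #13 (full authentication versus fast reconnect, and how long each takes as seen by the RADIUS server) can be taken from a capture of the AP-to-IAS traffic. The following is an added example, not code from any poster or vendor: it parses RADIUS packets per RFC 2865 and reports round trips and elapsed time per authentication. The AP addresses, client MAC, timings and round-trip counts in the sample capture are constructed.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CALLING_STATION_ID = 31  # RFC 2865 attribute: the client's MAC as sent by the AP


def parse_radius(data):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match captured bytes")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(data[pos], []).append(data[pos + 2:pos + data[pos + 1]])
        pos += data[pos + 1]
    return code, ident, attrs


def auth_timings(capture):
    """capture: (time_ms, ap_ip, raw_packet) tuples in time order.
    Returns one record per authentication that ended in Accept or Reject."""
    pending = {}    # (ap, identifier) -> client MAC of the outstanding request
    open_auth = {}  # (ap, mac) -> [start_ms, round_trips]
    results = []
    for ts, ap, raw in capture:
        code, ident, attrs = parse_radius(raw)
        if code == ACCESS_REQUEST:
            mac = attrs.get(CALLING_STATION_ID, [b"unknown"])[0].decode()
            pending[(ap, ident)] = mac
            open_auth.setdefault((ap, mac), [ts, 0])
        elif code in (ACCESS_CHALLENGE, ACCESS_ACCEPT, ACCESS_REJECT):
            mac = pending.pop((ap, ident), None)
            state = open_auth.get((ap, mac))
            if state is None:
                continue  # response whose request is not in the capture
            state[1] += 1
            if code != ACCESS_CHALLENGE:
                start, trips = open_auth.pop((ap, mac))
                results.append({"client": mac, "ap": ap, "round_trips": trips,
                                "result": "accept" if code == ACCESS_ACCEPT else "reject",
                                "elapsed_ms": ts - start})
    return results


def build(code, ident, attrs=()):
    """Build a sample packet (zeroed authenticator; for constructed data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def sample_exchange(start_ms, step_ms, ap, mac, first_id, round_trips):
    """Constructed exchange: request/response pairs ending in Access-Accept."""
    pkts = []
    for i in range(round_trips):
        ident, t = (first_id + i) % 256, start_ms + 2 * i * step_ms
        pkts.append((t, ap, build(ACCESS_REQUEST, ident, [(CALLING_STATION_ID, mac.encode())])))
        final = ACCESS_ACCEPT if i == round_trips - 1 else ACCESS_CHALLENGE
        pkts.append((t + step_ms, ap, build(final, ident)))
    return pkts


# Constructed capture: a long (full) exchange on one AP, then a short one after a roam.
SAMPLE_CAPTURE = (sample_exchange(0, 20, "10.0.0.11", "00-11-22-33-44-55", 10, 9)
                  + sample_exchange(60000, 15, "10.0.0.12", "00-11-22-33-44-55", 40, 3))

if __name__ == "__main__":
    for rec in auth_timings(SAMPLE_CAPTURE):
        print(rec)
```

If the exchange on the second AP is as long as the first, the client did a full authentication on roam rather than a fast reconnect.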
  14. RogerC

    Al Blake Guest

    I am interested in your feedback on WDS (or I should say the Cisco WLSE
    which uses WDS).
    We have installed 20% of a 47 AP WLAN using EAP-TLS with IAS server
    providing the security.
    We only have one SSID and users are able to roam between the APs without
    problems at the moment.

    We have now just purchased a WLSE (2.7), which I understood could 'manage'
    the access points in terms of setting power levels, doing neat things in
    auto-site surveying etc. However, now we have the WLSE it seems that there
    are significant limitations in that it will ONLY use LEAP for its
    authentication......so does this mean our EAP-TLS will break?

    Does anyone know if the two can coexist - i.e. using EAP-TLS to authenticate
    the clients to the APs...but using LEAP for AP<->WLSE authentication so that
    the WLSE can get all the neat info from the APs and tell us where we need to
    move things to.
    Thanks
    Al.


    "Multiple remote access policies on Win2K"
    <> wrote in
    message news:D...
    > RogerC,
    > Cisco has a proprietary technology called WDS (Wireless Domain Services)
    > which allows you to roam from one AP to another without re-authenticating,
    > but
    > you need a Cisco ACS server.
    > One AP is set up as a master WDS AP and the rest are WDS AP clients. WDS
    > AP clients proxy the auth to the master WDS AP, so the log shows it as
    > coming
    > from the master WDS AP even when you're roaming from different client APs.
    > The
    > only problem is the client WDS AP talks LEAP to the WDS AP to verify the
    > credentials; that is why you need the ACS server.
    >
    > Good news is you can set up the built-in RADIUS server on the master WDS AP
    > (I am using Cisco AP1100 btw) to do the client WDS AP LEAP authentication,
    > so
    > no need to buy the ACS :)
    >
    > Roaming works OK, but I noticed while running a continuous ping when moving
    > from signal to I lose one ping, but hey, that's fine with me.
    >
    > http://www.cisco.com/en/US/products...s_configuration_example09186a00801c951f.shtml
    >
    > "RogerC" wrote:
    >
    >> Hi,
    >> Although I have put several posts on this and other newsgroups about
    >> wireless roaming I have never had any replies.
    >> Is there any documentation anywhere about setting up a wireless network
    >> with
    >> several access points to enable laptops to 'seamlessly roam' between
    >> them?
    >>
    >> I am using 2 win2003 servers with IAS, 4 access points with 802.1x
    >> enabled
    >> and win XP sp1 & sp2 clients. The clients authenticate correctly but will
    >> not roam when moving to another area.
    >>
    >> Thanks,
    >> RogerC
    >>
    >>
    >>
    Al Blake, Nov 19, 2004
    #14
  15. Nope, they can't coexist.
    EAP-TLS is the more secure of the two. LEAP is more flexible at the expense
    of security. LEAP also doesn't use Certificates like EAP-TLS
    I have heard that Cisco will be supporting EAP-FAST for WDS, so I would
    assume it would extend that to WLSE. But it's their call. Contact Cisco
    support for more help

    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no rights

    =============================================

    "Al Blake" <> wrote in message
    news:...
    > I am interested in your feedback on WDS (or I should say the Cisco WLSE
    > which uses WDS).
    > We have installed 20% of a 47 AP WLAN using EAP-TLS with IAS server
    > providing the security.
    > We only have one SSID and users are able to roam between the APs without
    > problems at the moment.
    >
    > We have now just purchased a WLSE (2.7), which I understood could 'manage'
    > the access points in terms of setting power levels, doing neat things in
    > auto-site surveying etc. However, now we have the WLSE it seems that there
    > are significant limitations in that it will ONLY use LEAP for its
    > authentication......so does this mean our EAP-TLS will break?
    >
    > Does anyone know if the two can coexist - i.e. using EAP-TLS to authenticate
    > the clients to the APs...but using LEAP for AP<->WLSE authentication so
    > that the WLSE can get all the neat info from the APs and tell us where we
    > need to move things to.
    > Thanks
    > Al.
    Sam Salhi [MSFT], Nov 19, 2004
    #15