Doesn't anyone know anything about roaming?

Discussion in 'Wireless Networking' started by RogerC, Aug 25, 2004.

  1. RogerC

    RogerC Guest

    Hi,
    Although I have put several posts on this and other newsgroups about
    wireless roaming I have never had any replies.
    Is there any documentation anywhere about setting up a wireless network with
    several access points to enable laptops to 'seamlessly roam' between them?

    I am using 2 win2003 servers with IAS, 4 access points with 802.1x enabled
    and win XP sp1 & sp2 clients. The clients authenticate correctly but will
    not roam when moving to another area.

    Thanks,
    RogerC
     
    RogerC, Aug 25, 2004
    #1

  2. Guest

    Guest Guest

    How large an area do you need to cover?
    Roaming and random connections leave you open to unauthorised access.
    If you have all the access points set up the same, then the network adapters in
    the laptops will not properly differentiate between the APs except by
    signal strength, so you'd need to set the channels differently for each one.

    Many issues in doing what you have suggested, and why 2 APs per server?

    My basic recommendations follow:

    OK, you have a PC connected to the internet at home or the office and you
    want other PCs to share the internet access. Hopefully you'll have cable or
    DSL internet access.
    What should one do?
    First, make sure everything you buy conforms to the dominant wireless
    standard known as 802.11b, or Wi-Fi (short for wireless fidelity). That way
    you can mix brands, operating systems, even network a Mac to a Windows PC, and
    everything should still work together.
    There are two new, faster versions of Wi-Fi: 802.11a and 802.11g. "A" is for
    business use; "g" is for the home. Both bump networking speeds up from 11
    megabits per second to 54 mbps. But unless you're moving around big video
    files or sharing other graphics-rich multimedia applications, "b" will be
    more than sufficient. If you still want "g," wait until the standard has been
    officially ratified this summer.
    The heart of your network will be a wireless access point and the Internet
    access device, or preferably one device that does both, called a router, acting as
    wireless access point, cable or DSL modem and network switch. The
    two-in-one units, available from Linksys, D-Link, Netgear and others, start
    at about $100, with a few Ethernet ports and a USB port too, so you can connect
    PCs using a standard Ethernet cable or USB cable.
    To establish a wireless connection between a desktop PC and the wireless
    router, you need a USB or Ethernet cable.
    To connect a notebook PC, you'll need a wireless PC card. Many new notebooks
    have Wi-Fi capabilities built in; notebooks with Intel's new Centrino chip,
    for example, are Wi-Fi-enabled.
    Note that 802.11g is backwards compatible with 802.11b — meaning a laptop
    with a "g" card will talk to a "b" router, albeit at the slower speed — but
    802.11a is not. If your office installs an 802.11a network, get a dual-band
    wireless PC card for your laptop so that it can connect both at home and at
    work.
    Make sure that the software that comes with your gear will walk you through
    the installation. The steps will vary slightly, depending on each computer's
    operating system. The older the OS, the trickier it can be; Windows XP is
    designed to detect and configure a PC card to talk to an existing network.
    Before you start, gather the following information:
    • your broadband connection's IP address, e.g., 123.43.2.1
    • subnet mask, e.g., 255.255.122.0
    • default gateway e.g., 192.168.0.2
    • DNS IP addresses e.g., 123.123.123.1
    You can get these things from your Internet provider; your customer-service
    rep will know what you're talking about (or you can find this using the
    Properties tab, under Network Connections). Each is just a series of numbers
    (e.g., 123.43.2.1) that you'll be prompted to plug in during setup. (If your
    provider supports a protocol called DHCP, your router should retrieve these
    settings automatically when you plug it in.)
    You may also be asked to choose an SSID (service set identifier). I recommend
    that you do not accept the default setting, as anyone nearby with a wireless
    device can also use your internet access. Set your SSID to a meaningful name;
    use your business name. For the workgroup name use 'Wireless', and for the wireless
    channel select from 1 to 11; I recommend you use a higher channel, as default
    settings usually select the lower end. Keep these consistent for all of your
    machines.
    Security
    For additional security you can and should use the Wired Equivalent Privacy
    (WEP) algorithm, and set this at 64-bit; you can then choose a combination of
    10 hexadecimal characters [0-9 + A-F]. Again, for this may I recommend you
    select your mobile phone number, as it is 10 characters long and not known to
    all your neighbours.
    Additionally you can set the access point to only allow access to specific
    units, where you would enter their MAC address, again a series of hex
    numbers, usually found on the wireless card plugged into the laptops or other
    desktop PCs.
     
    Guest, Aug 25, 2004
    #2

  3. Perhaps you'd get more answers if you asked more specific questions

    "clients will not roam when moving" is rather vague. Do they stay connected
    to the old AP? Do they lose their connection, even though another AP is in
    range? Is the connection re-established but slightly interrupted?
     
    Jeroen van Bemmel, Aug 25, 2004
    #3
  4. Hi Roger --

    You did not mention which authentication method you have deployed, but I am
    going to assume it is PEAP-MS-CHAP v2 since roaming is a feature of that
    auth method.

    To enable roaming, also called fast reconnect, in the IAS wireless remote
    access policy, go to the Properties for PEAP and click "Enable Fast
    Reconnect."

    On clients, in the Smart card or other certificate properties of a wireless
    network, select "Validate server certificate."

    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    James McIllece [MS], Aug 26, 2004
    #4
  5. RogerC

    RogerC Guest

    Hi Bar,
    Thanks for your response.
    To clarify a few points....
    I did not say "2 APs per server" - I have 2 Windows 2003 servers that are
    DCs with IAS configured. The 4 access points are set up to use both of them
    as their primary and secondary RADIUS servers. The access points are set
    with the same SSID but all different channels.
    The clients and servers use PEAP-MS-CHAP v2 authentication with 'fast
    reconnect' enabled on the laptops and servers.
    The building I am trying to cover is a long two-storey office block with a
    large central staircase. I need an access point in each 'wing' to get
    sufficient coverage.
    A laptop user will successfully authenticate against the nearest access
    point, but if he/she moves to another wing to, say, go for a meeting, even
    though there is an access point in the meeting room area the laptop will
    remain on the original access point even though the signal is too weak to be
    usable.

    RogerC

     
    RogerC, Aug 26, 2004
    #5
  6. RogerC

    RogerC Guest

    Hi James,
    Thanks for your response.
    Yes, I am using PEAP-MS-CHAP v2 and I have "Enable Fast Reconnect" enabled
    on both servers and laptops.
    But.. I don't have "Validate server certificate" enabled on the laptops -
    where does this come into the roaming issue if my users authenticate
    correctly without it being enabled?

    I have 2 Windows 2003 servers that are DCs with IAS configured. The 4
    access points are set up to use both of them
    as their primary and secondary RADIUS servers. The access points are set
    with the same SSID but all different channels.
    Is this the correct setup?

    RogerC
     
    RogerC, Aug 26, 2004
    #6
  7. Jack

    Jack Guest

    Hi
    Try to set the access points to different channels. I.e. they should not be
    on the same channel.
    Jack (MVP-Networking).
     
    Jack, Aug 26, 2004
    #7
  8. PEAP-MS-CHAP v2 provides mutual authentication which cannot correctly occur
    if clients are not configured to validate the server certificate; in
    addition, and more importantly, clients are exposed to some security
    vulnerabilities if they do not validate the server certificate, such as
    unknowing connection to a rogue network deployed by an attacker attempting
    to capture user name and password during the authentication attempt.

    It sounds like you have the APs configured correctly. Here are a couple of
    whitepapers you can take a look at to verify and/or troubleshoot your
    configuration:

    Troubleshooting Windows XP IEEE 802.11 Wireless Access
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

    "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
    at http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx


    --
    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    James McIllece [MS], Aug 26, 2004
    #8
  9. RogerC

    RogerC Guest

    Hi Jack,
    You have misread my post..
    It said "The access points are set with the same SSID but all different
    channels."
    Thanks for replying anyway.
    RogerC
     
    RogerC, Aug 26, 2004
    #9
  10. Roger,

    I assume you use WZC on the Windows XP clients (and not a third party WLAN
    selection tool). Then the selection of the SSID is done by WZC, but the
    selection of the AP is done by the WLAN driver. This is typically based on
    signal strength but can involve more complicated conditions.

    Check if you have the latest WLAN driver for your hardware. Also, did you
    try to see what happens if you use different SSIDs?

    Also, the other day I discovered that an Intel 2100 integrated WLAN did not
    support channels 1 and 12-13 (the latter being only allowed in Europe). The
    effect was that it added the AP to the list but could not authenticate
    (channel 1), or even that it would detect that the AP was available (shown
    as active in the preferred list) but would not allow me to select it. Can your
    clients associate with each AP individually (i.e. when you reboot, does it
    select the AP in the room?)

     
    Jeroen van Bemmel, Aug 28, 2004
    #10
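    The point above, that the driver (not WZC) picks the AP and usually does so on signal strength, is what produces the symptom in this thread: a laptop that stays on its first AP until the signal is unusable. The following is an added example, not code from the original posts or from any vendor's driver; real drivers use vendor-specific heuristics. It models the two behaviours being contrasted: a "sticky" driver that never re-evaluates after associating, and one that rescans once the current RSSI drops below a threshold and roams only when a candidate is clearly better (hysteresis, so the client does not flap between two equal APs). The AP names, RSSI values, thresholds and the walk across the building are constructed for the demonstration.

```python
"""Simplified model of how a WLAN driver picks an AP as the laptop moves.

Added example, not any vendor's driver code. All APs share one SSID, as in the
thread, so the choice is the driver's, not the user's. Thresholds, AP names and
the RSSI walk below are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoamPolicy:
    scan_threshold: int = -70   # dBm; below this the driver looks for a better AP
    hysteresis: int = 8         # dB a candidate must beat the current AP by
    sticky: bool = False        # True: never re-evaluate once associated


def choose_ap(current, rssi_by_ap, policy):
    """Return the AP the client should be on after one scan result.

    rssi_by_ap maps AP name -> RSSI in dBm for every AP currently heard.
    """
    if current is None:                       # initial association: strongest AP
        return max(rssi_by_ap, key=rssi_by_ap.get)
    cur = rssi_by_ap[current]
    if policy.sticky or cur >= policy.scan_threshold:
        return current                        # good enough (or driver never looks)
    best = max(rssi_by_ap, key=rssi_by_ap.get)
    if rssi_by_ap[best] - cur >= policy.hysteresis:
        return best                           # clearly better: roam
    return current                            # not better enough: avoid flapping


def walk(samples, policy):
    """Feed successive scan results to the policy; return the association per step."""
    current, history = None, []
    for rssi_by_ap in samples:
        current = choose_ap(current, rssi_by_ap, policy)
        history.append(current)
    return history


def unusable_steps(history, samples, floor=-80):
    """Count steps where the associated AP's signal is below a usability floor."""
    return sum(1 for ap, s in zip(history, samples) if s[ap] < floor)


# Constructed walk from the wing covered by AP_A to the wing covered by AP_B.
WALK = [
    {"AP_A": -45, "AP_B": -92},
    {"AP_A": -55, "AP_B": -88},
    {"AP_A": -66, "AP_B": -80},
    {"AP_A": -74, "AP_B": -70},   # below threshold, but AP_B only 4 dB better
    {"AP_A": -80, "AP_B": -62},   # AP_B now 18 dB better: roam
    {"AP_A": -86, "AP_B": -55},
    {"AP_A": -90, "AP_B": -48},
]

STICKY = RoamPolicy(sticky=True)
ROAMING = RoamPolicy()

if __name__ == "__main__":
    for name, policy in (("sticky", STICKY), ("roaming", ROAMING)):
        hist = walk(WALK, policy)
        print(f"{name:8s} {hist}  unusable steps: {unusable_steps(hist, WALK)}")
```

    With the sticky policy the client sits on AP_A for the whole walk and spends the last two steps below the usability floor, which is exactly the behaviour RogerC describes; the roaming policy hands over at step 5. When diagnosing a real client, compare the RSSI at which it finally lets go of the old AP with the driver's documented roam threshold (if the vendor exposes one), and test with a different NIC or driver version before blaming the RADIUS side.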
  11. Are you getting a slew of reason codes 96 and 97 when you roam?
    Roaming is supported in IAS and should work great. But some vendor
    implementations are not 100% PEAP RFC compliant; this would cause issues
    when roaming.

    To test this theory, enable EAP-TLS (full auth happens, no fast reconnect)
    and see if your laptops lose connectivity. If they don't, then I suggest you
    contact the AP vendor for updated firmware.

    The next point would be to provide us with the event log, trace logs, and a
    Netmon sniff to be able to tell for sure if this is the case.

    HTH


    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
    =============================================

     
    Sam Salhi [MSFT], Oct 13, 2004
    #11
  12. Guest

    Guest Guest

    RogerC,
    Cisco has a proprietary technology called WDS (Wireless Domain Services)
    which allows you to roam from one AP to another without re-authenticating, but
    you need a Cisco ACS server.
    One AP is set up as a master WDS AP and the rest are WDS AP clients. WDS
    AP clients proxy the auth to the master WDS AP, so the log shows it as coming
    from the master WDS AP even when you're roaming between different client APs. The
    only problem is the client WDS AP talks LEAP to the master WDS AP to verify the
    credentials; that is why you need the ACS server.

    Good news is you can set up the built-in RADIUS server on the master WDS AP
    (I am using Cisco AP1100 btw) to do the client WDS AP LEAP authentication, so
    no need to buy the ACS :)

    Roaming works OK, but I noticed while running a continuous ping when moving
    from one AP to another I lose one ping, but hey, that's fine with me.

    http://www.cisco.com/en/US/products...s_configuration_example09186a00801c951f.shtml
     
    Guest, Nov 5, 2004
    #12
  13. WDS is not supported by IAS for multiple reasons:
    A) It doesn't fit the security policy that IAS runs under, which requires
    strong security practices. WDS, while flexible, doesn't provide that
    amount of security.
    B) WDS only works with LEAP, which is much less secure than EAP-TLS and
    PEAP. Again, it's very flexible, but security is not its forte.
    C) IAS doesn't send the access accept and encryption keys to anyone other
    than the related access point/server. These keys are unique and are not
    known by anyone else. With 802.11i the WDS model could potentially be broken, since
    not even the RADIUS server knows the encryption keys being used by the
    access point/server, so roaming with this more secure model will not be
    functional until revised.
    D) Thin access point models don't suffer from all these side effects, since
    authentication happens at the base switch and not at the access point itself.

    Now regarding the amount of time it takes a client to roam, this really
    depends on the hardware (NIC and AP), not on the authentication server, since
    most authentications happen in <400ms. There are potentially many areas
    where this can be slowed down; one of them might be DHCP, and other network
    services.


    Hope you find this information useful


    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no rights

    Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and
    troubleshooting RADIUS using IAS"
    This chat will help you resolve all of your RADIUS/IAS issues. You can ask
    about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
    services, related to IAS and RADIUS
    Follow this link to join the chat
    http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
    =============================================

     
    Sam Salhi [MSFT], Nov 5, 2004
    #13
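    Point C above, that IAS hands the session keys only to the access point that sent the Access-Request and that nobody else can read them, rests on how RADIUS wraps the key in the Access-Accept. The following is an added example, not IAS code or any AP vendor's code; it implements the MS-MPPE-Send/Recv-Key encryption from RFC 2548 section 2.4.3, which is the attribute RADIUS servers use to deliver the EAP-derived key (the PMK, in 802.11i terms) to the AP. The key is hidden under the requesting AP's shared secret plus that request's Request-Authenticator, so an AP in the other wing, holding a different secret, cannot recover it even if it sees the packet. The PMK, shared secrets, Request-Authenticator and salt below are constructed values.

```python
"""RADIUS MS-MPPE key wrapping (RFC 2548 section 2.4.3): how a RADIUS server
delivers the per-session key to exactly one access point.

Added example, not IAS or any AP vendor's code. Values below are constructed.
"""
import hashlib
import secrets
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_wrap(key: bytes, secret: bytes, request_authenticator: bytes,
              salt: Optional[bytes] = None) -> bytes:
    """Return Salt || ciphertext for an MS-MPPE-Send/Recv-Key attribute value."""
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if salt is None:
        # RFC 2548: the salt's most significant bit must be set; the rest is random.
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    # Plaintext = Key-Length octet || key, null-padded to a multiple of 16.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        if prev is None:   # b(1) = MD5(S + R + A)
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:              # b(i) = MD5(S + c(i-1)): chained on prior ciphertext
            b = hashlib.md5(secret + prev).digest()
        prev = _xor(plain[i:i + 16], b)
        out += prev
    return salt + out


def mppe_unwrap(blob: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_wrap; raises ValueError on a malformed result."""
    salt, ct = blob[:2], blob[2:]
    if len(blob) < 18 or len(ct) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain, prev = b"", None
    for i in range(0, len(ct), 16):
        if prev is None:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        prev = ct[i:i + 16]
        plain += _xor(prev, b)
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("length octet exceeds payload (wrong secret?)")
    return plain[1:1 + key_len]


def try_unwrap(blob: bytes, secret: bytes, request_authenticator: bytes):
    """What a different AP gets with its own secret: garbage bytes or None."""
    try:
        return mppe_unwrap(blob, secret, request_authenticator)
    except ValueError:
        return None


# Constructed values: a 32-byte PMK, per-AP shared secrets, and the
# Request-Authenticator from AP1's Access-Request. A fixed salt keeps the
# demonstration deterministic; production code leaves salt=None.
PMK = bytes(range(32))
AP1_SECRET = b"wing-a-ap-secret"
AP2_SECRET = b"wing-b-ap-secret"
REQ_AUTH = bytes(range(100, 116))
ACCEPT_FOR_AP1 = mppe_wrap(PMK, AP1_SECRET, REQ_AUTH, salt=b"\x80\x01")

if __name__ == "__main__":
    print("AP1 recovers PMK:", mppe_unwrap(ACCEPT_FOR_AP1, AP1_SECRET, REQ_AUTH) == PMK)
    print("AP2 recovers PMK:", try_unwrap(ACCEPT_FOR_AP1, AP2_SECRET, REQ_AUTH) == PMK)
```

    Because the Request-Authenticator is fresh per Access-Request, even the same AP cannot reuse a wrapped key from an earlier exchange, and an AP the client roams to must trigger its own authentication (full, or a PEAP fast reconnect) to obtain its own key. Two practical checks follow from this: every AP needs its own strong, unique shared secret, since one secret shared across all APs collapses the "known only to the related access point" property, and an Access-Accept seen on the wire should never be accepted by an AP that did not originate the matching request.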
  14. Al Blake

    Al Blake Guest

    I am interested in your feedback on WDS (or I should say the Cisco WLSE,
    which uses WDS).
    We have installed 20% of a 47-AP WLAN using EAP-TLS with an IAS server
    providing the security.
    We only have one SSID and users are able to roam between the APs without
    problems at the moment.

    We have now just purchased a WLSE (2.7), which I understood could 'manage'
    the access points in terms of setting power levels, doing neat things in
    auto site surveying etc. However, now we have the WLSE it seems that there
    are significant limitations in that it will ONLY use LEAP for its
    authentication......so does this mean our EAP-TLS will break?

    Does anyone know if the two can coexist - i.e. using EAP-TLS to authenticate
    the clients to the APs...but using LEAP for AP<->WLSE authentication so that
    the WLSE can get all the neat info from the APs and tell us where we need to
    move things to.
    Thanks
    Al.


     
    Al Blake, Nov 19, 2004
    #14
  15. Nope, they can't coexist.
    EAP-TLS is the more secure of the two. LEAP is more flexible at the expense
    of security. LEAP also doesn't use certificates like EAP-TLS does.
    I have heard that Cisco will be supporting EAP-FAST for WDS, so I would
    assume it would extend that to WLSE. But it's their call. Contact Cisco
    support for more help.

    --
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no rights

    =============================================
     
    Sam Salhi [MSFT], Nov 19, 2004
    #15