Question : Configuring Cisco wireless access points for seamless roaming

We have been having some trouble recently with clients roaming between access points. When they roam off of one AP onto another, their application sessions (medical records software) disconnect in the switch. I'm seeking any thoughts on how to improve the experience for the roaming users.

Some background about the access point configurations. The APs are Cisco 1131APs, with WDS enabled and certificate-based authentication. We are open to changing the authentication (in the event that the certificates are creating a little additional roaming overhead), but would want to stick with a method for authenticating individual users rather than a single PSK.

I am including a (lightly scrubbed) sample configuration from one of the access points below We do not currently employ a wireless controller.

Any thoughts on this are greatly appreciated. To reiterate, the goal is to improve client roaming between access points so that open application sessions are not disconnected when switching from one AP to another, while still retaining the ability to authenticate individual users (and not needing to issue an organization-wide PSK).

Code Snippet:

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:

           
           
             !
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Wap1
!
enable secret 5 ***
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.9.250 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius OUR_INFRASTRUCTURE
 server 172.16.9.250 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_OUR_INFRASTRUCTURE group OUR_INFRASTRUCTURE
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
!
dot11 ssid OUR
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   guest-mode
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 *** transmit-key
 encryption mode wep mandatory 
 !
 ssid OUR
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.16.9.241 255.255.248.0
 no ip route-cache
!
ip default-gateway 172.16.8.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
radius-server local
  nas 172.16.9.250 key 7 ***
  user WAP1 nthash 7 ***
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.9.250 auth-port 1812 acct-port 1813 key 7 ***
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username WAP1 password 7 ***
wlccp authentication-server infrastructure method_OUR_INFRASTRUCTURE
wlccp wds priority 253 interface BVI1
!
line con 0
line vty 0 4
!
end

           
         

Open in New Window

Select All

Answer : Configuring Cisco wireless access points for seamless roaming

have you considered using CCKM?(if they support it)
It stands for Cisco Centralized Key Management, which bascially enables fast roaming by caching credentials on edge access points you may potentially roam to, disregarding the need to re authenticate to your cert server.

I have successful deployed a seamless roaming network but I have used different security protocols and involved a server 08 running Network Protection Policies. I can elaborate if you want