A certain site reports network disrupt during handheld terminal roaming

 AAA Radius Server

    |

Internet

    |

Firewall —— AC —— SW —— AP —— handheld device

The handheld device uses MAC authentication and local forwarding. During roaming, there may be a network disrupt prompt, and services will recover after several seconds.

1. Check the overall configuration and found that the wireless association point is on the AP, which is a customer requirement and cannot be changed. Therefore, wireless roaming entries cannot be generated on the AC, and each roaming requires authentication with the AAA server, as shown in the figure below

2. Debug the MAC authentication process and found that the AAA server status is block, and it cannot be pinged

Display radius scheme shows the server status is also block

3. Then check the firewall policy and found that the firewall policy was blocking. After allowing the AAA IP, the service returned to normal

4. After rechecking the configuration, it was found that the service could recover after dozens of seconds post-roaming because wireless escape was configured, allowing the service to resume via the escape channel. The reason for the disruption lasting dozens of seconds was that after configuring wireless escape, the AC would still first send a request to the AAA server upon each roam, probing three times before resorting to the unauthenticated escape method if no response was received, as shown below:

1. Allow the AAA address on the firewall to ensure the handheld device can properly authenticate with AAA during each roam.

2. Change the association point to the AC so that roaming is achieved by querying the roaming table during the process eliminating the need for AAA authentication.