H3C WX Series Access Controllers



WLAN roaming configuration

The Inter AC Tunneling Protocol (IACTP) is a proprietary protocol of H3C which defines how access controllers (ACs) communicate with each other. IACTP provides a generic packet encapsulation and transport mechanism between ACs to provide secure AC-AC communications based on the standard TCP client/server model.

A mobility group is a group of ACs that communicate with each other using the IACTP protocol. A maximum of 8 ACs can be present in a mobility group in the current version. Formation and maintenance of a mobility group is done using IACTP.

IACTP provides a control tunnel for applications such as roaming to share/exchange messages. It also provides a data tunnel to encapsulate data packets to be transported between ACs. It can be used either with IPv4 or with IPv6.

Whenever a station supporting key caching associates to any of the ACs in a mobility group (which would be its Home-AC (HA)) for the first time, it goes through 802.1X authentication followed by 802.11 key exchange. The station information is synchronized across the ACs in the mobility group before the station roams within an AC or across ACs. When this station roams to another AC in the mobility group (which would be its Foreign-AC (FA)), the station information is used to fast authenticate the station by skipping 802.1X authentication and performing only 802.11 key exchange, to facilitate seamless roaming within the mobility group.

Configuring WLAN roaming

Configuring a roaming group

NOTE:

Roaming group configuration is available only for inter-AC roaming. For the configuration example of inter-AC roaming, see "Inter-AC roaming configuration example."

1. Select Roam > Roam Group from the navigation tree.

Figure 368 Configuring a roaming group

2. Configure a roaming group as described in Table 111.

3. Click Apply.


Table 111 Configuration items

| Item | Description |
|---|---|
| Service status | enable—Enable IACTP service. disable—Disable IACTP service. |
| IP type | Select IPv4 or IPv6. |
| Source address | Source address of the IACTP protocol. |
| Auth mode | MD5—Select the MD5 authentication mode. This item is optional. The control message integrity can be verified when the MD5 authentication mode is selected. The sender (an AC) calculates a digest based on the content of a control message. On receiving such a message, the receiver (another AC in the roaming group) calculates the digest again and compares it against the digest present in the message to verify the integrity of the packet received. If the digests are the same, the packet has not been tampered with. |
| Auth key | MD5 authentication key. If you select the MD5 authentication mode, you need to input an authentication key. |
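The digest check described for Auth mode, as an added example that is not taken from the manual or from H3C code. IACTP is proprietary and this page does not give its digest construction or message layout, so HMAC-MD5 keyed with the Auth key, the trailing-digest layout and the message bytes are all assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes


def seal(auth_key: bytes, control_msg: bytes) -> bytes:
    """Sender AC: append a keyed MD5 digest of the message content (assumed layout)."""
    return control_msg + hmac.new(auth_key, control_msg, hashlib.md5).digest()


def verify(auth_key: bytes, packet: bytes):
    """Receiver AC: recompute the digest and compare it with the one carried.

    Returns the message content when the digests match, otherwise None.
    """
    if len(packet) < DIGEST_LEN:
        return None  # too short to carry a digest at all
    content, carried = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(auth_key, content, hashlib.md5).digest()
    # compare_digest is constant-time, so the comparison does not reveal
    # how many leading bytes of a wrong digest happened to match.
    return content if hmac.compare_digest(carried, expected) else None


def demo():
    key = b"constructed-auth-key"  # constructed sample value
    msg = b"station=constructed-client;home_ac=192.168.1.100"  # constructed, not IACTP format
    packet = seal(key, msg)
    altered = packet.replace(b"192.168.1.100", b"192.168.1.101")
    return {
        "intact": verify(key, packet) == msg,
        "altered_in_transit": verify(key, altered) is None,
        "peer_has_other_key": verify(b"different-key", packet) is None,
        "truncated": verify(key, packet[:8]) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The `peer_has_other_key` case is the operational consequence: a group member configured with a different Auth key rejects every control message from its peers.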

Adding a group member

1. Select Roam > Roam Group from the navigation tree.

Figure 369 Adding a group member

2. Add a group member as described in Table 112.

3. Click Add.

4. Click Apply.

Table 112 Configuration items

| Item | Description |
|---|---|
| IP address | Add the IP address of an AC to a roaming group. IMPORTANT: When you configure a roaming group, the roaming group name configured for the ACs in the same roaming group must be the same. |
| VLAN | Configure the VLAN to which the roaming group member belongs. This configuration item is optional. |

NOTE:

• The user profile configurations of the ACs in a roaming group must be the same. For more information, see "User configuration."

• The ACs in a roaming group cannot be configured as hot backup ACs.

Displaying client information

1. Select Roam > Roam Client from the navigation tree.

Figure 370 Displaying client information

By clicking a target client, you can view the detailed information and roaming information of the client.

The detailed information and roaming information of a client you can view by selecting Roam > Client Information are the same as those you can view by selecting Summary > Client. For the related information, see "Summary."

WLAN roaming configuration examples

Intra-AC roaming configuration example

Network requirements

As shown in Figure 371, an AC has two APs associated and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.


Figure 371 Network diagram (AC with a RADIUS server, connected through an L2 switch to AP 1, BSSID 000f-e27b-3d90, VLAN 1, and AP 2, BSSID 000f-e233-5500, VLAN 1; the client roams from AP 1 to AP 2)

Configuring the AC

NOTE:

If remote authentication is required in the authentication mode you select, configure the RADIUS server.

For how to configure the RADIUS server, see "AAA configuration."

1. Create two APs:

   a. Select AP > AP Setup from the navigation tree.

   b. Click Add.

   c. On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.

   d. Follow the same steps to create the other AP.

2. Configure wireless service:

   a. Select Wireless Service > Access Service from the navigation tree.

   b. Click Add.

   c. On the page that appears, set the service name to Roam, and click Apply.

NOTE:

For how to configure the authentication mode, see "Access service configuration." However, fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.

3. Enable wireless service:

   a. Select Wireless Service > Access Service from the navigation tree.

   b. Select the Roam box.

   c. Click Enable.

4. Bind AP radios to the wireless service:

   a. Select Wireless Service > Access Service from the navigation tree.

   b. Click the icon corresponding to the wireless service Roam to enter the page for binding AP radio.

   c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).

   d. Click Bind.

Figure 372 Binding AP radios

5. Enable dot11g radio:

   a. Select Radio > Radio Setup from the navigation tree.

   b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz), and select the box before ap2 with the radio mode 802.11n(2.4GHz).

   c. Click Enable.

Figure 373 Enabling radio

Verifying the configuration

1. Display the roaming information of the client:

   a. Select Summary > Client from the navigation tree.

   b. Select the Roam Information tab.

   c. Click the desired client to view the roaming information of the client.

      From the roaming information, you can see that the client accesses the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 374).

Figure 374 Client status before intra-AC roaming

   d. Click Refresh.

      On the page that appears, you can see that the client is connected to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 375 Client status after intra-AC roaming

2. View the Roam Status field:

   a. Select Summary > Client from the navigation tree.

   b. Click the Detail Information tab.

   c. Click the desired client.

      You can see that Intra-AC roam association is displayed in the Roam Status field.

Figure 376 Verifying intra-AC roaming

Configuration guidelines

When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless service must be bound to the radios of the two APs in "Bind AP radios to the wireless service."

Inter-AC roaming configuration example

Network requirements

As shown in Figure 377, two ACs that each are connected to an AP are connected through a Layer 2 switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is 192.168.1.101. A client associates with AP 1.

Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.


Figure 377 Network diagram

Configuring AC 1 and AC 2

NOTE:

If remote authentication is required in the authentication mode you select, configure the RADIUS server.

For how to configure the RADIUS server, see "AAA configuration."

1. Establish AC-AP connections:

Configure AC 1 and AC 2 so that a connection can be established between AP 1 and AC 1, and between AP 2 and AC 2. Only after the connections are established can you see that the two APs are in the running status. To view the AP status, select Summary > AP or AP > AP Setup.

For the related configuration, see "Access service configuration."

NOTE:

For the configuration of authentication mode, see "Access service configuration." Fast roaming supporting key caching can be implemented only when RSN+802.1X authentication is adopted.

2. Configure a roaming group:

   a. Select Roam > Roam Group from the navigation tree.

   b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type list, enter 192.168.1.100 (the IP address of AC 1) for Source address, enter the IP address of AC 2 in the member list, and click Add.

   c. Click Apply.

Figure 378 Configuring a roaming group on AC 1

   d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the member address is the IP address of AC 1. (Details not shown.)

Verifying the configuration

1. Verify the status of the roaming group:

   a. On AC 1, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.101 is in Run state.

Figure 379 Verifying the roaming group state

   b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.100 is in Run state.

Figure 380 Verifying the roaming group state

2. Display the client information:

   a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.

      You can see that the client roams out of 192.168.1.100.

Figure 381 Viewing client information

   b. Select Roam > Roam Client on AC 2.

      You can see that the client roams in to 192.168.1.100.

3. View connection information about the client that is associated with the AP, and the Roam Status field in the client detailed information:

   a. Before roaming, select Summary > Client from the navigation tree on AC 1.

      You can see that the client is associated with AP 1.

   b. After roaming, select Summary > Client from the navigation tree on AC 1.

      The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.

   c. Select Summary > Client from the navigation tree on AC 2.

      You can view the client information.

   d. Select the Detail Information tab, and then click the desired client.

      You will see that Inter-AC roam association is displayed in the Roam Status field, which indicates that the client has roamed to AP 2.

Figure 382 Verifying inter-AC roaming

4. View the BSSID field:

   a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail Information tab, and click the desired client to view the roaming information of the client.

      The roaming information in Figure 383 shows that the client connects to the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90.

Figure 383 Client status before inter-AC roaming

   b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab, and click the desired client to view the roaming information of the client.

      The roaming information in Figure 384 shows that the client connects to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.

Figure 384 Client status after intra-AC roaming

Configuration guidelines

Follow these guidelines when you configure inter-AC roaming:

The SSIDs and the authentication and encryption modes of two APs should be the same.

A roaming group must be configured on both of the two ACs.

Do not configure the ACs in a roaming group as AC backup.
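A consistency check over the roaming group settings of every AC in a group, as an added example that is not part of the manual or of any H3C tool. The dictionary layout, the `hot_backup` flag and the sample values are hypothetical (the manual only shows web pages, not an export format), and the rule that peers must share the same Auth mode and key is inferred from the digest comparison described for Table 111.

```python
import ipaddress

MAX_GROUP_SIZE = 8  # ACs per mobility group, as stated at the top of this chapter

def audit_roaming_group(acs):
    """Check {ac_name: settings} against the roaming group guidelines; return findings."""
    findings = []
    owner = {cfg["source"]: name for name, cfg in acs.items()}
    for name, cfg in sorted(acs.items()):
        if cfg["service"] != "enable":
            findings.append(f"{name}: IACTP service is disabled")
        if cfg.get("hot_backup"):
            findings.append(f"{name}: roaming group member is configured as AC backup")
        want = 4 if cfg["ip_type"] == "IPv4" else 6
        for addr in [cfg["source"], *cfg["members"]]:
            if ipaddress.ip_address(addr).version != want:
                findings.append(f"{name}: {addr} does not match IP type {cfg['ip_type']}")
        if len(cfg["members"]) + 1 > MAX_GROUP_SIZE:
            findings.append(f"{name}: group exceeds {MAX_GROUP_SIZE} ACs")
        if cfg["auth_mode"] != "MD5":
            findings.append(f"{name}: Auth mode not set, control messages are not integrity-checked")
        for member in cfg["members"]:
            peer = owner.get(member)
            if peer is None:
                findings.append(f"{name}: member {member} is not the source address of any audited AC")
                continue
            other = acs[peer]
            if cfg["source"] not in other["members"]:
                findings.append(f"{name}: {peer} does not list {cfg['source']} as a member")
            if (cfg["auth_mode"], cfg["auth_key"]) != (other["auth_mode"], other["auth_key"]):
                findings.append(f"{name}: Auth mode or key differs from {peer}")
    return findings

# Constructed samples using the two AC addresses from the inter-AC example.
def ac(source, members, auth_mode=None, auth_key=None, service="enable"):
    return {"service": service, "ip_type": "IPv4", "source": source,
            "members": members, "auth_mode": auth_mode, "auth_key": auth_key}

GOOD = {"AC1": ac("192.168.1.100", ["192.168.1.101"], "MD5", "constructed-key"),
        "AC2": ac("192.168.1.101", ["192.168.1.100"], "MD5", "constructed-key")}
BAD = {"AC1": ac("192.168.1.100", ["192.168.1.101"], "MD5", "constructed-key"),
       "AC2": ac("192.168.1.101", [])}  # group never configured on AC 2

if __name__ == "__main__":
    for finding in audit_roaming_group(BAD):
        print(finding)
```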
