RADIUS accounting when client is roaming
Last Post: January 23, 2019:
When a client is roaming from AP1 > AP2 with 802.1X auth and RADIUS accounting defined on the SSID, do we expect AP2, after full 802.1X auth, send Accounting-Request (start) to the server if the previous session is still active (session on AP1, because the client didn't send disassociation frame)?
Just one perspective:
The client may not have sent a disassociation frame, or it may have sent one, but been out of range of the original AP when it was sent.
If the Client were moving very fast, e.g. mounted on a forklift, or moving through doorways as in a warehouse, the original AP probably would not have heard the frame.
This situation is more likely to have occurred if the client had some flavor of aggressive power save enabled. (Also some older PS algorithms were notoriously poor.)
RADIUS will not deny the new connection just because of this behavior. An older client may also not send the frame if it were powered off, and then back on again.
How dense is the client load, and was this in a newer installation, with closely packed AP's, or an older one with more dispersed AP's ?
Are you running RRM, or has anything changed recently at the site ?
Is it a WFA certified client and how old (b/g/n) is it ?
@Howard much appreciate for your reply.
This is exactly what I am seeing. The test client was iPhone, and during the roaming process, l was not able to capture disassociate frame from the device while was taking monitor mode PCAP next to the AP1. As you said it probably happened due to the reasons you mentioned.
The accounting and association session will be active for another, l believe, 5 minutes on the source AP (AP1), then the sessions removed and accounting stop packet should be sent to the RADIUS accounting server.
I do not know what is the expected behaviour of the AP2 in this case? Will it initiate a new accounting request to the server right after the client complete roaming, or will it wait until the initial accounting session terminated by the AP1, so it can start its own?
It's behavior will somewhat depend on the type of roaming configured on the network, but it would NEVER wait for the first AP to totally drop the connection.
Any number of minutes would be nonsensical. Good roaming should take milliseconds to seconds.
Are your VLAN's and/or IP addressing setup correctly on both segments (AP's) in the network? Is your RADIUS or DHCP server located at a remote site?
Besides RADIUS logs, have you also checked your DHCP server logs for congruence ?
What happens if you take your sniffer along for the ride with the client ? Does it show the client behavior then ?
And for the heck of it, does the sniffer show any client dis-associations if you just power the phone off, after it has made a solid connection ?
Sorry, l think l was not clear. The roaming completes as normal for 802.1X (e.g up to one second). So there is no issue with roaming or any sort of DHCP. What l was observing during the roaming process is when the client completed the roaming, RADIUS auth went through as expected, but destination AP (AP2) didn't send Accounting-Request packet (start). This has been verified with PCAP taken from the AP LAN interface. This is where l stuck:
Is it bug that AP2 is not sending Accounting-Request packet (start) or is it because the AP1 (source AP) still have an active association/accounting session and two sessions cannot coexist.
I definitely will take more traces, but now l just want to know an expected behaviour.
I haven't had to test that sequence myself, and right this minute I don't have a way to test it.
So hopefully someone else can help answer this question.
Had a chance to test it today with two APs, so there will be a new Accounting-Request (start) packet regardless if the source AP has an active session or not. Shame l cannot attach PCAP or screenshot here.
I thought there might be, but didn't want to say it without proof.
Glad you got to test it out - I've often found it best to test things out for yourself.
BTW, are you using a particular sniffer dongle with Wireshark ?
Monitor mode PCAP was taken with MacBook Air. It does its job)) Same time Wireshark PCAP was running on the RADIUS NPS server.
omg this website is really good, thanks