Central Wireless RADIUS: Roaming Clients between APX320 and APX530 lose connection when on APX530

Question

Hi, 
 we notice a strage issue for a while now when WiFi clients are connected to a 802.1X RADIUS WiFi that contains APX320 and APX530 APs that are managed in Sophos Central. Occasionally it happens, when they move in the office and roam between the two models, that they lose network connectivity and the new AP is not authenticating the roamed client against the RADIUS Server. At the RADIUS server we see no authentication - neither failed or success - happening. 
 We have the feeling that is is only related to the APX530 - The clients have no connection, when they are connected to APX530 with 5GHz. Central still shows an IP Address for the client device, but the device actually has no IP on it's network adapter. When we reboot the APX, it usually works again. Fast roaming is enabled. The users help themselves by turning their WiFi adapter of and on when they face the issue. It will not workaround immediately, they usually need some attempts until it may fix the issue. When it finally works, they are still connected to the APX530 as it is the nearest AP then. On the RADIUS we will then also see that authentication happened and was successful. 
 
 WiFi AP have Central firmware v2.3.4-5 
 
 There are only a few clients connected. No real load for the machines.

I'd like to know if there are known issues with that or if you have a hot idea how to debug on this.

emmosophos · Answer

UPDATE FROM LHERZOG about this case/thread 
 After further investigation by the development team for CWIFI-13163 &ldquo;Fast roaming issues - clients lose IP and need to reconnect,&rdquo; there is an issue with the Wi-Fi driver on the APX that is preventing the VLAN ID from syncing when fast roaming is enabled with dynamic VLANs. When the wireless client moves to a new access point, the packets coming through the new access point are not tagged with the correct VLAN ID. This results in the clients losing their IP address and must reconnect to the access point. To work around this, we recommend disabling fast roaming across the wireless network, this will allow wireless clients to roam between the access points with the correct dynamic VLAN ID. The other way is to set static VLAN assignments instead of using dynamic VLANs on the wireless network and enable fast roaming.

emmosophos · Answer

UPDATE FROM LHERZOG about this case/thread News from our support case 06845353 as reference in case other users may face such issues. 
 Sophos WiFi Dev Team has successfully recreated the issue. 
 
 When a client roams from AP1->AP2->AP1, we observe that the client traffic is not getting tagged properly with VLAN, which results in the client not getting the IP address. 
 When Fast roaming is enabled, radius authentication will be skipped when the client roams. 
 The client will receive the correct IP address after turning wifi on and off. This is because the client will go through the complete radius authentication where VLAN information will be captured through radius exchanges. 
 Disabling the fast roaming is a possible workaround for this issue for now but it comes with the cost of roaming delay.

Central Wireless RADIUS: Roaming Clients between APX320 and APX530 lose connection when on APX530

Top Replies