[NEBULA] Fast roaming

Denis
Denis Posts: 13  Freshman Member
First Anniversary First Comment
edited April 2021 in Nebula

Hello

We use NWA 123-AC-PRO access points, authentication radius, roaming works well, but when I try to connect to a wifi through an access point to which they have not connected yet, authentication is required. How can I make sure that when connected to 1 point, the device can connect to the wifi through any access point, without entering login and password?

I was looking for how to enable 802.11r fast roaming but cannot find how to enable it through the nebula.

«1

All Replies

  • AGagarin
    AGagarin Posts: 16  Freshman Member
    First Anniversary Friend Collector First Comment

    Hi.

    In my config it's here:


  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @Denis,

    You can check the event log for the station connection. If the station is doing roaming, you can see station leave log on the original AP like "Station: xx:xx:xx:xx:xx:xx has disassoc by STA Leave(L2UPFrame) on Channel: ". And, the station should be associated on the other AP without deauth.

    May I know if there's any information you expect to know or is there any problem for roaming?

    Thanks.

  • Denis
    Denis Posts: 13  Freshman Member
    First Anniversary First Comment

    Already solved the problem.

    We do not use fast roaming, we need Web authentication. We send passwords to wifi via SMS, which are registered in mysql.

    We use 15 access points, made the network open, users authenticate with zywall usg 310, the network works as we need. If we use the hotspot built into the access point, the device cannot authenticate at the access point to which the device has not previously connected. I understand that this works differently. But it would be nice if we could place hotspot on 1 access point and indicate to everyone else its url.

    In the configuration used, we had to connect our Zywall to the radius server, which theoretically creates another dangerous point in information security.

    I want us to be able to prohibit the assignment of administrative access rights through the radius in Zuwall usg 310, in fact, everything depends on the "Zyxel-User-Type" attribute and the entry in the mysql database or text file.

    Use external (radius) server for admin access = no - The best decision.

    This will allow we not to place high security requirements on the radius service and mysql service.

  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    @Denis are your 15 access points in the same L2 network?

    I have used captive portal implemented in the access points and the roaming works fine between the access points, no need to connect to each AP first. If your access points are in different subnets, then that could be the reason.

    "You will never walk along"
  • Denis
    Denis Posts: 13  Freshman Member
    First Anniversary First Comment

    @RUnglaube

    Access points work in the same l2 network, roaming works fine, but if you disconnect wifi and go to the access point on which the first entrance to the network was not performed, then the login and password to the network will be requested - captive portal.

  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @Denis

    Once a wireless client logs in to one of the APs, the Nebula Control Center will sync the other APs in the same Site.

    Unless you change to the other AP faster then this process (which is fast already), it shouldn't be an issue. Roaming wold suffer the same problem.

    Could you tell us more about your scenario?

  • Denis
    Denis Posts: 13  Freshman Member
    First Anniversary First Comment

    We use web authentication, a button is built into the web page that redirects to the page for sending a password via SMS. This is necessary in order not to change the password manually and not give out passwords to employees, they do everything on their own. As login, use the phone number of the employee.

    Technically, the model looks like this:

    AP - network is open

    Zywall USG 310 - Web authentication is enabled using freetime for guests, radius + sms for employees.

    Radius - freeradius + mysql, with each request, new passwords are generated and entered into the table.


    With this configuration, the access points do not authenticate the client, authentication is performed by Zywall, this allows you to create a network with a single entry point in which authentication is required only 1 time.


    When using web authentication built-in AP:

    there are 2 points, the client connected to the first, entered the login and password, connected to the network, switching between the points works fine, but if the client turns off wifi and goes to the second point and turns on wifi, then the point does not authenticate the device, it will open the authentication page.

    I have not tried using the nebula service to authenticate users, as this will not allow sending SMS with a password.

  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @Denis, could you please check if your AP devices are running the latest firmware version 5.50? Thanks!

  • Denis
    Denis Posts: 13  Freshman Member
    First Anniversary First Comment

    Hi Nebula_Bayardo

    Frimware

    V5.50(ABHD.2)

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @Denis,

    May I know that if the client get the same IP after turning off wifi and went to the second point and turned on wifi?

    Thanks.

Nebula Tips & Tricks