Cisco Bug: CSCuj07119 - APgroup NASid override not honored when roaming between APs in dif group

Last Modified

Jul 02, 2016

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.4(110.0)

Description (partial)

Symptom:
Wireless clients roaming between different FlexConnect APs doing local switching (on different FlexConnect/AP-Groups, for example for buildings 650 and 680) keep their VLAN even when the client is supposed to be assigned a new VLAN from AAA based on the new AP-Group. Because the VLAN the client keeps does not exist on the new AP/building, the client cannot pass traffic at its new location until it is finally deauthenticated, removed from the client list, and starts a brand new association (at which point it receives the new VLAN ID).

Conditions:
The wireless client roams from one AP (AP1) in one AP-Group to an AP (AP2) in another AP-Group, where both APs are configured in FlexConnect mode doing local switching.

When connecting to AP1, the client is supposed to get VLAN-401, and when connecting to AP2 the client should go to VLAN-402; this VLAN ID should come from the AAA server doing AAA override during authentication, depending on location (based on the NAS-ID configured on the AP-Group). The old VLAN-401 is not configured or allowed on the new AP2 (and vice versa, due to the buildings' design).

Therefore, because of this bug, since the WLC does not honor the NAS-ID to update the VLAN from AAA when roaming between those different AP-Groups, the client remains on the old VLAN, cannot continue passing traffic, and service is basically disrupted until the client is manually disconnected/reconnected, or it is removed from the WLC's client association list after timing out (in either case the client then performs a brand new authentication and receives the proper VLAN for the new location/AP-Group).

Even though this mainly affects FlexConnect local switching setups, where the client is kept on a VLAN that does not exist on the new AP (hence it cannot pass traffic anymore), we noticed the VLAN ID was not updated based on the AP-Group even when the APs were in Local mode (in which case the user is not affected, as the traffic is just tunneled back to the WLC where both VLANs exist).
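The stale-VLAN condition described above can be spotted from client roam records. The following is an added example, not Cisco's code or WLC output: it assumes a constructed `client=... apgroup=... vlan=...` record format and an assumed table of the VLAN that AAA override returns for each AP-Group NAS-ID, and flags every inter-AP-Group roam where the client kept a VLAN other than the one expected for its new group.

```python
"""Added example (not Cisco's code): flag clients that roamed between AP-Groups
but kept a VLAN other than the one AAA assigns for the new group. Records are constructed."""
from dataclasses import dataclass

# Assumption: VLAN that AAA override returns per AP-Group NAS-ID
# (bldg650 -> VLAN-401, bldg680 -> VLAN-402, as in the bug description).
EXPECTED_VLAN = {"bldg650": 401, "bldg680": 402}

@dataclass(frozen=True)
class RoamEvent:
    client: str     # client MAC
    ap_group: str   # AP-Group (NAS-ID) the client is associated to now
    vlan: int       # VLAN the controller shows for the client

def parse_events(text):
    """Parse constructed 'client=... apgroup=... vlan=...' records."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append(RoamEvent(fields["client"], fields["apgroup"], int(fields["vlan"])))
    return events

def find_stale_vlans(events):
    """Return (client, old_group, new_group, vlan) for every roam into a different
    AP-Group where the client kept a VLAN other than the one expected there,
    i.e. the AAA override for the new NAS-ID was not re-applied."""
    last_group = {}
    findings = []
    for ev in events:
        prev = last_group.get(ev.client)
        if prev is not None and prev != ev.ap_group:
            expected = EXPECTED_VLAN.get(ev.ap_group)
            if expected is not None and ev.vlan != expected:
                findings.append((ev.client, prev, ev.ap_group, ev.vlan))
        last_group[ev.client] = ev.ap_group
    return findings

# Constructed sample: client ...01 roams bldg650 -> bldg680 and keeps VLAN 401
# (the bug); client ...02 roams bldg680 -> bldg650 and correctly gets VLAN 401.
SAMPLE_LOG = """\
client=00:11:22:33:44:01 apgroup=bldg650 vlan=401
client=00:11:22:33:44:02 apgroup=bldg680 vlan=402
client=00:11:22:33:44:01 apgroup=bldg680 vlan=401
client=00:11:22:33:44:02 apgroup=bldg650 vlan=401
client=00:11:22:33:44:01 apgroup=bldg680 vlan=401
"""

if __name__ == "__main__":
    for client, old, new, vlan in find_stale_vlans(parse_events(SAMPLE_LOG)):
        print(f"{client}: roamed {old} -> {new} but still on VLAN {vlan}")
```

Roams within the same AP-Group are ignored, so only the cross-group case the bug describes is reported.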