cnMaestro Roaming with Guest Portal Access not working

Epicolor · July 15, 2019, 12:49pm

Hi.

We have an issue with roaming when Guest Portal Access is enabled. (Guest Portal is requirement for Wifi4EU)

I wonder if anyone have the same issue? Or maybe I'm just missing something since Cambium is very new to me. I would be glad if someone would point at my error at this point.

unifi system:

unifi USG firewall (DHCP server)

two switch US-150W (unifi switch ports have ALL settings on ports with AP)

6x Cambium E410, 5x Cambium E500 + 1 E501S on the switches, indoor and outdoor

FW--SW--SW

Management: Corporate vlan1, unifi guest vlan 404

VLAN1 everything is static, VLAN 404 have DHCP server

Cambium:

Two AP group one for indoor one for outdoor.

Network: Ethernet Port 1: Trunk Multiple VLANs, Native VLAN: 1, Allowed VLANs: 1; 404, tagged: no

Both AP group uses the same WLAN

WLAN (vlan404): open / network wide isolation / Guest Access Enabled

Guest Portal: Enable Free Access, Renewal Frequency 12h, Session Duration 12h,

When Guest Portal Acces Is Disabled and just have simple open wifi. Everything works fine, client devices can roam without interruption.

When Guest Portal Acces is Enabled:

Clients connect, get Guest Splash Portal and can log in. Internet works until client moves to another AP. Then Client needs to log in again (should not) but portal does not pop up so easly this time as it needs a lot of refreshing and waiting to get the guest portal accesible again. Or when you go away lost connection or just disable wifi you need to log in again, but you already supposed to have a session for 12h. So every time client move to another AP it finds it self in the walled garden again and again. It is like if the AccesPoints does not inform the others about the client authentication and that it is already have a session.

We stared with cnMestro (cloud) 2.2.0 r-20?. And latest firmware. 3.11.1-r2 (did not tested 2.2.1-r5 yet)

Did a test lab with 2x E410 not same enviroment (cisco switches and firewall) but same settings. On cnMaestro On premises 2.2.0-r60

Test devices came with 3.6 firmware roaming worked well (I think) Upgraded 3.9, 3.10, 3.11 did not work. Downgrade to 3.6 worked again. (other then 3.6 clients MAC appeared on both AP or on none or moved very slowly even without Guest Portal Acces)

Now with 2.2.1 Have to start testing all over again. So far 2.2.1 with 3.10 (recomended version) not working.

Wright-Fi · July 15, 2019, 1:43pm

Can you please tick the "cnMaestro Managed Roaming" box within the WLANs settings and test your config again.

This setting allows client devices roam between APs without having to re-authenticate.

Epicolor · July 15, 2019, 2:01pm

We did test it with and without cnMaestro Managed Roaming (2.2.0). Same result.

And since all the AP are in the same subnet it should not be needed.

But I will test it tomorrow again with the new update 2.2.1.

Wright-Fi · July 15, 2019, 4:33pm

Thanks, do let us know how you get on and do doubble check that the devices have all synced to the new settings.

Here is some more info on cnMaestro Managed Roaming if required: https://community.cambiumnetworks.com/t5/cnPilot-E-Series-Enterprise-APs/cnPilot-controller-assisted-roaming/td-p/78504

Kunal_Solanki · July 15, 2019, 6:52pm

cnMaestro managed roaming is not required and should not be enabled when cnMaestro based guest portal is in use. cnMaestro managed roaming should be enabled when AP onboard guest portal is used or it's integrated with an external captive portal solution. When cnMaestro based guest portal is used then AP automatically syncs to cnMaestro and ensures that guest client state is maintained across roams between AP's in same subnet or in completely different network.

I will message you my email id for further debugging on this.

Epicolor · July 24, 2019, 12:48pm

I already had a ticket about this issue just wanted to have more advice from other people.

After the triatlon event ended we were able to do trials again with guest portal enabled.

With the latest version of 2.2.1-r7, it looks like roaming works fine this time.

Still we have some other issues like the clients browser not redirected to guest portal after the session expired.

But that is for another topic.

mixig · November 13, 2020, 9:15am

Hi, we have the same issue on 2.4.2 r14 (cloud), first time client is registered and as he move to another AP it pops up sign in… same subnet, same SSID, same portal.
cnMaestro managed roaming is NOT CHECKED.

With this every time when client is switched to another AP he needs to press pop up (sign-in), this is not normal and with that we need to turn of the Captive Portal
All APs are on 3.11.4.1 r3.

Please advice solution for this issue.

Thnaks

PFR · November 13, 2020, 8:21pm

Please show what u have under Guest Portal → Access in sections

Renewal Frequency ?

Session Duration ?

mixig · November 17, 2020, 9:24am

Hi,

I found the problem for my issue, for that particular WLAN (SSID) we enabled option MAC Authentication Fallback and in Configuration-> Association ACL select Default Access DENY and below put/add one MAC address (allow) (Cambium guide)
This setup is allowing us that particular device don’t be asked for login (no captive portal), but drawback is know that user must be registered (sign in) on each AP. After we disabled MAC Authentication Fallback everything start work as expected.

Workaround we created additional WLAN for that AP group with PSK to make that particular device be connected to the network.

My question is, what is the proper configuration to enable some device to be connected with MAC auth to SSID which has cpative portal and avoid issue we have in the first place (post above)

cireddy · November 17, 2020, 10:47am

The use case of MAC Authentication Fall Back is. “allow wireless clients to connect to guest enabled SSID, which are not capable of doing guest access authentication”

The configuration shall follow below flow,

Configure Guest enabled SSID with MAC authentication fall back
Configure MAC authentication data base like AP internal DB / cnMaestro / external RADIUS

When client connects AP does MAC authentication, if MAC authentication fails, clients will be redirected for guest access. If MAC authentication is successful, clients will be given internet access.

Clients roaming has to be seamless

Help me with the below answer,

AP model and firmware version
cnMaestro type like Cloud or OnPremises
If on premises version is used, what is the version number

mixig · November 17, 2020, 12:31pm

Hi,
Ap models are 502s, firmware 3.11.4.1 r3 and cnmaestro is cloud version 2.4.2 r14.

Thanks

mixig · December 2, 2020, 1:38pm

Same story on another cnmaestro, another customer, AP firmware / model sre the same, cnmaestro cloud.
Tried with few more older firmwares, no differences.