I have been investigating issues with our laptops whereby they would freeze and become generally unresponsive when changing area and thus changing they connected WAP. This was causing big problems for staff who teach in multiple rooms and regularly change between wired and wireless connections.
We have a combination of HP ProCurve 420WW and HP ProCurve M110 AP’s. All AP’s are required to use 802.1x authentication against a Windows Server 2008 NPS. Two servers run this role – for resiliency.
Wireless settings for the clients are configured through Group Policy and enforced to all machines – specifying the connection protocols, authentication types, etc.
In the client connections, Fast Reconnect was enabled, as we knew users were going to be roaming across AP’s. However, the setting was not set on the server. This meant that although the client was permitted to allow Fast Re-connections, the server was rejecting fast reconnection attempts. I assume that the client continued to try Fast Reconnect, but it was continually being rejected by the server, and causing the client to freeze whilst it attempted the connection.
In NPS you need to enable the Fast Reconnect setting for your PEAP connection by:
- Expand Policies then Network Policies
- Open up your Wireless Policy.
- Select the Constraints tab, then Authentication
- Under EAP Types select Microsoft Protected EAP and then click Edit
- Make sure that Fast Reconnect is enabled.
As far as I know the setting takes effect the next time that a client completes a full authentication to the RADIUS server.
Another item to check, is that all the wireless AP’s authenticate to the same NPS server. Fast Reconnect only works for clients and AP’s that are connecting to the same RADIUS server. In my scenario I have set every AP to direct requests to a single RADIUS server, and fall back to a different secondary server. If the AP’s are assigned to a different RADIUS server, then a full authentication will occur every time that you change AP that has a different RADIUS server.
