
Sophos XG: Fast transition / WiFi roaming does not work

Hi,

right now I do have an AP15 and AP55 at home.

 

Setup: In the upper floor I installed the AP55 and downstairs the AP15.

 

I make use of 7 different SSIDs and only two of them are also broadcasted by the AP 15 (yes, I enabled "Fast Transition" in both SSIDs), but the roaming does not work at all.

Whenever I go up- or downstairs I do have to disable / enable WiFi on my smartphone (Google Pixel XL), tablet (iPad Pro 2017) and notebook (MacBook 12 2017)

to switch the access points :-/

 

The firmware version of my Sophos XG Home Edition is SFOS 17.1.1 MR1.

 

Anyone out there knowing a solution to this hell of a problem?

 

Thanks in advance,

 

Markus



  • Probably means the devices can see a strong enough signal to not change APs. Try reducing your AP output level and see what effect that has?

    Ian

  • Roaming is a device task. So I would advise the same. If the radius of both APs cross too much, the client can get "confused".

  • I find the same issue with my environment - I have 6 sites quite apart that share the same SSID and I also find myself disabling / re-enabling my wifi to get it going.

    They are not connected to the old AP as it's well out of range.

    I find that if I have a FW rule to allow everything out it works fine - so clearly an authentication thing with XG

  • Hi Ian,

    I don't understand how a firewall rule affects internal AP roaming?

     

    Ian

  • Not so much Roaming but Authentication in my case.

  • Hi Ian,

    I am still having trouble with this firewall rule. Are you saying you have a rule between each of your APs and the assumed MS (authentication) server?

    Please explain in detail your AP connections to the XG.

    Thank you

    Ian

  • Sure 

    The WLAN users authenticate via RADIUS SSO to the XG

    So if the XG fails to Authenticate them they pass no traffic. The default Firewall rule blocks unauthenticated traffic in my case.

  • Hi Ian,

    I was contemplating trying RADIUS at home but decided against it because the MS server was requiring too many userids to be created and then there is how much pain is worth the experiment from the 'my internet is not working fixit brigade'?

    I can setup a number of Sophos APs but not SSO authentication.

    Ian

  • Believe me the RADIUS SSO is a real PITA if it doesn't work with devices dropping and the continuous turn wifi off / turn wifi on to re-authenticate

    For a Home install I would just reserve IPs for devices and use Clientless Users. Also no IT Support needed RIGHT now as the dogs wifi stopped during Dogtube

     

    Much less hassle and no need to worry about sharing the password to family.

     

    Here we have around 250 Users and 150 Wireless Devices and trust no one with a password LOL

  • My home network is quite complex, but will be simplified when the "NB" arrives. When I worked full time at IT stuff we used AD assigned groups to allow wifi access, though that does have holes which allows users with BYOD to logon to the wifi but not access any resources.

    Ian

  • I still apply Web policies and App policies by user so need RADIUS to identify them.

    I also like the ability to audit who did what when etc whereas a group is much harder.

     

    I do put some iPads into a group as these are locked down and I know the plebs can't abuse it

  • I am still struggling with the issue here.

    You are using the RADIUS SSO option or RADIUS accounting option with Sophos branded APs?

    As far as I know, the RADIUS mapping should not be involved in the roaming scenario because your client IP never changes after you roam to another AP, isn't it?

    Which AP solution do you use?

  • Sorry for the confusion.

     

    Not using Sophos APs - Meraki MR range

  • Ok! 

    Let's go through the next steps together.

    You have APs (nvm which one) and a RADIUS server.

    I "assume" you have split the broadcast domains into different subnet ranges?

     

    So basically you have something like: VLAN(Management) - XG - VLAN(Server). 

    In VLAN(Management) all the APs are connected.

    And in VLAN(Server) there is the RADIUS server?

     

    So basically the AP sends the RADIUS request through XG to the RADIUS server.

     

    Next step is, you are using the RADIUS requests as SSO on XG. So the accounting information from RADIUS gets sent to XG and XG can do the mapping from IP(Client) to Username.

     

    Am I right?

    Because at this point, I am not able to see whether the XG causes the issue because of a lack of feature or just because some firewall rule is missing in the communication between the connected components.
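
The mapping step described in the last post, as an added example that is not part of the original thread: a parser for RADIUS Accounting-Request packets (RFC 2866) feeding an IP-to-username table, replayed over a constructed roam in which the new AP's Start arrives before the old AP's Stop. The table logic, user name, address and session IDs are assumptions for illustration, not XG's or Meraki's implementation, and the Request Authenticator is not verified.

```python
import socket
import struct

# RFC 2865/2866 attribute types and Acct-Status-Type values
USER_NAME, FRAMED_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 8, 40, 44
START, STOP = 1, 2
REQUIRED = {USER_NAME, FRAMED_IP, ACCT_STATUS, ACCT_SESSION_ID}

def build_acct(status, user, ip, session):
    """Constructed Accounting-Request (code 4); authenticator left zeroed."""
    attrs = [(ACCT_STATUS, struct.pack("!I", status)), (USER_NAME, user.encode()),
             (FRAMED_IP, socket.inet_aton(ip)), (ACCT_SESSION_ID, session.encode())]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 4, 0, 20 + len(body), bytes(16)) + body

def parse_acct(pkt):
    """Return {attribute type: value} from an Accounting-Request."""
    length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
    if pkt[:1] != b"\x04" or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def replay(packets, session_aware):
    """Apply packets in order; return the IP -> (user, session) map."""
    mapping = {}
    for pkt in packets:
        a = parse_acct(pkt)
        if not REQUIRED <= set(a) or {len(a[ACCT_STATUS]), len(a[FRAMED_IP])} != {4}:
            continue  # e.g. no Framed-IP-Address: nothing to map
        status = struct.unpack("!I", a[ACCT_STATUS])[0]
        ip, sess = socket.inet_ntoa(a[FRAMED_IP]), a[ACCT_SESSION_ID].decode()
        if status == START:
            mapping[ip] = (a[USER_NAME].decode(), sess)
        elif status == STOP and ip in mapping:
            # The old AP's Stop can arrive after the new AP's Start.
            if not session_aware or mapping[ip][1] == sess:
                del mapping[ip]
    return mapping

# Constructed roam: same client IP, new AP's Start precedes the old AP's Stop.
ROAM = [build_acct(START, "alice", "10.0.20.15", "ap-up-01"),
        build_acct(START, "alice", "10.0.20.15", "ap-down-07"),
        build_acct(STOP, "alice", "10.0.20.15", "ap-up-01")]
```

With `session_aware=False` the late Stop empties the table even though the client IP never changed; matching on Acct-Session-Id keeps the mapping. Whether this ordering is what happens in the setup above is not established in the thread.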