
(I first posted this here, but it was suggested to be more on topic here)

I want to run the "same" WLAN in two independent sites (in different cities) in such a way that a user once connected to the WLAN in City A can easily connect in City B as well. As it turned out, just using the same SSID FOOBAR won't work. For example, on Windows boxes, you have to remove the known FOOBAR and then search again for available WLANs - apparently, the FOOBAR "here" is somehow different from the FOOBAR "there". In a way, it is understandable that just publishing the same SSID name should not be sufficient - after all, anybody could just set up popular SSIDs, have walk-by clients attempt to automatically log in with their credentials, and collect the data.

While both sites have their own WiFi management (a Sophos UTM), in the background all essentials should be the same: Authentication is via a common RADIUS server (connected to both sites via tunnel) and thereupon by MSCHAP via a common Windows AD server. So my question is: What else must be kept in sync between my two cities in order to make the WLANs the "same" in a manner sufficient to allow automated connect to the second site the same way one re-connects to the first site? Is it some kind of private key or shared secret perhaps? In another forum, they suggested using the same DNS server IPs in both sites, but this appeared not to work for me. (However, one thing I cannot make the same in both sites is the IP range.)

In case the answer depends on the type of clients, I am primarily interested in Windows 10 systems, but also iPhone/Android smartphones.

Hagen von Eitzen
  • I'm afraid the different MAC addresses of the APs give you this trouble. – AtomiX84 Apr 29 '19 at 15:00
  • @AtomiX84 But I have several APs (hence different MACs) per site anyway - and can roam freely between the APs of one site / reconnect to any(?) AP of the same site. – Hagen von Eitzen Apr 29 '19 at 15:06
  • @AtomiX84 This is obviously possible, since I can connect to `xfinitywifi` hotspots all around the country. – Barmar Apr 30 '19 at 19:32

2 Answers


Your error is probably a mismatch in the encryption method used with the access points, so that the two sites don't match. To be exact, it can be 3 things:

WPA2 Enterprise vs. WPA mismatch, TKIP / AES settings mismatch, or the channel type, aka 5 GHz vs. 2.4 GHz mismatch.

See the chart to be exact: you can see the authentication for the RADIUS server in the brown box; the others are the encryption used for the Wi-Fi.

[image: chart of Wi-Fi authentication and encryption options; the RADIUS-based authentication is in the brown box]

yagmoth555
  • Thank you, that looked helpful. However, I checked: Both sites use "WPA2 Enterprise"; both use "AES (safe)"; while the WLAN managers allow "2.4 or 5 GHz", every single AP is restricted to the 2.4 GHz band (with auto channel); other identical settings are client isolation=yes, hide SSID=no, U-APSD=yes, fast transition=no, MAC filter=none. One difference I now found is this: Site A is set to "bridge client traffic to VLAN xy", site B has "bridge client traffic to AP's LAN". Judging by what VLAN differences do in a wired situation, I don't think that's it, but who knows (I don't, apparently). – Hagen von Eitzen Apr 30 '19 at 09:02
  • What about the TLS phase? That involves a server certificate, doesn't it? But going by the diagram, that would be of the RADIUS server, hence common (I think - could I unintentionally have used different certs for different RADIUS clients? I'll try to look into this) – Hagen von Eitzen Apr 30 '19 at 09:05
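A practical way to check the items this answer lists (security type, cipher, 802.1X) together with the server-certificate question raised in the comments is to export the saved FOOBAR profile from a Windows 10 client after it has connected at each site and compare the security sections side by side. The script below is an added example written for this page; it is not code from the original post, from Sophos or from Microsoft. It assumes the profiles were exported with `netsh wlan export profile name="FOOBAR" folder=C:\temp key=clear` (a real netsh command); the two embedded profiles are constructed samples, abridged from the shape of such an export, and the server name and CA thumbprints in them are made up.

```python
"""Compare the security settings of two exported Windows WLAN profiles.

Added example for the answer above; it is not code from the original
post or from Sophos/Microsoft. Export the saved FOOBAR profile on a
client that has connected at each site with

    netsh wlan export profile name="FOOBAR" folder=C:\\temp key=clear

and pass both files to compare_profiles(). The two profiles below are
constructed samples (abridged from the shape of a real export); the
hostname and thumbprints in them are made up.
"""
import xml.etree.ElementTree as ET

# Elements whose text must agree for the client to treat both sites as one
# network: security type, cipher, 802.1X, and the RADIUS server validation
# settings (TrustedRootCA is the thumbprint of the CA that signed the
# RADIUS server's certificate; a different cert per site shows up here).
FIELDS = (
    "authentication",                       # WPA2 vs WPA (or WPA3)
    "encryption",                           # AES vs TKIP
    "useOneX",                              # 802.1X/RADIUS on or off
    "ServerNames",                          # expected RADIUS cert subject
    "TrustedRootCA",                        # pinned CA thumbprint
    "DisableUserPromptForServerValidation",
)


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def extract_security(xml_text):
    """Return the security-relevant settings of one exported profile."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "SSID":
            # SSIDConfig/SSID/name is the broadcast SSID; the top-level
            # <name> is only the profile's display name.
            for child in el:
                if _local(child.tag) == "name":
                    found["ssid"] = (child.text or "").strip()
        elif tag == "EapMethod":
            # EapMethod/Type: 25 = PEAP, 13 = EAP-TLS, 21 = EAP-TTLS
            for child in el:
                if _local(child.tag) == "Type":
                    found["eapType"] = (child.text or "").strip()
        elif tag in FIELDS and tag not in found:
            found[tag] = (el.text or "").strip()
    return found


def compare_profiles(xml_a, xml_b):
    """Return {field: (site_a_value, site_b_value)} for every mismatch."""
    a, b = extract_security(xml_a), extract_security(xml_b)
    keys = ("ssid", "eapType") + FIELDS
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


# Constructed sample for site A (structure abridged from a real export).
SITE_A = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>FOOBAR</name>
  <SSIDConfig><SSID><name>FOOBAR</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
          </EapMethod>
          <Config>
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>radius.example.com</ServerNames>
              <TrustedRootCA>11 22 33 44</TrustedRootCA>
            </ServerValidation>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Constructed sample for site B: same SSID, but TKIP and a different CA.
SITE_B = (SITE_A
          .replace("<encryption>AES</encryption>", "<encryption>TKIP</encryption>")
          .replace("11 22 33 44", "55 66 77 88"))

if __name__ == "__main__":
    for field, (a_val, b_val) in compare_profiles(SITE_A, SITE_B).items():
        print(f"{field}: site A = {a_val!r}, site B = {b_val!r}")
```

With real exports, replace `SITE_A`/`SITE_B` by the contents of the two XML files. An empty result means the saved profiles agree on everything the client checks before auto-connecting; any line printed is a setting to align on one of the two UTMs (or, for `TrustedRootCA`/`ServerNames`, on the RADIUS side). The other half of the same comparison is what the access points advertise: `netsh wlan show networks mode=bssid` on the client lists the authentication and encryption per BSSID at the site you are standing in.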

Not an answer, but I have a VERY similar setup: 5 WAPs in 5 different locations. Same SSID, same encryption type, same password. Users can easily travel between sites without the need to re-authenticate or reconfigure wireless networking. Wireless access points are Cisco Aironet and clients are Windows 10 Dell laptops.