ssanga
Staff & Editor
November 5, 2024

Troubleshooting Tip: Client VLAN ID and Preshared Key are lost after roaming between two APs

Description

This article describes how to address an issue where the client’s VLAN ID and pre-shared key are lost after roaming between two APs on an SSID configured with a Multiple Pre-shared Key (MPSK) profile with Fast BSS Transition enabled.

Scope

FortiGate v7.4.5, v7.6.0

Solution

When an SSID with an MPSK profile is broadcast across two or more FortiAPs, the client initially receives an IP address from the correct VLAN ID.
However, upon roaming from one AP to another, the VLAN ID and pre-shared key are lost, resulting in connectivity issues.

Sample Configuration:

config wireless-controller vap
    edit "wifi"
        set ssid "WiFi_SSID"
        set fast-bss-transition enable
        set schedule "always"
        set mpsk-profile "mac-mpsk-st"
        set dynamic-vlan enable
        set quarantine disable
    next
end

config wireless-controller mpsk-profile
    edit "mac-mpsk-st"
        config mpsk-group
            edit "mpsk-grp1"
                set vlan-type fixed-vlan
                set vlan-id 100
                config mpsk-key
                    edit "key1"
                        set passphrase ENC
                    next
                end
            next
        end
    next
end

Behavior before roaming:

diag wireless-controller wlac -d sta online
vf=0 mpId=0 wtp=4 rId=2 wlan=wifi vlan_id=100 ip=10.100.80.2 ip6=fe80::1cdc:a003:61c1:f7a9 mac=26:20:f6:33:96:30 vci= host= user= group= signal=-45 noise=-95 idle=4 bw=8 use=5 chan=161 radio_type=11AX_5G security=wpa2_only_personal mpsk=p1 encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2

Behavior after roaming:

diag wireless-controller wlac -d sta online
vf=0 mpId=0 wtp=3 rId=2 wlan=wifi vlan_id=0 ip=192.168.10.2 ip6=:: mac=26:20:f6:33:96:30 vci= host= user= group= signal=-39 noise=-95 idle=2 bw=0 use=5 chan=153 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
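
The symptom in the two outputs above can be checked for automatically. The following Python is an added example, not part of the original article or of any Fortinet tooling: it parses `sta online` output and flags stations on an MPSK SSID that report vlan_id=0 or an empty mpsk= field. It assumes a changed wtp value means the client moved to another AP; the 02:00:00:00:00:01 station lines are constructed.

```python
import re

# Station lines for 26:20:f6:33:96:30 are the article's before/after samples;
# the 02:00:00:00:00:01 lines are constructed (a client that roams correctly).
BEFORE = """\
vf=0 mpId=0 wtp=4 rId=2 wlan=wifi vlan_id=100 ip=10.100.80.2 ip6=fe80::1cdc:a003:61c1:f7a9 mac=26:20:f6:33:96:30 vci= host= user= group= signal=-45 noise=-95 idle=4 bw=8 use=5 chan=161 radio_type=11AX_5G security=wpa2_only_personal mpsk=p1 encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
vf=0 mpId=0 wtp=4 rId=2 wlan=wifi vlan_id=100 ip=10.100.80.3 mac=02:00:00:00:00:01 mpsk=p1 online=yes
"""
AFTER = """\
vf=0 mpId=0 wtp=3 rId=2 wlan=wifi vlan_id=0 ip=192.168.10.2 ip6=:: mac=26:20:f6:33:96:30 vci= host= user= group= signal=-39 noise=-95 idle=2 bw=0 use=5 chan=153 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
vf=0 mpId=0 wtp=3 rId=2 wlan=wifi vlan_id=100 ip=10.100.80.3 mac=02:00:00:00:00:01 mpsk=p1 online=yes
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # key=value; value may be empty ("mpsk=")


def parse_sta(output):
    """Map MAC -> field dict for each station line of 'sta online' output."""
    stations = {}
    for line in output.splitlines():
        fields = dict(FIELD.findall(line))
        if "mac" in fields and "wlan" in fields:
            stations[fields["mac"].lower()] = fields
    return stations


def lost_after_roam(before, after, mpsk_wlans):
    """Report stations on MPSK SSIDs whose VLAN or key name vanished."""
    old, findings = parse_sta(before), []
    for mac, cur in parse_sta(after).items():
        if cur["wlan"] not in mpsk_wlans:
            continue
        # vlan_id=0 or an empty mpsk= is the symptom shown in the article.
        if cur.get("vlan_id", "0") != "0" and cur.get("mpsk"):
            continue
        prev = old.get(mac, {})
        findings.append({
            "mac": mac,
            # Assumption: a changed wtp value means the client moved APs.
            "roamed": bool(prev) and prev.get("wtp") != cur.get("wtp"),
            "vlan": (prev.get("vlan_id"), cur.get("vlan_id")),
            "ip": (prev.get("ip"), cur.get("ip")),
        })
    return findings


if __name__ == "__main__":
    for finding in lost_after_roam(BEFORE, AFTER, {"wifi"}):
        print(finding)
```

A finding with a changed "ip" pair shows the client was re-addressed outside its assigned VLAN, which is the segmentation impact to confirm before and after upgrading.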

This issue has been resolved in FortiOS version 7.6.1.

Logs required by FortiGate TAC for investigation:

  1. Debugs:

diag debug application wpad 7
diag debug enable
diag wireless-controller wlac -c sta
diag wireless-controller wlac -d sta online

Reproduce the issue by roaming from one AP to another, then retrieve these debug log outputs:

diag wireless-controller wlac -d sta online
diag debug reset

  2. TAC Report:

execute tac report

  3. Configuration file of the FortiGate.