Hi - Yes, I'm not currently using it as managed - I've edited all three AP's individually manually.
You don't have to use the managed to have the fast roaming although managed does save you entering the same details into all the AP's
I've also tried different Radius servers. If you turn on the logging and look at the logs you can see the devices failing to authenticate and then later authenticate without me changing anything. In my opinion there is something seriously wrong with the fast roaming and the Radius server mode. Spent a lot of time on it but not for the last few weeks as have had other priorities.

Jon

We have not experienced any issue with the roaming yet and have it set up on multiple sites. None use the built in radius though its all AD and NPS.
Some site are also running multiple VLANs and they all roam fine.

sicon wrote: We have not experienced any issue with the roaming yet and have it set up on multiple sites. None use the built in radius though its all AD and NPS.
Some site are also running multiple VLANs and they all roam fine.

So what mode are you using?
Do you have it configured as 802.1x in the mode if you do then you would need a radius server to authenticate with and that is where the problem seems to be. My problems occur whether it is a built in Radius server or an external one it does seem to make any difference

Jon

The RADUIS is part of the NPS policy on the 2012 R2 server,
There is then a policy/restriction to only allow users who are part of a certain security group to log on to the Wifi.
Yes it is 802.1X - the server then authenticates the access points with a Shared Secret.
The mode is mixed G & N only

The guest Wifi is just normal WPA2/PSK

Hi Sicon - The problems all seem to occur when Mode within the security section is set to have 802.1x e.g wpa2/802.1x

I agree the guest Wifi should be WPA2/PSK in the mode, but what do you have the mode within the security section set to for the main users?
Perhaps the use of "Mode" in different contexts is confusing things here.

It would need to be wpa2/802.1x in my opinion and then you need to configure the AP900 to use the Radius server on the Server 2012. I don't have AD setup here but have tried it against different Radius servers and the problem still exists. Its not that it never authenticates it is just that it doesn't always and you can see it in the AP900 syslogs which causes it to lose wifi connection normally on hand over.

Jon

So is quality roaming doable using just Draytek routers and APs and, if so, is it better with or without radius? Or is it better just to have a different SSID on each AP?