ArubaOS and Controllers

Occasional Contributor II
Posts: 12
Registered: ‎04-02-2007

802.1x reauth timers

As a second piece to my previous post: while looking into the other issue I just posted, "Auth Server Group Order", I found that there are a number of clients using 802.1x authentication that attempt to authenticate every 15-30 seconds. I have looked into the controller and verified that the reauthentication interval is set to 86400 seconds and that in the user profile the reauthentication check box is not checked. I have checked and am not able to see anything that points to the client side for this issue. Any help is greatly appreciated.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x reauth timers

Can you post the logs that show the clients authenticating that frequently?
Occasional Contributor II
Posts: 12
Registered: ‎04-02-2007

Re: 802.1x reauth timers

10.0.3.12 RADIUS gcampbell-11 usdsecure authentication ACCEPT Mar 17, 2010 07:10:48 PDT
10.0.3.12 RADIUS gcampbell-11 usdsecure authentication ACCEPT Mar 17, 2010 07:10:02 PDT

10.0.3.12 RADIUS chealey usdsecure authentication ACCEPT Mar 17, 2010 07:08:27 PDT
10.0.3.12 RADIUS chealey usdsecure authentication ACCEPT Mar 17, 2010 07:08:19 PDT
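
The following is an added example, not part of the original thread: a small Python script that parses log lines in the layout posted above and reports, per user, the gaps between successive ACCEPTs that fall far below the configured 86400-second reauthentication interval. The field names, the 300-second threshold and the extra "jdoe" line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four lines copied from the post above, plus one constructed line (user
# "jdoe") showing a client that authenticated only once.
SAMPLE_LOG = """\
10.0.3.12 RADIUS gcampbell-11 usdsecure authentication ACCEPT Mar 17, 2010 07:10:48 PDT
10.0.3.12 RADIUS gcampbell-11 usdsecure authentication ACCEPT Mar 17, 2010 07:10:02 PDT

10.0.3.12 RADIUS chealey usdsecure authentication ACCEPT Mar 17, 2010 07:08:27 PDT
10.0.3.12 RADIUS chealey usdsecure authentication ACCEPT Mar 17, 2010 07:08:19 PDT
10.0.3.12 RADIUS jdoe usdsecure authentication ACCEPT Mar 17, 2010 07:01:00 PDT
"""

# Assumed field layout: server, "RADIUS", user, network name, "authentication",
# result, timestamp, time-zone abbreviation. The zone token is matched but
# ignored; all lines in one export are assumed to share the same zone.
LINE_RE = re.compile(
    r"^(?P<server>\S+) RADIUS (?P<user>\S+) (?P<network>\S+) authentication "
    r"(?P<result>\S+) (?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) \S+$"
)

def accept_times(log_text):
    """Map each user to the timestamps of their ACCEPT entries."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "ACCEPT":
            times[m["user"]].append(
                datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S"))
    return times

def short_reauth_gaps(log_text, threshold_s=300):
    """Return {user: [gap_seconds, ...]} for gaps shorter than threshold_s."""
    flagged = {}
    for user, stamps in accept_times(log_text).items():
        stamps.sort()  # the log is newest-first; order oldest-first
        gaps = [int((b - a).total_seconds())
                for a, b in zip(stamps, stamps[1:])]
        short = [g for g in gaps if g < threshold_s]
        if short:
            flagged[user] = short
    return flagged

if __name__ == "__main__":
    for user, gaps in short_reauth_gaps(SAMPLE_LOG).items():
        print(f"{user}: gaps between ACCEPTs (s): {gaps}")
```
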
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x reauth timers

Could these be roaming events? If Opportunistic Key Caching is not enabled or the client doesn't support OKC, each roam event will require a full dot1x reauth.
Occasional Contributor II
Posts: 12
Registered: ‎04-02-2007

Re: 802.1x reauth timers

We do have a very dense deployment; it is possible that ARM is helping to move clients to different access points in the classrooms, causing this behavior. This could explain why it is only some users and not all users.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x reauth timers

Just for clarity, ARM makes sure the APs are on the best power and channel settings and can help with co-channel interference, band steering, passive load balancing and air-time fairness, but it is never an "active" act. What that means is the roaming, load balancing and all other client-affecting features are up to the client drivers and NIC. If a client doesn't want to roam to a new AP, there is nothing Aruba can do to make it roam. We can ease the roaming transition with OKC, but that's about it. Even load balancing and band steering are up to the client. We can ignore 2.4GHz association attempts and hope it moves to 5GHz, but we can't force it and may have to eventually let it connect at 2.4GHz. We can ignore associations on over-loaded APs, but only for a short time and then we have to let it on so that we don't affect client connectivity.

If you have a very dense deployment, I would suspect you are seeing roaming events. You may want to check out OKC and see if you can help out your client roaming times.
Occasional Contributor II
Posts: 12
Registered: ‎04-02-2007

Re: 802.1x reauth timers

Yes, that is true; all of that is based on the client drivers. Where is the OKC so that I can take a look at that and see if that helps with the roaming that we are seeing?
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: 802.1x reauth timers

It is under Configuration > Authentication > AAA Profiles tab > Open the AAA profile you use for these users > 802.1x Authentication Profile > Advanced tab

Or, you can do "show aaa authentication dot1x <802.1x auth profile name>" from the CLI. There are really no knobs, it is either enabled or disabled. If your clients support it, you should enable it. If the clients don't support it, you should leave it disabled.
MVP
Posts: 492
Registered: ‎04-03-2007

Validate PMKID

If you enable OKC, be sure to also enable "Validate PMKID".
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II
Posts: 12
Registered: ‎04-02-2007

Re: 802.1x reauth timers

Thanks Ryan. What has been your experience, also being in Higher Ed, with client support for OKC?