Occasional Contributor II

IAP and dot1x: too frequent reauth for windows AD clients

Hi,

Could anyone point to a known issue or bugfix, or maybe a similar experience, just to be certain that the software release was the source of the issue?

I have a customer with two IAP-205s, and the main corporate network uses 802.1X authentication via RADIUS (MS Server 2008 R2 tied to AD), with regular AD user/pass (not certificates).

Additionally, we differentiate users by their AD groups, and they are given RADIUS VLAN values: normal users are given one VLAN (vlan2) and superusers are given a second VLAN (vlan 5). Wired traffic is handled similarly.

I'm having issues where AD Windows clients (all versions: 7, 8 and 10) authenticate too frequently. Way too frequently, like once every 5 minutes or even more often. Association time is constantly changing and updating in our Airwave server for these clients every 2-5 minutes. Mac OS users seem to work okay and don't do frequent auth. The reauth timer set in the Instant config is 24hrs. Wired Windows clients don't have such issues.

Roaming is not an issue, as secondary AP is far away (second part of the building) and not seen by clients.


Not only that, for some reason and with random occurrence (like once an hour or even more often), auth fails and customers get dropped (and only Windows AD clients).

The symptoms are that the WLAN stays connected, but no traffic flows (no ping to gw). After a minute or two, a new successful auth is made (automatically) and traffic can flow again.

The secondary guest SSID is working fine (both 2.4G and 5G).

Now, everything got fixed when we upgraded the IAPs to 6.5.4 (and we had to upgrade our AW to 8.2.5).

The previous (faulty) software was 6.5.1.5-4.3.1.6, as it was the "official" standard release for the WPA2 security patch that worked with our AW 8.2.3.1 production server.

AFAIK, I didn't see any similar issues being fixed or mentioned in the release notes.

Guru Elite

Re: IAP and dot1x: too frequent reauth for windows AD clients

It would be hard to say if we cannot examine your live "older" system to determine what was causing your reauthentication problem.  It could be a combination of configuration, clients, environment, or even software code that was causing your issue.  It also might have been client-match settings.  There is no one single thing that causes frequent reauths.  Without looking at your old system that shows why the client disconnected in the first place, it would be hard to tell.



Colin Joseph
Aruba Customer Engineering
