Controllerless Networks

Occasional Contributor II
Posts: 18
Registered: ‎03-21-2016

Macbook Reauthentication takes too long while roaming

Hi,

Our setup:

- RADIUS against Windows Server 2008 R2 NPS
- OKC, 802.11k, 802.11v enabled

Linux users roam totally fine with a small hiccup of about 1 second, but Mac users often lose connection for up to 20 seconds and stay in the authenticating state.

All our MacBooks are affected. It makes no difference whether we terminate EAP at the APs or not.

The only approach that helped was to use VC internal authentication. Then the MacBooks were authenticating with PEAP-GTC and roaming was just as fine as with Linux. But this is no way to go because we can't maintain our users twice.

We are using the current EA release.

Thanks for your help

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Macbook Reauthentication takes too long while roaming

On a test client, try going into keychain, locating the RADIUS server cert
and changing its permission to Full Trust. See if you have the same issue
after that.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: ‎03-21-2016

Re: Macbook Reauthentication takes too long while roaming

Already tried that with the whole cert chain. Furthermore, I've tested it with termination and without. Doesn't change anything.

Occasional Contributor II
Posts: 18
Registered: ‎03-21-2016

Re: Macbook Reauthentication takes too long while roaming

I see a difference between the Windows NPS server and the internal RADIUS.

While the NPS server authenticates with MSCHAPv2, the internal RADIUS server implements EAP-GTC.

Is it possible to set up a FreeRADIUS server which defaults to EAP-GTC with MSCHAP as fallback for Windows clients?

//Edit: We ended up with an ugly but working solution. We've set up another SSID for Apple devices, authenticating against LDAP with termination enabled. Sadly, Aruba Instant firmware doesn't allow binding to encrypted LDAP. Hopefully the main problem and LDAPS can be fixed.
