Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Multiple Auths

  • 1.  CPPM - Multiple Auths

    MVP
    Posted Jan 31, 2014 11:47 AM

    Hey All,

     

    So we have CPPM with IAPs in an office. We are using AD to authenticate users via WPA2-AES. However, we are seeing a lot of requests coming into Access Tracker for all of the users; we have requests about every 10 minutes and every 5 minutes for some users. This may be causing an issue with some of the users' connectivity because they are receiving timeouts. I understand the requests are coming into CPPM and CPPM is not asking for them, but is there a way to make the re-auths less frequent? Ideally we would prefer to have every 1 hour if possible instead of every 5 to 10 minutes.

     

    Thanks!

     

    Attached is an example of a user.



  • 2.  RE: CPPM - Multiple Auths

    Posted Jan 31, 2014 12:25 PM

    Do you have reauthentication enabled in your dot1x profile?  If so, what is the timer set to?

     

    Do you have opportunistic key caching and validate PMKID enabled in your dot1x profile?

     

    Are your clients mobile and roaming often or stationary?



  • 3.  RE: CPPM - Multiple Auths

    MVP
    Posted Jan 31, 2014 12:28 PM

    Clients are stationary for the most part; we have a PC attached to a TV that is stationary and is having the same issues as the employee devices.

     

    As far as the dot1x profile, we are using Instant AP105s and I wasn't able to find the reauth interval. I also don't believe the opportunistic key caching or PMKID validation is available either.

     

    Thanks!



  • 4.  RE: CPPM - Multiple Auths

    Posted Jan 31, 2014 04:23 PM

    If this client were a smartphone, it would be very usual to see a lot of authentication requests, since the smartphone is probably roaming around and is going on and off WiFi (if the smartphone goes to standby it will go off WiFi).

     

    For each roaming action and/or each re-association a full 802.1X authentication will happen unless the client has support for OKC or 802.11r (most smartphones will not).

     

    If you are seeing a RADIUS timeout in CPPM and the client is a smartphone, it is possible the alert message would be "Client did not finish EAP transaction". In this case the client has started the 802.1X authentication but did not finish it; this could be due to the user roaming through the building.



  • 5.  RE: CPPM - Multiple Auths

    Posted Feb 01, 2014 08:19 AM

    OKC should be available.  What version of IAP OS are you running?

     

    Looks like OKC was added in version 6.3.1.1-4.0.  Here are the release notes: http://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/Instant_overview/FeaturesInthisRelease.htm
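
Added example, not part of any post above: one way to check from authentication records whether the frequent requests discussed in this thread follow AP changes (roaming without OKC/802.11r) or repeat on the same AP. The CSV layout, column names (`timestamp`, `client_mac`, `ap_name`, `status`) and sample rows are constructed assumptions, not a ClearPass export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample; column names are hypothetical, not a ClearPass export schema.
SAMPLE = """timestamp,client_mac,ap_name,status
2014-01-31 09:00:00,aa:bb:cc:00:00:01,ap-lobby,ACCEPT
2014-01-31 09:10:00,aa:bb:cc:00:00:01,ap-lobby,ACCEPT
2014-01-31 09:20:00,aa:bb:cc:00:00:01,ap-lobby,TIMEOUT
2014-01-31 09:30:00,aa:bb:cc:00:00:01,ap-lobby,ACCEPT
2014-01-31 09:00:00,aa:bb:cc:00:00:02,ap-lobby,ACCEPT
2014-01-31 09:05:00,aa:bb:cc:00:00:02,ap-hall,ACCEPT
2014-01-31 09:10:00,aa:bb:cc:00:00:02,ap-lobby,ACCEPT
2014-01-31 09:00:00,aa:bb:cc:00:00:03,ap-hall,ACCEPT
2014-01-31 10:00:00,aa:bb:cc:00:00:03,ap-hall,ACCEPT
"""

def summarize(text, target_minutes=60):
    """Per client: median gap between auths, AP changes, timeouts, verdict."""
    by_mac = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        by_mac[row["client_mac"]].append((ts, row["ap_name"], row["status"]))
    report = {}
    for mac, events in by_mac.items():
        events.sort()  # chronological order per client
        pairs = list(zip(events, events[1:]))
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in pairs]
        roams = sum(1 for a, b in pairs if a[1] != b[1])  # AP changed between auths
        same_ap = len(pairs) - roams
        med = median(gaps) if gaps else None
        if med is None or med >= target_minutes:
            verdict = "ok"
        elif roams > same_ap:
            verdict = "roaming"            # full 802.1X on each AP change
        else:
            verdict = "repeat-on-same-ap"  # look at reauth timer or session drops
        report[mac] = {"median_gap_min": med, "roams": roams, "same_ap": same_ap,
                       "timeouts": sum(e[2] == "TIMEOUT" for e in events),
                       "verdict": verdict}
    return report

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```

A stationary client that lands in `repeat-on-same-ap` is not explained by roaming, which narrows the questions asked in post 2 to the reauthentication timer and session drops.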