Security

Reply
MVP
Posts: 342
Registered: ‎05-09-2013

CPPM - Multiple Auths

Hey All,

 

So we have CPPM with IAPs in an office. We are using AD to authenticate users via WPA2-AES. However, we are seeing a lot of requests coming into Access Tracker for all of the users, we have requests about every 10 minutes and every 5 minutes for some users. This may be causing an issue with some of the user's connecitivities because they are receiving timeouts. I understand the requests are coming into CPPM and CPPM is not asking for them, but is there a way to make the re-auth's less frequent? Ideally we would prefer to have every 1 hour if possible instead of every 5 to 10 minutes.

 

Thanks!

 

Attached is an example of a user.


Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: CPPM - Multiple Auths

Do you have reauthentication enabled in your dot1x profile?  If so, what is the timer set to?

 

Do you have opportunistic key caching and validate PMKID enabled in your dot1x profile?

 

Are your clients mobile and roaming often or stationary?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 342
Registered: ‎05-09-2013

Re: CPPM - Multiple Auths

Clients are stationary for the most part, we have a PC attached to a TV that is stationary and is having the same issues as the employee devices.

 

As far as dot1x profile, we are using Instant AP105's and I wasn't able to find the reauth interval. I also don't believe the opportunistic key caching or PMKID validation is available either.

 

Thanks!


Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
MVP
Posts: 130
Registered: ‎06-11-2013

Re: CPPM - Multiple Auths

If this client would be a smartphone it is very usual too see a lof of authentication requests since the smartphone is probably roaming around and is going on and off WiFi (if the smartphone goes to standby it will go off WiFi).

 

For each roaming action and/or each re-association a full 802.1X authentication will happen unless the client has support for OKC or 802.11r (most smartphones will not).

 

If you are seeing a RADIUS timeout in CPPM and the client is a smartphone it is possible the alert message would be "Client did not finish EAP transaction". In this case the client has started the 802.1X authentication but did not finish it, this could be due to user roaming through the building.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: CPPM - Multiple Auths

[ Edited ]

OKC should be available.  What version of IAP OS are you running?

 

Looks like OKC was added in version 6.3.1.1-4.0.  Here are the release notes: http://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/Instant_overview/FeaturesInthisRelease.htm

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Search Airheads
Showing results for 
Search instead for 
Did you mean: