Occasional Contributor II
Posts: 16
Registered: ‎01-16-2015

timer wpa-key-period

Hello,

 

I have some client disconnections in my wifi system. I read this in the controller log:

 

<132093> |AP IAP-225-n16@192.168.1.16 stm| WPA2 Key message 2 from Station 08:d8:33:xx:xx:xx 18:64:72:xx:xx:xx IAP-225-n16 did not match the replay counter 02 vs 04

I read that it is a good idea to change the "timer wpa-key-period" parameter to a bigger one.

 

I had set it to 1000ms and changed it to 2000ms.

 

Does anyone have experience changing this parameter? What would be a good number?

 

Regards.

Guru Elite
Posts: 8,045
Registered: ‎09-08-2010

Re: timer wpa-key-period

You should open a TAC case before changing timers. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 16
Registered: ‎01-16-2015

Re: timer wpa-key-period

Hello Tim,

 

Why could I open a TAC case?

 

Mostly the disconnection happens on some specific Android devices. Is it possible to apply this AAA profile to some MAC addresses?

 

I will appreciate any help.

Guru Elite
Posts: 8,045
Registered: ‎09-08-2010

Re: timer wpa-key-period

I always like to advise that you work with Aruba TAC when changing timers as they are often sensitive changes that can cause other issues.

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 4,116
Registered: ‎07-20-2011

Re: timer wpa-key-period

You should start by updating the drivers on your device.
https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/R-450
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Moderator
Posts: 321
Registered: ‎08-28-2009

Re: timer wpa-key-period

josu-k35

I'll be preparing a forum post on this soon enough (next week I hope). Values over 1000ms are problematic for recent Apple devices at a minimum, and you should exercise care in using anything greater than a few hundred msec.

 

And yes, TAC are guilty of using slapdash values - myself included and it is for this reason I recently discovered a problem with iOS8 and the usual values that we like to use on these timers (long story short, if the time is too long between eap-success and wpa2-key1, Apple device appears to start to scan and is gone by the time controller starts key exchange, which ends up seriously prolonging the exchange or failing completely)

 

Please reset all timers to default, ensure you have eapol rate optimisation turned on in the SSID profile, and see how the client behaves from auth trace buf under 'regular' conditions.

 

You can also look at enabling 'packet-capture wifi-client' and taking a look at the actual transaction (more or less mirrors the auth trace buf, but better granularity) to see what is going on.

 

regards

-jeff
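
For checking whether the mismatches really cluster on a few device models before any timer is touched, the following is an added example (not part of the original posts and not Aruba tooling). It tallies log lines in the format quoted in the first post by station, OUI and AP; the sample lines are constructed, and reading the two counters as hex is an assumption.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}"  # 'x' tolerated because logs are often masked
LINE_RE = re.compile(
    r"<(?P<msgid>\d+)>\s*\|AP (?P<ap>[^@\s]+)@(?P<ap_ip>[0-9.]+) stm\|\s*"
    r"WPA2 Key message (?P<key_msg>\d) from Station (?P<station>" + MAC + r") "
    r"(?P<bssid>" + MAC + r") \S+ did not match the replay counter "
    r"(?P<first>[0-9a-f]+) vs (?P<second>[0-9a-f]+)",
    re.IGNORECASE,
)

# Constructed sample: same layout as the line quoted in the thread; MAC suffixes,
# the second AP and the non-matching last line are made up for this example.
SAMPLE_LOG = """\
<132093> |AP IAP-225-n16@192.168.1.16 stm| WPA2 Key message 2 from Station 08:d8:33:00:00:01 18:64:72:00:00:10 IAP-225-n16 did not match the replay counter 02 vs 04
<132093> |AP IAP-225-n16@192.168.1.16 stm| WPA2 Key message 2 from Station 08:d8:33:00:00:01 18:64:72:00:00:10 IAP-225-n16 did not match the replay counter 01 vs 02
<132093> |AP IAP-225-n07@192.168.1.7 stm| WPA2 Key message 2 from Station 08:d8:33:00:00:02 18:64:72:00:00:20 IAP-225-n07 did not match the replay counter 01 vs 03
<132093> |AP IAP-225-n07@192.168.1.7 stm| WPA2 Key message 4 from Station ac:de:48:00:00:09 18:64:72:00:00:20 IAP-225-n07 did not match the replay counter 03 vs 04
<199999> |AP IAP-225-n07@192.168.1.7 stm| unrelated constructed line
"""

def parse_line(line):
    """Return the fields of one replay-counter mismatch line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["station"] = rec["station"].lower()
    rec["oui"] = rec["station"][:8]  # first three octets identify the vendor
    # Assumption: both counters are printed in hex; gap is their distance.
    rec["gap"] = abs(int(rec["second"], 16) - int(rec["first"], 16))
    return rec

def summarize(log_text):
    """Count mismatches per station, OUI and AP, and report the largest gap."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_station": Counter(r["station"] for r in recs),
        "by_oui": Counter(r["oui"] for r in recs),
        "by_ap": Counter(r["ap"] for r in recs),
        "max_gap": max((r["gap"] for r in recs), default=0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
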
