Wireless Access

In the client trail-info, what does "APAE Disconnect" mean?

Client Trail Info
-----------------
MAC                BSSID              ESSID        AP-name   VLAN  Deauth Reason                 Alert
---                -----              -----        -------   ----  -------------                 -----
c4:62:ea:xx:xx:fe  00:0b:86:xx:xx:e8  osuwireless  krce-1-1  3296  STA has roamed to another AP  APAE Disconnect

Deauth Reason
-------------
Reason                            Timestamp
------                            ---------
STA has roamed to another AP      Feb  4 11:08:32
Internal deauth                   Feb  4 10:35:52
Response to EAP Challenge Failed  Feb  4 10:35:51
Internal deauth                   Feb  4 09:22:49
Internal deauth                   Feb  4 09:06:51
STA has roamed to another AP      Feb  4 08:56:57
Num Deauths:6

Alerts
------
Reason                            Timestamp
------                            ---------
APAE Disconnect                   Feb  4 11:10:56
STA has roamed to another AP      Feb  4 11:08:32
Internal deauth                   Feb  4 10:35:52
Response to EAP Challenge Failed  Feb  4 10:35:51
Unspecified Failure               Feb  4 10:35:17
Internal deauth                   Feb  4 09:22:49
Internal deauth                   Feb  4 09:06:51
STA has roamed to another AP      Feb  4 08:56:57
Num Alerts:8

Mobility Trail
--------------
BSSID              ESSID        AP-name   Timestamp
-----              -----        -------   ---------
00:0b:86:xx:xx:e8  osuwireless  krce-1-1  Feb  4 11:10:56
00:0b:86:xx:xx:e8  osuwireless  krce-1-1  Feb  4 11:08:32
9c:1c:12:xx:xx:30  osuwireless  krce-1-4  Feb  4 11:08:32
9c:1c:12:xx:xx:30  osuwireless  krce-1-4  Feb  4 10:35:52
9c:1c:12:xx:xx:30  osuwireless  krce-1-4  Feb  4 10:35:52
9c:1c:12:xx:xx:30  osuwireless  krce-1-4  Feb  4 10:35:51
9c:1c:12:xx:xx:30  osuwireless  krce-1-4  Feb  4 10:35:21
9c:1c:12:xx:xx:20  attwifi      krce-1-4  Feb  4 10:35:17
9c:1c:12:xx:xx:20  attwifi      krce-1-4  Feb  4 10:35:16
9c:1c:12:xx:xx:20  attwifi      krce-1-4  Feb  4 10:35:10
Num Mobility Trails:10

I may be way off base here, but this is my understanding after looking into it in my own environment...

If a station associates to an 802.1x SSID but does not complete the EAPOL process within a timeout period (~60 seconds?), the controller deauths the station & logs it in the client's trail-info as an APAE disconnect.

In my environment, I see this sometimes when a client is too far from an AP (walking across campus w/their phone in their pocket), or if a client's driver is quite old.

If I'm completely wrong on this, Aruba folks, correct me and blank my post! :)

Hi,

To confirm APAE Disconnect: Authenticator Port Access Entity Disconnect. It is a Dot1x Event.

Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE, receiving identifying information from the Supplicant. Acting as a RADIUS client, the Authenticator PAE passes the Supplicant’s information to the Authentication Server, which decides whether the Supplicant can gain access to the port. If the Supplicant passes authentication, the Authenticator PAE grants it access to the port.

Please also take note for the event(s) preceding that. In Ryan's original case in this topic, there was an "internal deauth"

 Internal Deauth is silent ageout of station. it removes the entry of the client from the APs tables.

• This means - Without sending Deauth in the air.
• This can happen for multiple reason like Max Tx Fail for one reason.

Thx,

Hi, kc. In this case, however, the Internal Deauth was 35min prior and irrelevant I believe. More interesting is the client had associated to AP 1-4 and then 1-1 in the same second, which I assume was related to the APAE Disconnect.

Hi all,

What is the solution for this?

Just checking.

msaw,

APAE disconnect is not necessarily something that needs a solution.  What do you mean?