Wireless Access

Hi all, so we were doing some testing with AirGroup, earlier in the summer, and we just recently noticed that our Radius server is getting close to 180 Access-Requests per second (which seems like a lot to me) from the AirGroup Domain VRRP IPs. We have a 3200XM (master), and three 3600 controllers, WC-1, 2, and 3. 1 and 3 are one IP, and 2 and 3 are the other IP.

Can someone help explain why we're getting all these? Clearly we don't really understand AirGroup well enough to advertise it's availability to our campus body, but we'd like to get a better handle on it and test a little more.

Do you have "AirGroup CPPM enforce registration" On?  If not, you should not see any airgroup traffic.

---

@cappalli wrote:
Are they hitting the AirGroup authorization service?

---

Sorry, where would I check that?

edit: quick check on Airheads only shows the Authorization Service in conjunction with CPPM which we don't have. Is there another place to check that, or is that solely tied to CPPM?

---

@cjoseph wrote:

Do you have "AirGroup CPPM enforce registration" On?  If not, you should not see any airgroup traffic.

---

No, it's set to Disabled.

I guess I should mention that we're running 6.3.1.0 and we don't have ClearPass. We were just testing out AirGroup to see it in action so to speak.

We have 3 7200s and 3 3200s and have just over 200 auths/sec hitting our radius server during peak hours.

We felt that this was excessive as well; so much so that we have a case open with Aruba and started a separate thread here as well.

See http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089,

While we are "learning" about the problems with Apple devices reauthenticating excessively, we are trying to make sure we have no other authentication issues. It is very interesting to hear from others what the load is on their radius servers.

Thanks, Fred

Fred@florida, your link has an extra comma for some reason.   The thread is here:  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089

"show auth-tracebuf mac" should show the flow of the radius packets and give an idea what is happening.

The poster in this current thread did not turn on enforcement, so we have to find out why it is hitting his NPS server.

---

@cjoseph wrote:

Fred@florida, your link has an extra comma for some reason.   The thread is here:  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089

 

"show auth-tracebuf mac" should show the flow of the radius packets and give an idea what is happening.

 

The poster in this current thread did not turn on enforcement, so we have to find out why it is hitting his NPS server.

---

I'm going to review the AirGroup Deployment Guide for 6.1.3.6 (probably similar to 6.3.1.0, right?) I'm sure we've misconfigured something, but I'll see if I can figure out what. To confirm, AirGroup CPPM enforce registration is only applicable if we have ClearPass, correct? Therefore having that set to Disabled is the correct setting in our situation, right?

I may have fixed the issue...looks like in Configuration > Advanced Services > AirGroup > AirGroup CPPM server aaa, we had our NPS server selected in the Server Group field. After changing that from CUI_srvgrp_NPS to N/A, it looks like NPS has stopped getting getting those invalid RADIUS hits. 

So I guess, even though AirGroup CPPM enforce registration was disabled, because NPS was specified, AirGroup requests were getting sent there anyways?

(Picture shows N/A now selected, with the server group previously selected highlighted.)