Wireless Access

Reply
Contributor I

AirGroup Flooding Radius

Hi all, so we were doing some testing with AirGroup, earlier in the summer, and we just recently noticed that our Radius server is getting close to 180 Access-Requests per second (which seems like a lot to me) from the AirGroup Domain VRRP IPs. We have a 3200XM (master), and three 3600 controllers, WC-1, 2, and 3. 1 and 3 are one IP, and 2 and 3 are the other IP.

 

Can someone help explain why we're getting all these? Clearly we don't really understand AirGroup well enough to advertise it's availability to our campus body, but we'd like to get a better handle on it and test a little more.

Guru Elite

Re: AirGroup Flooding Radius

Do you have "AirGroup CPPM enforce registration" On?  If not, you should not see any airgroup traffic.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite

Re: AirGroup Flooding Radius

Are they hitting the AirGroup authorization service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: AirGroup Flooding Radius


cjoseph wrote:

Do you have "AirGroup CPPM enforce registration" On?  If not, you should not see any airgroup traffic.



No, it's set to Disabled.

 

I guess I should mention that we're running 6.3.1.0 and we don't have ClearPass. We were just testing out AirGroup to see it in action so to speak.

Contributor I

Re: AirGroup Flooding Radius


cappalli wrote:
Are they hitting the AirGroup authorization service?


Sorry, where would I check that?

 

edit: quick check on Airheads only shows the Authorization Service in conjunction with CPPM which we don't have. Is there another place to check that, or is that solely tied to CPPM?

Guru Elite

Re: AirGroup Flooding Radius

Configuration > AirGroup, then enforce registration checkbox at the top.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: AirGroup Flooding Radius

We have 3 7200s and 3 3200s and have just over 200 auths/sec hitting our radius server during peak hours.

We felt that this was excessive as well; so much so that we have a case open with Aruba and started a separate thread here as well.

See http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089,

 

While we are "learning" about the problems with Apple devices reauthenticating excessively, we are trying to make sure we have no other authentication issues. It is very interesting to hear from others what the load is on their radius servers.

Thanks, Fred

Guru Elite

Re: AirGroup Flooding Radius

Fred@florida, your link has an extra comma for some reason.   The thread is here:  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089

 

"show auth-tracebuf mac" should show the flow of the radius packets and give an idea what is happening.

 

The poster in this current thread did not turn on enforcement, so we have to find out why it is hitting his NPS server.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: AirGroup Flooding Radius


cjoseph wrote:

Fred@florida, your link has an extra comma for some reason.   The thread is here:  http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Excessive-reauthentication-from-many-connected-clients/td-p/122089

 

"show auth-tracebuf mac" should show the flow of the radius packets and give an idea what is happening.

 

The poster in this current thread did not turn on enforcement, so we have to find out why it is hitting his NPS server.


I'm going to review the AirGroup Deployment Guide for 6.1.3.6 (probably similar to 6.3.1.0, right?) I'm sure we've misconfigured something, but I'll see if I can figure out what. To confirm, AirGroup CPPM enforce registration is only applicable if we have ClearPass, correct? Therefore having that set to Disabled is the correct setting in our situation, right?

Contributor I

Re: AirGroup Flooding Radius

I may have fixed the issue...looks like in Configuration > Advanced Services > AirGroup > AirGroup CPPM server aaa, we had our NPS server selected in the Server Group field. After changing that from CUI_srvgrp_NPS to N/A, it looks like NPS has stopped getting getting those invalid RADIUS hits. 

So I guess, even though AirGroup CPPM enforce registration was disabled, because NPS was specified, AirGroup requests were getting sent there anyways?

 

(Picture shows N/A now selected, with the server group previously selected highlighted.)

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: