Wireless Access

Hello,

 

I've been working on a client disconnect issue with Aruba TAC for a few weeks now. I notified them of some findings i found today while looking at our DHCP server which is Infoblox.

 

While troubleshooting with a client as this user roamed around a hospital wing I noticed his device was sending DHCPREQUEST and DHCPACK's between the DHCP server. I compared it to another user who was stationary and connected to 1 access point. I then had a 3rd user try the same thing and noticed a similar pattern. As he roamed around it seemed like his machine was constantly sending DHCPREQUEST and DHCPACKs

 

Is this a normal pattern for Wireless roaming. These users are reamaining within the same SSID,Subnet and Wireless controller. I assumed that once the Device received it's DHCP address it would keep the address as long as it was staying connected and would only ask for an IP when the client came back online and sends a DHCPDISCOVER.

- What kind of device is this?

- Are you using encryption?

 

Colin,

 

These are all Windows 7 devices connecting using WPA2 Enterprise with Mac Authentication.

It seems like mac authentication is occurring every time it roams.  Did you try it without mac authentication?

Colin,

 

I haven't tried it with MAC authentication. Do you think that is normal operation for Mac Authentication in regards to roaming? We are doing Mac authentication with a Cisco ACS server. I may take a look at those logs and see if i'm seeing the same amount of Mac Authentication.

 

I would think that once authenticaed on to the wireless network and put into the proper role that Mac Authentication is done at this point. Does it re-authenticate evertime it roams?

 

We have had Mac authentication with Aruba and ACS as the Authentication server for many years now. 

It depends.  Does the mac authentication return a VLAN, role or a Role with a VLAN?

 

The Mac Auth Returns a Role. 

If a device does not support opportunistic key caching, it does a full authentication on each roam.

Colin,

 

Thanks I spent this morning reading up a little bit on PMK and OKC. what commands can I use to view logs on a station and see if it's infact doing a full 802.1x as it roams between access points? I'm assuming Windows 7 supports OKC but the question i need to find out is if it's enabled on the client side. I checked my controller and it's enabled by default.

That would be "show auth-tracebuf".  http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-do-the-different-numbers-mean-in-the-show-auth-tracebuf/ta-p/177860

 

The other thing is if the role that you return to the device has a VLAN assigned that could force a link up/down event for that device, so a DHCP renewal would be expected.

 

My last piece of advice is to return the the Aruba-User-Vlan attribute via radius instead of sending back a role that has a vlan assigned.

 

 

Colin,

 

Thanks for this info i'll take a look and do some more research. I checked again and it looks like the Role does not return back a vlan. The VLAN's the users are assigned to are the VLAN's we have assigned to that particular SSID. 

 

I know there are other SSID's that we do have a VLAN assigned by the Role but not for this particular SSID which seems to be where the issue is. This SSID happens to be our main production issue doing 802.1x with a Windows 7 deployment.

 

I hope this makes sense.

 

Thanks for your help

Well,

If the auth-tracebuf for that client shows the four way handshake, that means it is doing a full reauth and does not support OKC.

An Aruba Whitepaper about OKC is here:  http://community.arubanetworks.com/aruba/attachments/aruba/115/1097/1/Aruba+OKC+Implementation.pdf