10-16-2013 07:31 AM
We have 802.1X authentication enabled with Opportunistic Key Caching turned on. We are experiencing issues with devices being dropped from the secure network. All APs are on the same controller and in the same AP group. The client VLAN and client IPs are not changing. Does anyone have any suggestions?
10-16-2013 07:39 AM
Any commonalities/trends in terms of devices that you can see?
E.g. same make, same model, same OS, same supplicant, etc., or is it appearing 'randomly'?
10-16-2013 07:44 AM
Debug a client MAC address and check where it fails.
(config)#logging level debugging user
(config)#logging level debugging user-debug <device mac-address>
Check the output of:
show log user | include <mac-addr of client>
show log user-debug | include <mac-addr of client>
show auth-tracebuf mac <mac-address of client being debugged>
What are the types of clients?
Do the clients move while getting dropped?
Code version on the controller?
Is the client able to get back its connectivity after getting dropped?
10-16-2013 09:40 AM
Without knowing anything about your setup.
If most are Apple iOS users, OKC will be a nightmare for you. I had a similar problem which was resolved by:
Disabling OKC and enabling Validate PMKID instead. (AAA profile - advanced)
Enabling station handoff assist as well as setting the local probe threshold to a value which made sense.
Again, this all depends on the client environment.
ACDX #420 | ACMP
10-16-2013 02:26 PM
Key is definitely understanding the client population and the proportion that have the issue vs. the 'herd'. Then slicing into the details as to what is common with that segment of the populace. Lather, rinse, repeat.
10-18-2013 04:34 AM
I had the same issue running code before 220.127.116.11. After updating to this patch, the issue has gone. Now I'm on 18.104.22.168 and have no issue anymore.
Which version are you on?