Aruba Employee
Posts: 3
Registered: ‎07-01-2014

Full 802.1x authentication while clients roam from AP to AP

Hey guys,

 

I have a customer that has been experiencing issues with their RADIUS servers. After digging a little into the server logs, we see a lot of authentications during the day and not only at peaks. After testing, we saw that we have a lot of devices hopping from AP to AP (this is a somewhat AP-dense deployment), and we see that almost every time a client hops from AP to AP, a full 802.1x authentication to the RADIUS servers happens.

We don't have Termination enabled, and we aren't sure if we want to enable it before we measure the impact of doing it. We will tune the network in terms of data rates so we can stop non-moving devices from hopping between APs, but basically we will still have roaming devices, and it would be great if those devices didn't have to reauthenticate while they move.

Guru Elite
Posts: 21,018
Registered: ‎03-29-2007

Re: Full 802.1x authentication while clients roam from AP to AP

In the 802.1x profile, you need to make sure OKC (opportunistic key caching) is enabled to prevent the full reauth. This will only help non-Apple products.

On your other issue with frequent reauthentication, it typically happens when the power on the access points is too high and the clients jump from AP to AP, even when they are not moving. Type "show ap arm state ap-name <name of ap>" and see how many access points a single access point can see. In an ideal world, you don't want any access point seeing other access points on the same channel at 20 SNR or stronger. In the real world, this will happen on 2.4 GHz in a dense deployment due to the lack of channels, but you can lower the power to minimize it.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Full 802.1x authentication while clients roam from AP to AP

What type of devices are these?

What type of APs are you using?

Do you have "validate pmkid" for Apple devices and "OKC" enabled?

What EIRP levels do you currently have set under ARM?

Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba Employee
Posts: 3
Registered: ‎07-01-2014

Re: Full 802.1x authentication while clients roam from AP to AP

Hi,

OKC is enabled, but the clients we tested were iOS devices. All the installed base are AP-225s.

Can we have PMKID enabled while OKC is enabled? I thought we must choose one or the other.

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Full 802.1x authentication while clients roam from AP to AP

You can enable both.

Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
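
An added example, not part of the thread and not Aruba's code: a small Python model of why OKC removes the RADIUS round trip only when both the client and the controller use it, while a client that reuses a key only on an AP it has already authenticated to still triggers a full 802.1X exchange on every new AP. It uses the standard IEEE 802.11 PMKID derivation; the `count_full_auths` helper, the MAC addresses, the roam path and the stand-in PMKs are assumptions constructed for illustration.

```python
import hashlib
import hmac

def mac(addr):
    return bytes.fromhex(addr.replace(":", ""))

def pmkid(pmk, bssid, client):
    # IEEE 802.11: PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)
    return hmac.new(pmk, b"PMK Name" + mac(bssid) + mac(client), hashlib.sha1).digest()[:16]

def count_full_auths(path, client, client_okc, controller_okc):
    """Walk `client` along `path` (BSSIDs in roam order); return how many
    associations needed a full 802.1X exchange with the RADIUS server."""
    client_cache = {}      # BSSID -> PMK the client holds for that AP
    controller_cache = {}  # BSSID -> PMK the controller holds for this client
    last_pmk = None
    full_auths = 0
    for bssid in path:
        # Client side: reuse a key cached for this exact AP; an OKC client
        # otherwise offers its latest PMK, re-bound to the new BSSID.
        key = client_cache.get(bssid) or (last_pmk if client_okc else None)
        offered = pmkid(key, bssid, client) if key else None
        # Controller side: without OKC only the key cached for this BSSID is
        # tried; with OKC any PMK already held for the client is tried.
        if controller_okc:
            candidates = list(controller_cache.values())
        else:
            candidates = [controller_cache[bssid]] if bssid in controller_cache else []
        hit = offered is not None and any(
            hmac.compare_digest(offered, pmkid(k, bssid, client)) for k in candidates)
        if not hit:
            # Full EAP exchange; constructed stand-in for the PMK it would yield.
            full_auths += 1
            key = hashlib.sha256(f"{client}/{full_auths}".encode()).digest()
        last_pmk = client_cache[bssid] = controller_cache[bssid] = key
    return full_auths

# Constructed sample: one client roaming across three APs and back.
CLIENT = "02:00:00:00:00:aa"
PATH = ["02:00:00:00:01:01", "02:00:00:00:01:02", "02:00:00:00:01:03",
        "02:00:00:00:01:01", "02:00:00:00:01:02"]

if __name__ == "__main__":
    for c_okc in (True, False):
        for w_okc in (True, False):
            n = count_full_auths(PATH, CLIENT, c_okc, w_okc)
            print(f"client OKC={c_okc!s:5} controller OKC={w_okc!s:5} full auths={n}")
```

In this model only the row with OKC on both sides drops to a single full authentication; the other three still authenticate once per distinct AP and reuse the cached key only on return visits.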