Wireless Access

Reply
Contributor II
Posts: 48
Registered: ‎12-17-2012

RADIUS timeouts and rejects using 802.1x and mobile devices

Hello,

 

I am running ArubaOS 6.4.2.12 on a 7210 series controller and also use ClearPass 6.5.4

 

I have a SSID with 802.1x enabled so that people can use their Active Directory credentials to connect to the network. Most people are using Apple iOS based devices or Windows Phones.

 

There are quite a few users that have reported that they are losing Wifi connectivity throughout the day and after a few minutes its back up again.

 

What I see in ClearPass for iOS devices is that sometimes the authentication requests are being rejected. For Windows Phones I do see a lot of timeout messages in ClearPass (see attached screenshots).

 

From the ClearPass logs I see that the rejected RADIUS request from an iOS device is being classified into the default role instead of the correct one. Requests from Windows Phones sometimes run into a timeout for whatever reason.

 

Are there any timers that should be adjusted? Reauthentication intervals and such... I have left those on their default values so far.

 

Thanks for your help!

 

cheers,

Harald

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: RADIUS timeouts and rejects using 802.1x and mobile devices

Do you have enable cache roles under the Enforcement Policy ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 48
Registered: ‎12-17-2012

Re: RADIUS timeouts and rejects using 802.1x and mobile devices

Victor,

 

no, that option was not enabled until now.

 

I have checked the last 15 minutes or so and so far its looking better. I still see the occasional REJECT but not so many as before.

 

Thanks for the hint. I will keep an eye on this!

 

cheers,

Harald

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: RADIUS timeouts and rejects using 802.1x and mobile devices

Essentially what that does is prevent ClearPass from reaching AD every time a user successfully authenticates so it caches the user information for certain amount time and it doesn't overwhelm your AD server with every RADIUS request.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: RADIUS timeouts and rejects using 802.1x and mobile devices

What is your average end to end processing time?
What EAP method are you using?
Are you terminating on the controller or ClearPass?
How dense is your deployment?
Are you using custom radio configurations or defaults?
Is your active directory infrastructure sized correctly?


Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: