Frequent Contributor II
Posts: 106
Registered: ‎10-20-2011

Switching APs and dropping 802.1x

Okay, I have an issue where I'm in a room with two APs and a client which will switch APs and ask the user to authenticate again. I'm on a MacBook Air 2012 model with 10.8.x on it.

 

I've seen this issue when I roam around from room to room with the notebook open: it will ask me for my credentials again when I get to the new AP. I simply cancel and then go choose the network again.

 

How can I get a client to stick to one of the 2 APs in the room instead of hopping between the two?

 

Is this what "client match" will help with?

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Switching APs and dropping 802.1x

ClientMatch will not necessarily help to resolve this issue. When the user moves from one AP to another, the user is forced to reauthenticate. The purpose of ClientMatch is to help solve the sticky client problem. Traditionally, user devices decided when to hand off to another AP based on factors such as signal strength. ClientMatch allows the APs to decide when to hand off a device to another AP, removing the sticky client effect.

 

I know this doesn't solve your problem, but it will at least save you the trouble of upgrading to early release code and still having the same problem.

 

I'm curious, how big is the room that 2 APs are located in? Is the room device dense? Typically, positioning 2 APs in the same room causes interference and channel conflicts; although ARM will make adjustments, it still isn't considered best practice.

 

Thanks and good luck!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Frequent Contributor II
Posts: 106
Registered: ‎10-20-2011

Re: Switching APs and dropping 802.1x

Hi,

 

Thank you very much for the response.  

 

The room is a Media Center in our High School, so it has the potential to be dense for sure. It isn't the biggest room. I have two AP-105s in the room right now. If I wanted to deal with the density issue, should I upgrade to a better AP? Maybe an 802.11ac AP?

 

 

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Switching APs and dropping 802.1x

What controller model are you using in your environment? Are the APs that the device is roaming from and to in the same AP group?

 

Another thing to check: Authentication -> L2 Authentication -> 802.1x Authentication Profile -> "The users dot1x profile". Is "reauthentication" checked?


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Frequent Contributor II
Posts: 106
Registered: ‎10-20-2011

Re: Switching APs and dropping 802.1x

Yes, they are in the same AP group, and no, reauthentication is not checked. Should it be?

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Switching APs and dropping 802.1x

No, you don't want it checked. So does this only happen when moving from specific rooms, or does it happen throughout the whole network?


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 384
Registered: ‎05-09-2013

Re: Switching APs and dropping 802.1x

You may want to open up a case with Aruba TAC and have them do a web session with you.

 

Aruba TAC: 1-800-WiFi-LAN (1-800-943-4526)


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Frequent Contributor II
Posts: 106
Registered: ‎10-20-2011

Re: Switching APs and dropping 802.1x

So this isn't something that you think should be happening? Oh, and we are using a 3600 controller.

MVP
Posts: 384
Registered: ‎05-09-2013

Re: Switching APs and dropping 802.1x

A user should only have to authenticate once. Something isn't carrying over from AP to AP when a device re-associates.

 

Did you ever think about using MAC authentication as well as 802.1x authentication? I'm not sure if that would fix the issue, but MAC authentication won't prompt a user; it will verify the MAC address is "known".

 

I would recommend contacting TAC, especially if this has become an inconvenience. They should be able to troubleshoot more efficiently.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com