Wireless Access

Reply
Regular Contributor II
Posts: 205
Registered: ‎09-28-2010

Unauthenticated clients - cause problems?

 

We're running 2 separate wireless networks (internal using PEAP and an open, external using captive portal). 

 

Could there be any issues with having a large amount of users/devices connecting to the open network and not actually authenticating?  If so, what number would be considered large?

 

For example:  site has 2 APs and shows 15 connected users.  Looking at the clients we'll see 3 or 4 actually authenticated (to either network) and the rest are just connected to the open network - these are mostly iPhones, iPods, or other smartphone/tablets.

 

We're currently getting a lot of "slow wireless network" calls, but we aren't able to actually find any problems, so I'm running out of things to look at.  Somebody asked if these clients could be bringing down the network even though they aren't actually passing traffic, and I don't know the answer.....

 

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Unauthenticated clients - cause problems?


COLE1 wrote:

 

We're running 2 separate wireless networks (internal using PEAP and an open, external using captive portal). 

 

Could there be any issues with having a large amount of users/devices connecting to the open network and not actually authenticating?  If so, what number would be considered large?

 

For example:  site has 2 APs and shows 15 connected users.  Looking at the clients we'll see 3 or 4 actually authenticated (to either network) and the rest are just connected to the open network - these are mostly iPhones, iPods, or other smartphone/tablets.

 

We're currently getting a lot of "slow wireless network" calls, but we aren't able to actually find any problems, so I'm running out of things to look at.  Somebody asked if these clients could be bringing down the network even though they aren't actually passing traffic, and I don't know the answer.....

 

 


The general answer is "it depends".  

 

(1) They could associate from far away, so that they force all connected clients to communicate slower due to their low association rate.  

(2) They could also consume precious ip address space that you need and force you to reduce your DHCP leases to 15 minutes so that your address space is not depleted.  

(3) Last but not least, they can also send broadcast and multicast traffic that takes airtime from every device on the same band on that access point.

 

To deal with #1, you could change the local-probe-response-threshold parameter under Advanced in the SSID profile of that WLAN to something like 20 or 25 so that far away devices cannot associate:

local2

 

The solution for #1 also deals with #2 in a way, but you can lower your DHCP lease time to augment that

 

The solution for #3 can be accomplished by dropping broadcasts and multicasts in the Virtual AP profile:

drop2



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II
Posts: 205
Registered: ‎09-28-2010

Re: Unauthenticated clients - cause problems?

 

Thank you.

 

1)  Is that to say that a further away/slower connected PC will affect the others?  Does the connection drop down to the lowest common denominator, or just slower in general?

 

a) is the 20-25dB threshold number the same as the SNR?  When working on this last year I recommended that we aim for a SNR of 25dB.

 

b)  I'm all for enforcing some sort of threshold, but I'm assuming this may result in a reduced coverage in certain environments?   As management waffles between wireless as a luxury (best effort for coverage) and mandatory infrastructure, I'll need to time my responses to ensure I am able to secure the equipment to support these higher quality connections.  *note: this week it IS important!

 

 

2)  I don't think we've run into issues with DHCP leases at this time.  We reduced leases to 8 hours on the open network and have approx 200 addresses available.

 

3)  Would dropping broadcast and multicast traffic have any negative effects on the end user experience?

 

 

So even though the users are sitting in the "OPEN_SSID-guest-logon" role, they could still be consuming bandwidth and possibly passing traffic?  Furthermore, if they are further away and connected at slower speeds they could be slowing down connections for users that are actually using the network?

 

Because it is an open and broadcasted network, I'm assuming there is no way to prevent these automatic connections (besides the fact that we made it open and broadcasting so that users would find it easy to connect!), or force them to disconnect after certain amount of inactivity?   We currently have the disconnect set for 30 minutes, but we consistently see reported connections, only to click on them and find them reported as "inactive."

 

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Unauthenticated clients - cause problems?


COLE1 wrote:

 

Thank you.

 

1)  Is that to say that a further away/slower connected PC will affect the others?  Does the connection drop down to the lowest common denominator, or just slower in general?

 

<CJOSEPH> -  Clients that are further away take longer to transmit data, and faster clients will have to wait on them to send data, which will hurt throughput.  Clients that are further away are also more likely to retransmit, hurting performance even more.

 

a) is the 20-25dB threshold number the same as the SNR?  When working on this last year I recommended that we aim for a SNR of 25dB.

 

<CJOSEPH> That is SNR.  Try at 20 and increase based on feedback.

 

b)  I'm all for enforcing some sort of threshold, but I'm assuming this may result in a reduced coverage in certain environments?   As management waffles between wireless as a luxury (best effort for coverage) and mandatory infrastructure, I'll need to time my responses to ensure I am able to secure the equipment to support these higher quality connections.  *note: this week it IS important!

 

<CJOSEPH> - This will decrease coverage in certain environments, but it is applied per SSID so that you can have regular coverage for enterprise clients on that SSID, but best-effort coverage for clients on the guest SSID.  In areas with better coverage, it has the side effect of having clients make better decisions about roaming, as well.

 

 

2)  I don't think we've run into issues with DHCP leases at this time.  We reduced leases to 8 hours on the open network and have approx 200 addresses available.

 

3)  Would dropping broadcast and multicast traffic have any negative effects on the end user experience?

 

 <CJOSEPH> - The vast majority of traffic is unicast and most broadcast traffic is useless and can be discarded.  "Useful" traffic like ARP and DHCP are always allowed, however.

 

So even though the users are sitting in the "OPEN_SSID-guest-logon" role, they could still be consuming bandwidth and possibly passing traffic?  Furthermore, if they are further away and connected at slower speeds they could be slowing down connections for users that are actually using the network?

 

<CJOSEPH> - Correct.  The extent of the degradation depends on your specific network, and the clients, however.  Every probe request or any routine data that is sent by those clients, and all other clients on the same channel (not just same access point) cannot transmit at the same time.

 

Because it is an open and broadcasted network, I'm assuming there is no way to prevent these automatic connections (besides the fact that we made it open and broadcasting so that users would find it easy to connect!), or force them to disconnect after certain amount of inactivity?   We currently have the disconnect set for 30 minutes, but we consistently see reported connections, only to click on them and find them reported as "inactive."

 

<CJOSEPH> - Unless you make it a WPA preshared key network, many clients will simply associate to the strongest open network.  Even if you disconnect them, they will just come right back if they are in the area.  With all that being said, it would still be interesting to hear from users who have to deal with this and what they are doing.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 72
Registered: ‎09-19-2011

Re: Unauthenticated clients - cause problems?

HI ,

       For the Guest -SSID u can add the Encryption key so that who ever knows that key they only can connect .In this case the Authentication remains OPEN but encryption is ON .....i dont know whether its a suitable solution but u can try it ...:)

New Contributor
Posts: 2
Registered: ‎03-29-2011

Re: Unauthenticated clients - cause problems?

I am having the same problem. I have several locations with APs at Airports that when people walk by our location they grab an IP address. This is causing us problems with the 500 IP address pool that we have setup for guest access in the Aruba Controller. I currently have my DHCP lease time to 30 min, but I still have more SmartPhone and Tablets connecting than I have IP addresses that Aruba Controller can issue.

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Unauthenticated clients - cause problems?


alazalde wrote:

I am having the same problem. I have several locations with APs at Airports that when people walk by our location they grab an IP address. This is causing us problems with the 500 IP address pool that we have setup for guest access in the Aruba Controller. I currently have my DHCP lease time to 30 min, but I still have more SmartPhone and Tablets connecting than I have IP addresses that Aruba Controller can issue.


Alazalde,

 

What do you do to deal with it?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 2
Registered: ‎03-29-2011

Re: Unauthenticated clients - cause problems?

I currently do not have a solution. If guest start to complain to our managers I login to the controller and clear the dhcp binding to disconnect devices that are no longer in the are.  I rearly do that and just explain to the managers that we have a limited number of connections for the time been. Does anyone have any Ideas?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Unauthenticated clients - cause problems?

Shorter leases, maybe?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 1
Registered: ‎02-20-2012

Re: Unauthenticated clients - cause problems?

It seems like there is a lot of guessing on this post.  Anybody consider hooking up a sniffer to actually tell how much (and what kind) of traffic is actually being passed?

Search Airheads
Showing results for 
Search instead for 
Did you mean: