Wireless Access

Hello everyone

We have two SSID: Open (Mac Auth) and A new SSID (802.1x) 

I have dorms students complaning the 802.1x SSID is slow. There is quite a difference when testing with speedtest.net.

Open: 60 Mbps

Secure SSID: 6Mbps

I know it is not a reliable speed test etc. Just poiting out the big difference betwee the two SSIDs.

So, I wanted to check transfer rate by sending a 20MB file between two computers over wireless. When i transfer the file connected on the Open SSID i obtain a rate of 49Mbps , while on the 802.1x SSID 2.7Mbps.

Laptop

RSSI -60db

802.11n

Association Rate: 145Mbps

MCS index: 15

Channel 153, 5Ghz Band, 20Mhz

I understand that AES encryption create more overhead, but this is quite a difference. Also, I understand reliable throughput is difficult to estimate. At the moment of the test there were no other clients connected to the AP. So, I have students in the dorm complaning that the Secure SSID is slow.

- I will open a ticket with TAC.

Secure SSID:

show wlan virtual-ap ClearPass_VAP

Virtual AP profile "ClearPass_VAP"
--------------------------------------
Parameter                                       Value
---------                                       -----
AAA Profile                                     ClearPass_AAA
802.11K Profile                                 default
Hotspot 2.0 Profile                             N/A
SSID Profile                                    ClearPass_SSID
Virtual AP enable                               Enabled
VLAN                                               Pool
Forward mode                                    tunnel
Allowed band                                    all
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
Dynamic Multicast Optimization (DMO)               Enabled
Dynamic Multicast Optimization (DMO)               Threshold  6
Drop Broadcast and Unknown Multicast              Enabled
Convert Broadcast ARP requests to unicast         Enabled
Authentication Failure Blacklist Time                     3600 sec
Blacklist Time                                                         3600 sec
Deny inter user traffic                                            Disabled
Deny time range                                 N/A
DoS Prevention                                  Disabled
HA Discovery on-association                     Enabled
Mobile IP                                       Enabled
Preserve Client VLAN                            Disabled
Remote-AP Operation                             standard
Station Blacklisting                            Enabled
Strict Compliance                               Disabled
VLAN Mobility                                   Disabled
FDB Update on Assoc                             Disabled
WMM Traffic Management Profile                  N/A

(CS_Local) #show wlan ssid-profile ClearPass_SSID

SSID Profile "ClearPass_SSID"
-----------------------------
Parameter                                         Value
---------                                         -----
SSID enable                                       Enabled
ESSID                                             ClearPass_Test
Encryption                                        wpa2-aes
Enable Management Frame Protection                Disabled
Require Management Frame Protection               Disabled
DTIM Interval                                     1 beacon periods
802.11a Basic Rates                               6 12 24
802.11a Transmit Rates                            6 9 12 18 24 36 48 54
802.11g Basic Rates                               1 2
802.11g Transmit Rates                            1 2 5 6 9 11 12 18 24 36 48 54
Station Ageout Time                               1000 sec
Max Transmit Attempts                             8
RTS Threshold                                     2333 bytes
Short Preamble                                    Enabled
Max Associations                                  64
Wireless Multimedia (WMM)                         Disabled
Wireless Multimedia U-APSD (WMM-UAPSD) Powersave  Enabled
WMM TSPEC Min Inactivity Interval                 0 msec
Override DSCP mappings for WMM clients            Disabled
DSCP mapping for WMM voice AC                     56
DSCP mapping for WMM video AC                     40
DSCP mapping for WMM best-effort AC               24
DSCP mapping for WMM background AC                8
Multiple Tx Replay Counters                       Disabled
Hide SSID                                         Disabled
Deny_Broadcast Probes                             Disabled
Local Probe Request Threshold (dB)                0
Disable Probe Retry                               Enabled
Battery Boost                                     Disabled
WEP Key 1                                         N/A
WEP Key 2                                         N/A
WEP Key 3                                         N/A
WEP Key 4                                         N/A
WEP Transmit Key Index                            1
WPA Hexkey                                        N/A
WPA Passphrase                                    N/A
Maximum Transmit Failures                         0
EDCA Parameters Station profile                   N/A
EDCA Parameters AP profile                        N/A
BC/MC Rate Optimization                           Disabled
Rate Optimization for delivering EAPOL frames     Enabled
Strict Spectralink Voice Protocol (SVP)           Disabled
High-throughput SSID Profile                      default
802.11g Beacon Rate                               default
802.11a Beacon Rate                               default
Video Multicast Rate Optimization                 default
Advertise QBSS Load IE                            Disabled
Advertise Location Info                           Disabled
Advertise AP Name                                 Disabled
802.11r Profile                                   N/A
Enforce user vlan for open stations               Disabled
Enable OKC                                        Enabled

Any suggestions?

Thank you

Nils.

Agree I will enable it. Have you encourter similar situation? I am going to test from different area on the campus. Packets are taking the same hops. Also, there is no firewalls. One difference is that the Secure network have a single vlan 4,000 addresses while the Open have a single vlan of 1,000 addresses. Clearpass is the authentication server for the Secure and database for mac auth for the open ssid.

Thank you for you time,

Nils.

You should associate a device to that 802.1x SSID and then give us the output of "show ap association client-mac <mac address of that device>"

Here is the output;

(CS_Local) #show ap association client-mac b8:e8:56:10:9c:c2

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client V: 802.11v BSS trans capable

PHY Details: HT   : High throughput;      20: 20MHz;  40: 40MHz
             VHT  : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
             <n>ss: <n> spatial streams

Association Table
-----------------
Name        bssid              mac                auth  assoc  aid  l-int  essid  vlan-id  tunnel-id  phy             assoc. time  num assoc  Flags  Band steer moves (T/S)
----        -----              ---                ----  -----  ---  -----  -----  -------  ---------  ---             -----------  ---------  -----  ----------------------
Commons_52  d8:c7:c8:8d:e0:d1  b8:e8:56:10:9c:c2  y     y      2    10     1NSU   717      0x108ae    a-HT-20sgi-2ss  37m:53s      2          WAB    0/0

b8:e8:56:10:9c:c2-d8:c7:c8:8d:e0:d1 Stats
------------------------------------------
Parameter                            Value
---------                            -----
Channel                              153
Channel Frame Retry Rate(%)          0
Channel Frame Low Speed Rate(%)      0
Channel Frame Non Unicast Rate(%)    0
Channel Frame Fragmentation Rate(%)  0
Channel Frame Error Rate(%)          0
Channel Bandwidth Rate(kbps)         0
Channel Noise                        96
Client Frame Retry Rate(%)           0
Client Frame Low Speed Rate(%)       0
Client Frame Non Unicast Rate(%)     0
Client Frame Fragmentation Rate(%)   0
Client Frame Receive Error Rate(%)   0
Client Bandwidth Rate(kbps)          0            
Client Tx Packets                    315999
Client Rx Packets                    109613
Client Tx Bytes                      68690609
Client Rx Bytes                      95231712
Client SNR                           29
A2c_SM SeqNum, Old SeqNums           134 0

It does not look like an RF issue.  Is the controller the default gateway for clients, or is it a layer 3 switch?

WMM is automatically enabled when 802.11n is turned on regardless of the SSID parameter...

The default gateway is terminated on a Layer 3 Switch. Between the controller and the router we have 2 10Gb ports LAG.

I would move the 802.1x SSID onto the same VLAN as the open SSID or create a new SSID with 802.1x and match the VLAN with the open SSID to see if it makes a difference.

I am suspecting it could be something in the router, But i want to discard wireless controller settings. The Secure SSID DG terminate in a different L3 router than the Open SSID. Also, the Open SSID we provide public addresses and the 802.1x SSID is natted addresses. We provide public  addresses to the Open SSID because is the network student uses for game consoles and streaming devices. In the 802.1x I verified the roles Students and Employees and on Both there is no BW restrictions.

The Dorms building anchor have only a 1Gb port as uplink. However, I checked and it is not overutilized. Also, let me mention we are on summer break and we dont have the full amont of students until fall. However, it is a concern that without too many students on the dorms the 802.1X SSID will be slow.

Thank you

Nils.

Too many variables.  You need to put 802.1x on the open SSID and test.

You are right!! I will try it and report my findings.

So I created an 802.1x SSID for testing

- Regardless of which vlan the wireless connnection is slow. 7Mpbs Avg.

Then I created a Open SSID for testing

- Regardless of which vlan the wireless connection seems to Avg 40 Mbps.

Still quite a differnce between the secure and open ssid.

So then I moved the AP from one building to another controller and experience the same issue.

On Monday i will call support. Any suggestions?

Thank you

Nils.

Yes.  Call support.

You said that the controllers are not the gateway, and you suspecting a router might be causing the issue. You could test that by placing two PC's on the switch in the same vlan as the wireless users use and try your tests again. This would bypass the wireless but still use the same infrastructure path up to but before the controllers. Just a thought.

I found the problem to be not the wireless controllers but a tipping point box between the AP and controller was doing a L3 scanning causing slowness on the encrypted SSID. In case someone else run into a similar issue. 

Thank you

Nils. 

I found the problem to be not the wireless controllers but a tipping point box between the AP and controller was doing a L3 scanning causing slowness on the encrypted SSID. In case someone else run into a similar issue. 

Thank you

Nils. 

Yes my next step will be to create a new 802.1X ssid with the same vlan of  the OPEN SSID and test.