Wireless and RF

Reply
Frequent Contributor I

802.1x issue with MacOS

We have seen some MacOS 10.5+ machines having issues getting disconnected from the network or being really slow. User description of the problem is below. Radius server logs show frequent acc start and stops within a short time period. All of the stops had an Acct-Terminate-Cause = 28, which is not on the standard list of terminate causes. Is this Aruba specific maybe?
I have enabled PMKID just today after reading up on a thread here (just in case this was the issue).
----
user description of problem:
"cycles and then reconnects": I will be surfing just fine and then will try and load a webpage and it seems slow so I glance at the wireless signal indicator and will have an exclamation mark for maybe another second then reconnect to the network."
-----
BTW, this user signal level is very good, 40+ SNR. I have seen the same issue with other users, but all Macs.

Thanks!

Marcelo
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Guru Elite

MAC Client Nuances

If you haven't already looked at the MAC client nuances article here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=914 please do. If you have, what version of code is this and specifically what type of encryption do you have in place?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: 802.1x issue with MacOS

I have looked at this article before. very good info.
We are running 3.3.3.1 with AP-125s.
wpa-tkip and wpa2-aes
PEAP and TTLS.
Our DHCP guy sent me this info from his logs:

4:21, client requests IP 192.168.0.95 (probably an IP on a home
network, which the client last used). Lease 56.98 offered, but not
accepted by the client. Within a second, we get another request for a
lease, and the client accepts the
lease.

4:29, Two lease requests come in, both accepted by the client, and
granted by the DHCP server.

4:35, two lease requests come in, both accepted / granted.

4:58, Lease renewed.

5:19, Lease requested, accepted, and granted.

5:49, Lease requested, accepted, and granted.

There are a couple more renews, heading into 7:00 PM.
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Frequent Contributor I

Re: 802.1x issue with MacOS

I have also put one of the users with issues in debug mode see if I can get some more info on the frequent authentication start and stops.
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Guru Elite

show auth-tracebuf

mlew2433,

"Validate PMKID" is pretty much essential in MAC-world, because they don't support OKC.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: 802.1x issue with MacOS

We experienced the same issues with Mac's and seemed to have fixed the isssue by enabling "Allow Weak Encryption" in the High-Throughput SSID Profile setting within the Virtual AP.
Guru Elite

Allow Weak Encryption

You are correct. "Allow Weak Encryption" is supposed to allow users who are connected to an HT or 802.11n SSID when not using Open or AES to still connect, but at 54 megs. By default, the standard should NOT allow any users that are not using Open or AES as ciphers to connect. If you are using WPA-TKIP and attempting to connect to an 802.11n SSID for example, the controller will deny you access, entirely.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor

Re: 802.1x issue with MacOS

we have the same issue also. we have a large Campus where a lot of Apple devices get disconnected from the wireless from time to time. I will say 3 to 4 times a day or more.

I have tried all the steps recommended in MAC client nuances but still having issues with Android telphones, IPad, IPhones..
the only thing I did not try is:
We are runing a mixed encryption WPA Tkip, Aes and WPA2 Tkip, AES and I will make it as only WPA2 Aes
Guru Elite

Re: 802.1x issue with MacOS

The big question is do these disconnect happen to all devices or only apple devices? Since your problem is very broad, we cannot propose a solution based on the limited information here. If your problem is that widespread, you should open a case so that data can be collected and your problem diagnosed.

Besides that, in general some clients do not like to see multiple encryption types presented in an SSID, so you should work to standardizing an encryption type as soon as you can. If you have airwave deployed, the nightly summary will tell you how many clients are using the types of encryption you are using, so that you will be better advised which ones you can turn off. In addition, are you doing Broadcast Filtering on that Virtual AP? Apple clients are very chatty due to protocols like Bonjour and that chattiness effectively reduces the available unicast traffic, which could lead to disconnects due to collisions. Go into the Virtual AP of that wireless network and Turn on "Drop Broadcast and Multicast" and "Convert Broadcast ARP requests to Unicast".

Besides that, the "Nuances" post should give you the majority of what you need.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

obi
Contributor II

Re: 802.1x issue with MacOS

How would dropping broadcast affect these protocols and specially DHCP?
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: