Cloud Managed Networks

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------

Hi Johan,

Maybe its an idea to check the wlan profile and look for any differents. Are all locations connect to the same RADIUS server? The RADIUS server certificate thats provide by the RADIUS server  to the clients must be the same on all location. If the certificatie is different your have to "forget" the network first as you mentioned.

Example...

netsh wlan show profiles name="HomeLAB-Corp"
 
Profile HomeLAB-Corp on interface Wi-Fi 6:
=======================================================================

Applied: All User Profile

Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : HomeLAB-Corp
Control options :
Connection mode : Connect manually
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled

Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "HomeLAB-Corp"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present

Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Authentication : WPA2-Enterprise
Cipher : GCMP
FIPS mode : Disabled
Security key : Absent
802.1X : Enabled
EAP type : Microsoft: Smart Card or other certificate
802.1X auth credential : User credential
Credentials configured : No
Cache user information : Yes

Cost settings
-------------
Cost : Unrestricted
Congested : No
Approaching Data Limit : No
Over Data Limit : No
Roaming : No
Cost Source : Default

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opionions are my own
------------------------------

Original Message:
Sent: Apr 21, 2021 08:25 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------

Hi,

The clients are all connecting to the same Clearpass server in a shared datacenter.

The certificate is a DigiCert certificate (clearpass.<domain.name>) that is valid until June next year.

------------------------------
Johan
------------------------------

Original Message:
Sent: Apr 21, 2021 02:55 PM
From: marcel koedijk
Subject: Clients not auto connecting to SSID when switching location

Hi Johan,

Maybe its an idea to check the wlan profile and look for any differents. Are all locations connect to the same RADIUS server? The RADIUS server certificate thats provide by the RADIUS server  to the clients must be the same on all location. If the certificatie is different your have to "forget" the network first as you mentioned.

Example...

netsh wlan show profiles name="HomeLAB-Corp"
 
Profile HomeLAB-Corp on interface Wi-Fi 6:
=======================================================================

Applied: All User Profile

Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : HomeLAB-Corp
Control options :
Connection mode : Connect manually
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Do not switch to other networks
MAC Randomization : Disabled

Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "HomeLAB-Corp"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present

Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Authentication : WPA2-Enterprise
Cipher : GCMP
FIPS mode : Disabled
Security key : Absent
802.1X : Enabled
EAP type : Microsoft: Smart Card or other certificate
802.1X auth credential : User credential
Credentials configured : No
Cache user information : Yes

Cost settings
-------------
Cost : Unrestricted
Congested : No
Approaching Data Limit : No
Over Data Limit : No
Roaming : No
Cost Source : Default

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opionions are my own

Original Message:
Sent: Apr 21, 2021 08:25 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------

What is your RADIUS Server, and what RADIUS certificate does it have?
How are the clients configured for the trusted RADIUS server and Root CA?

If you have different RADIUS server certificates at each site, and not configured the client to trust all of them, you may see this behavior.
My recommendation would be to have the same RADIUS certificate on each of your RADIUS servers and to properly configure your client supplicant to only trust your own RADIUS server name and root CA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Apr 21, 2021 08:25 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------

Hi,

The clients are all connecting to the same Clearpass server in a shared datacenter.

The certificate is a DigiCert certificate (clearpass.<domain.name>) that is valid until June next year.

------------------------------
Johan
------------------------------

Original Message:
Sent: Apr 26, 2021 07:51 AM
From: Herman Robers
Subject: Clients not auto connecting to SSID when switching location

What is your RADIUS Server, and what RADIUS certificate does it have?
How are the clients configured for the trusted RADIUS server and Root CA?

If you have different RADIUS server certificates at each site, and not configured the client to trust all of them, you may see this behavior.
My recommendation would be to have the same RADIUS certificate on each of your RADIUS servers and to properly configure your client supplicant to only trust your own RADIUS server name and root CA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Apr 21, 2021 08:25 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------

Please note that using a public certificate for EAP server (ClearPass) is not recommended, use a private certificate instead.

If the behaviour that you see is indeed:
- Client connects fine automatically as long as it is on the same location, even when client goes home and is returns.
- Client needs to be manually connected when it returns to a different location; and after that experiences the same as in the previous point,

And all locations use the same SSID and use the same ClearPass server, that does not make sense to me.

When you mention: SSID needs to be forgotten, and connected again, can you check the certificate while the client connects and confirm that it is the same certificate that you configured on ClearPass (for EAP)? I think you don't have the same cert. Could it be that you configured EAP Offload on the SSID? In that case, a local certificate on the AP is used instead of the certificate on ClearPass and that could lead to this behaviour.

(EAP offload needs to be switched OFF in most cases)



------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: May 10, 2021 09:13 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

Hi,

The clients are all connecting to the same Clearpass server in a shared datacenter.

The certificate is a DigiCert certificate (clearpass.<domain.name>) that is valid until June next year.

------------------------------
Johan

Original Message:
Sent: Apr 26, 2021 07:51 AM
From: Herman Robers
Subject: Clients not auto connecting to SSID when switching location

What is your RADIUS Server, and what RADIUS certificate does it have?
How are the clients configured for the trusted RADIUS server and Root CA?

If you have different RADIUS server certificates at each site, and not configured the client to trust all of them, you may see this behavior.
My recommendation would be to have the same RADIUS certificate on each of your RADIUS servers and to properly configure your client supplicant to only trust your own RADIUS server name and root CA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Apr 21, 2021 08:25 AM
From: Johan Lundmark
Subject: Clients not auto connecting to SSID when switching location

I have a customer with four separate locations and an SSID created on the Group in Central published on all four sites.

For some reason when a user moves from one location to another they have to forget the SSID and connect again and I can't figure out why. Anyone have an idea what might be the cause? They connect using MSCHAPv2 because they don't have a PKI server that can assign certificates to all the clients. It is only Windows 10 computers connecting to the SSID.

------------------------------
Johan
------------------------------