Cloud Managed Networks

  • 1.  Behavior of RADIUS retries on an AOS10 AP

    Posted Jun 05, 2024 12:43 PM

    Hello,

    I am running into an issue that the time it takes for the IPSEC tunnel to come up on a Microbranch deployment (AP to VPNC tunnel) causes issues with EAP authentication. What we observe for a wired client:

    • It takes 5 minutes to several hours for the IPSEC tunnel to establish.
    • The RADIUS server is in our datacenter and cannot be reached until the tunnel is established. As a result users cannot authenticate.
    • When the tunnel finally comes up, the user still cannot authenticate, even if they reboot their machine.
    • The only way to fix the problem is to unplug the cable from the AP and plug it back in << I assume this action resets a counter

    More troubleshooting uncovered that the AP does not send Access-Requests to the RADIUS server.

    The Microsoft settings are configured with 3 retries and a 30 second timeout. The Aruba settings are 3 retries and a 5 second timeout, configured for the RADIUS servers.

    What I understand is that one EAPOL message from the client can already result in 3 retries on the Aruba side. My question: How can I change the behavior so that the tunnel setup time does not lead to our end users having to unplug/plug the cables from the AP to the device? Should I change the retries to a really high number?



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: Behavior of RADIUS retries on an AOS10 AP

    Posted Jun 05, 2024 07:42 PM

    Have you enabled "Query Status of RADIUS Servers(RFC 5997)" for your microbranch group?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
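
For reference, the RFC 5997 Status-Server exchange that the setting named in the reply above refers to, as an added example that is not part of the thread and not Aruba's code: it builds the probe (packet code 12 with the mandatory Message-Authenticator), checks it as a server would, and validates the answer as a client would. The shared secret, the function names and the simulated server reply are constructed for illustration, and the probe is assumed to carry no attribute other than Message-Authenticator.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2   # RADIUS packet codes (RFC 5997, RFC 2865)
MSG_AUTH = bytes([80, 18])             # Message-Authenticator: type 80, length 18
PROBE_LEN = 38                         # 20-octet header + one 18-octet attribute


def build_status_server(secret, identifier, authenticator=None):
    """Client side: Status-Server probe carrying only Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, PROBE_LEN) + authenticator
    # HMAC-MD5 over the whole packet with the attribute value set to 16 zero octets.
    mac = hmac.new(secret, header + MSG_AUTH + bytes(16), hashlib.md5).digest()
    return header + MSG_AUTH + mac


def request_is_authentic(secret, packet):
    """Server side: drop probes without a valid Message-Authenticator."""
    if len(packet) != PROBE_LEN or packet[0] != STATUS_SERVER:
        return False
    if struct.unpack("!H", packet[2:4])[0] != PROBE_LEN or packet[20:22] != MSG_AUTH:
        return False
    expected = hmac.new(secret, packet[:22] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[22:38])


def simulated_reply(secret, request):
    """Constructed stand-in for a live server: an empty Access-Accept."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    # Response Authenticator = MD5(code, id, length, request authenticator, attrs, secret)
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def reply_is_valid(secret, request, reply):
    """Client side: the server counts as alive only if the reply verifies."""
    if len(reply) < 20 or reply[0] != ACCESS_ACCEPT or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```
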



  • 3.  RE: Behavior of RADIUS retries on an AOS10 AP

    Posted Jun 06, 2024 02:38 PM

    Hi Ariyap,

    Thank you for the reply. I have to double check that and will ask the client. I assume I have to enable it.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------