Hello,
I am running into an issue where the time it takes for the IPSEC tunnel to come up on a Microbranch deployment (AP to VPNC tunnel) causes issues with EAP authentication. What we observe for a wired client:
- It takes 5 minutes to several hours for the IPSEC tunnel to establish.
- The RADIUS server is in our datacenter and cannot be reached until the tunnel is established. As a result users cannot authenticate.
- When the tunnel finally comes up, the user still cannot authenticate, even if they reboot their machine.
- The only way to fix the problem is to unplug the cable from the AP and plug it back in (I assume this action resets a counter).
More troubleshooting uncovered that the AP does not send Access-Requests to the RADIUS server.
The Microsoft settings are configured with 3 retries and a 30-second timeout. The Aruba settings are 3 retries and a 5-second timeout, configured for the RADIUS servers.
From what I understand, one EAPOL message from the client can already result in 3 retries on the Aruba side.
My question: How can I change the behavior so that the tunnel setup time does not lead to our end users having to unplug and replug the cable between the AP and the device? Should I change the retries to a really high number?
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------