Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

  • 1.  having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    Posted Sep 05, 2024 11:16 AM

    Good day all,

    We have 3 main controller-based locations (7210, 7205, 7205) where we have the same-named SSID ('company'), all using the same back-end NPS servers (3 spread across the campuses).

    The problem we have had for a long time is that as a user moves from one bldg that is based on the 7210 to another based on 7205-A, many times they need to 'forget' the 'Company' SSID in order to re-connect to the 'same SSID' that's being controlled by a different controller.

    It is basically 'walking with a pebble in your shoe' for the past couple of YEARS now... and mgmt would really like to get this snafu FIXED, so it's more seamless (read: no forget/re-connect operation when traveling state-to-state, or, in the case of a campus, needing to do the same when moving from one bldg to another).

    Each controller is in its own Managed Network of the Mobility Master... and we have used the same inside CA cert for Windows auth on each controller config.

    Any suggestions on what to look for as a differentiator?

    Thanks!



  • 2.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    EMPLOYEE
    Posted Sep 05, 2024 11:23 AM

    Have you opened a case with TAC?

    If you are running a single campus, is there a reason not to run everything as a single cluster?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    Posted Sep 05, 2024 03:01 PM

    Doing a TAC case 'now'... and we have built up the setup over time, not a 'single campus' setup.




  • 4.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    Posted Sep 05, 2024 11:44 AM

    Eddie,

    Are you using a single certificate with a SAN (Subject Alternative Name) entry for each NPS server within that certificate or a wildcard certificate?

    Thanks,

    Brad






  • 5.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    Posted Sep 05, 2024 02:59 PM

    Each NPS has its own CERT; it is not a 'shared' or wild-card cert.




  • 6.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    Posted Sep 05, 2024 03:02 PM

    Eddie,

    I believe that's your problem. When a client sees an NPS RADIUS server with the same SSID and a different certificate (from the one it already accepted), it makes sense that the connection would have to be forgotten before the client would attempt to connect.

    Thanks,

    Brad






  • 7.  RE: having to 'forget network' ssid , from one controller-based segment to another... same 802.1x / NPS back-end

    EMPLOYEE
    Posted Sep 05, 2024 05:27 PM

    Each server should have the exact same certificate for the purpose of RADIUS, or you have to configure the supplicant with a list of expected FQDNs that includes all of the various certificates presented.

    Wildcard should never be used for RADIUS.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------