Wireless Access

Q1: If OKC is disabled in the "802.1x authentication profile," but enabled in the "wlan ssid-profile" - which takes precedence?

Q2: Does roaming from band to band (same SSID) on the same AP require a full 802.1x re-auth? (This would be within an 8.9 cluster, with 802.11r/k not enabled, answer to Q1 above determines if OKC is enabled or not)

Q3: What is the AMP client "association history" showing? Is it the low level 802.11 auth + association, but not necessarily when the client fully roamed to that AP (802.11 auth + association + 802.1x auth)? I ask because comparing my ClearPass access tracker entries, they do not line up with the AMP client association history. The AMP client association history shows more entries than I see in access tracker when testing roaming with my test client. So for example: As my test client (windows laptop) roamed, I may see 12 association history events in AMP among 8 different APs, but I only see 4 access tracker entries in ClearPass sourced from 4 different APs.

Q4: In viewing the mobility trail via the cli (#show ap client trail-info) it seems limited to the last 10 entries. Is there a way to see more via cli? Is the controller cli "mobility trail" the same as the client "association history" displayed in AMP for a client?

------------------------------
Cody Ensanian
------------------------------

1- The wlan ssid-profile  EDIT: the 802.1x authentication profile
2- Not necessarily.  Most clients (besides mac osx) support OKC so a typical reauth would not be required.
3- It is not a full roaming history, it is just a sampling.  Some roams will be missed because the reports in that list only occur once per minute.  Look at the Clarity Entries for that client for a full roaming history along with whether or not a full reauth took place and how long each roam took.
4 - It is limited due to space.  There is no way to see more.  The mobility trail is the same limited entries but limited due to space.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: May 20, 2022 06:11 PM
From: Cody Ensanian
Subject: Roaming and association history questions

Q1: If OKC is disabled in the "802.1x authentication profile," but enabled in the "wlan ssid-profile" - which takes precedence?

Q2: Does roaming from band to band (same SSID) on the same AP require a full 802.1x re-auth? (This would be within an 8.9 cluster, with 802.11r/k not enabled, answer to Q1 above determines if OKC is enabled or not)

Q3: What is the AMP client "association history" showing? Is it the low level 802.11 auth + association, but not necessarily when the client fully roamed to that AP (802.11 auth + association + 802.1x auth)? I ask because comparing my ClearPass access tracker entries, they do not line up with the AMP client association history. The AMP client association history shows more entries than I see in access tracker when testing roaming with my test client. So for example: As my test client (windows laptop) roamed, I may see 12 association history events in AMP among 8 different APs, but I only see 4 access tracker entries in ClearPass sourced from 4 different APs.

Q4: In viewing the mobility trail via the cli (#show ap client trail-info) it seems limited to the last 10 entries. Is there a way to see more via cli? Is the controller cli "mobility trail" the same as the client "association history" displayed in AMP for a client?

------------------------------
Cody Ensanian
------------------------------

Thanks for your responses Colin! And thanks for pointing out the more detailed Clarity section in AMP. I see this can be exported to csv too, which is helpful. I have a few more follow up questions...

Based on your response to Q1 above, we do not appear to have OKC enabled on the ssid I am testing. 

Q5: Here are the clarity entries for my test client. How would you explain, for example, rows 14, 15, & 16, that show my client roaming to new APs, but there is no authentication. Wouldn't this require OKC or 802.11r (which I believe to be disabled on this ssid)?


Q6: Back to the band-to-band roam on same AP scenario: assuming OKC and 802.11r disabled, would the client need to go through a full 802.1x re-auth if roaming band-to-band? I am assuming so?

------------------------------
Cody Ensanian
------------------------------

Original Message:
Sent: May 20, 2022 07:25 PM
From: Colin Joseph
Subject: Roaming and association history questions

1- The wlan ssid-profile  EDIT: the 802.1x authentication profile
2- Not necessarily.  Most clients (besides mac osx) support OKC so a typical reauth would not be required.
3- It is not a full roaming history, it is just a sampling.  Some roams will be missed because the reports in that list only occur once per minute.  Look at the Clarity Entries for that client for a full roaming history along with whether or not a full reauth took place and how long each roam took.
4 - It is limited due to space.  There is no way to see more.  The mobility trail is the same limited entries but limited due to space.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: May 20, 2022 06:11 PM
From: Cody Ensanian
Subject: Roaming and association history questions

Q1: If OKC is disabled in the "802.1x authentication profile," but enabled in the "wlan ssid-profile" - which takes precedence?

Q2: Does roaming from band to band (same SSID) on the same AP require a full 802.1x re-auth? (This would be within an 8.9 cluster, with 802.11r/k not enabled, answer to Q1 above determines if OKC is enabled or not)

Q3: What is the AMP client "association history" showing? Is it the low level 802.11 auth + association, but not necessarily when the client fully roamed to that AP (802.11 auth + association + 802.1x auth)? I ask because comparing my ClearPass access tracker entries, they do not line up with the AMP client association history. The AMP client association history shows more entries than I see in access tracker when testing roaming with my test client. So for example: As my test client (windows laptop) roamed, I may see 12 association history events in AMP among 8 different APs, but I only see 4 access tracker entries in ClearPass sourced from 4 different APs.

Q4: In viewing the mobility trail via the cli (#show ap client trail-info) it seems limited to the last 10 entries. Is there a way to see more via cli? Is the controller cli "mobility trail" the same as the client "association history" displayed in AMP for a client?

------------------------------
Cody Ensanian
------------------------------

I have never manipulated the OKC parameter in the SSID profile, so I am not in what context it is used.  Leaving OKC on has the "Validate PMK cache" setting (default) that automatically determines if the client supports OKC or not".  Long story short, I wouldn't touch that parameter in the 802.1x profile or the SSID profile.  It doesn't hurt anything.

To avoid the 4-way handshake on a roam, some sort of caching mechanism would have to be in play, yes.  Typically an access point will cache keys for a client and if and when the client returns to the same AP it can skip the 4-way handshake.  It would then only have the 4-way handshake on new access points.  That is how it should work in general.

I honestly do not know how the band-to-band works in general with respect to this.


------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: May 23, 2022 10:29 AM
From: Cody Ensanian
Subject: Roaming and association history questions

Thanks for your responses Colin! And thanks for pointing out the more detailed Clarity section in AMP. I see this can be exported to csv too, which is helpful. I have a few more follow up questions...

Based on your response to Q1 above, we do not appear to have OKC enabled on the ssid I am testing. 

Q5: Here are the clarity entries for my test client. How would you explain, for example, rows 14, 15, & 16, that show my client roaming to new APs, but there is no authentication. Wouldn't this require OKC or 802.11r (which I believe to be disabled on this ssid)?


Q6: Back to the band-to-band roam on same AP scenario: assuming OKC and 802.11r disabled, would the client need to go through a full 802.1x re-auth if roaming band-to-band? I am assuming so?

------------------------------
Cody Ensanian

Original Message:
Sent: May 20, 2022 07:25 PM
From: Colin Joseph
Subject: Roaming and association history questions

1- The wlan ssid-profile  EDIT: the 802.1x authentication profile
2- Not necessarily.  Most clients (besides mac osx) support OKC so a typical reauth would not be required.
3- It is not a full roaming history, it is just a sampling.  Some roams will be missed because the reports in that list only occur once per minute.  Look at the Clarity Entries for that client for a full roaming history along with whether or not a full reauth took place and how long each roam took.
4 - It is limited due to space.  There is no way to see more.  The mobility trail is the same limited entries but limited due to space.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: May 20, 2022 06:11 PM
From: Cody Ensanian
Subject: Roaming and association history questions

Q1: If OKC is disabled in the "802.1x authentication profile," but enabled in the "wlan ssid-profile" - which takes precedence?

Q2: Does roaming from band to band (same SSID) on the same AP require a full 802.1x re-auth? (This would be within an 8.9 cluster, with 802.11r/k not enabled, answer to Q1 above determines if OKC is enabled or not)

Q3: What is the AMP client "association history" showing? Is it the low level 802.11 auth + association, but not necessarily when the client fully roamed to that AP (802.11 auth + association + 802.1x auth)? I ask because comparing my ClearPass access tracker entries, they do not line up with the AMP client association history. The AMP client association history shows more entries than I see in access tracker when testing roaming with my test client. So for example: As my test client (windows laptop) roamed, I may see 12 association history events in AMP among 8 different APs, but I only see 4 access tracker entries in ClearPass sourced from 4 different APs.

Q4: In viewing the mobility trail via the cli (#show ap client trail-info) it seems limited to the last 10 entries. Is there a way to see more via cli? Is the controller cli "mobility trail" the same as the client "association history" displayed in AMP for a client?

------------------------------
Cody Ensanian
------------------------------