Higher Education

 View Only
Expand all | Collapse all

Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

This thread has been viewed 0 times
  • 1.  Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 28, 2014 05:44 PM

     

    We've been getting reports from Surface 2 RT and Pro users on campus reporting that our SSID with EAP-PEAP authentication hasn't been working for them.  They successfully complete EAP authentication, get assigned to the correct VLAN, and the Surface 2 seems to stop sending packets.  This often results in the device self assigning itself an autogenerated IP.  The users report the captive portal network on the same AP hardware works perfectly fine.

     

    I bought a Surface 2 RT tablet and spent the day confirming the following:

     

    Pre-N AP (61 and 65) if SSID is captive portal/open system and WMM is ENABLED: Surface 2 is fine

    Pre-N AP (61 and 65) if SSID is WPA2/EAP and WMM is disabled: Surface 2 is fine

    Pre-N AP (61 and 65) if SSID is WPA2/EAP and WMM is ENABLED: Surface 2 is BORKED

    N AP (105) if SSID is WPA2/EAP and WMM is ENABLED: Surface 2 is fine

     

    The Surface 2 line falls flat on it's face if ALL of the following is true:

     

    - Client is connected to an AP 61 or 65 (either a or b/g)

    - SSID is WPA2 authenicated

    - WMM is enabled

     

    Disabling WMM for the WPA2 SSID restores connectivity to the Surface 2 tablet.  No other toggle I've found in the SSID profile has made a difference so far.  The Surface 1 Pro I have on hand doesn't exhibit this issue and the complaints seem to all be Surface 2 Pro and RT devices.

     

    We're running 6.3.1.2 on our controllers and the Surface 2 RT device I'm testing with exhibits the behavior out of the box and also after every possible update offered in PC Settings is installed.

     

    From my understanding disabling WMM causes problems for Apple devices which far far outnumber Surface devices so that's a non-option even as a temporary workaround.

     

    Has anyone else seen this?

     

     



  • 2.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 29, 2014 12:33 AM

    blocke,

     

    WMM is a part of the 802.11n spec and is enabled in the background even if the box is not checked in the SSID profile for access points that have an HT (802.11n) phy.  The Surface Pro could have problems with WMM enabled on non-802.11n SSIDs probably because Microsoft has not tested it much with non-802.11n access points.  The only devices that would expect to have WMM enabled on a non-802.11n SSID would be voice handsets.

     

    If you have a mix of 802.11n and non-802.11n access points, DON'T enable WMM, and you can sidestep your issue.  Your Apple devices should be fine with this arrangement.

     

    That is my best guess about what is happening here.



  • 3.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 29, 2014 02:26 PM

    Blocke,

     

    We are interested in your issue.  Can you please open an automated case at support.arubanetworks.com and upload your logs.tar?  Message me the case# when you do so that we can examine your logs.tar

     

    In addition:

     

    What type of controller are you using with the 6.3.1.2 code?

     

     



  • 4.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 31, 2014 01:41 PM

    Case created and private message sent.

     

    We're using a pair of 3600 as dedicated masters and a pair of 7220s to handle the APs.

     

    I'm going to take your advise and disable explicit WMM for pre-N stuff and hope nothing else breaks.

     

    Thanks.

     



  • 5.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 31, 2014 02:10 PM

    blocke,

     

    Thank you.  Let us know if the workaround works.  If not, Engineering believes you are running into Bug#93874 and if you upgrade to 6.3.1.3 (or 4) it is patched in those versions:

     

    Bug 93874 Symptom: With Multiple TID Traffic to Temptrak device with AES Encryption, the device drops packets from AP.
    Scenario: This issue was observed on ArubaOS 6.3.1.1 and is specific to 7200 Series controllers. This issue occurred, because the 7200 Series controller was using multiple replay counters, which the device did not support. 

     

    Please let us know if the workaround works.  If not, please let us know if and when you would consider an upgrade.

     



  • 6.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Mar 31, 2014 02:57 PM

     

    Turning off WMM seems to fix the issue for my test device.

     

    We're going to move to 6.3.1.4 early tomorrow morning, turn WMM back on, and see if the issue still occurs.

     

    Thanks.

     



  • 7.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 01, 2014 10:10 AM

     

    Upgraded to 6.1.3.4 early this morning and turned pre-N WMM back on for all SSIDs.

     

    My test Surface 2 RT device appears to be functioning fine on our EAP SSID and a faculty member chimmed in that his Surface 2 RT was also working this morning.

     

    So hopefully this fixes it.

     

    Thanks!

     



  • 8.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 01, 2014 10:11 AM

    blocke,

     

    Thank you.

     

    Please let us know if you see anything different.



  • 9.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 03:22 AM
    I haven't heard of the apple and wmm disabled issues. Can you elaborate?



    Ryan Holland
    Senior Network Engineer
    The Ohio State University
    Office of the Chief Information Officer
    KRC - Building E, 1121 Kinnear Rd., Columbus, OH 43212
    614-292-9906 Office
    holland.112@osu.edu ocio.osu.edu

    (sent while mobile)


  • 10.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 04:52 AM

    Ryan,

     

    There was only a problem with Surface Tablets with WMM enabled in the SSID profile on non-802.11n access points.



  • 11.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 11:58 AM

     

    I was refering to this article and incorrectly assumed it applied to pre-N radios in addition to the 802.11n radios the article specifically addresses: 

     

    http://support.apple.com/kb/ts3727

     

    Apple devices apparently don't like it when you turn WMM off on 802.11n phys.  It says nothing about 802.11abg phys. According to the cjoseph's above post Aruba gear won't let you turn off WMM on 802.11n so there appears to be nothing to worry about for Apple devices.

     

     



  • 12.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 12:08 PM

    blocke,

     

    To be clear, WMM or 802.11e is part of the 802.11n spec, so it cannot be turned off...  It is not an Aruba thing....



  • 13.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 12:13 PM

     

    I didn't mean to imply Aruba was in the wrong here in any way.

     

    More an observation that some of the terrible consumer grade gear out there apparently will let you break things as per the Apple article.  This obviously doesn't apply to Aruba gear.

     

    Just wanted to clarify things for future perusers of these forums via Google searches. :smileywink:

     



  • 14.  RE: Surface 2 RT/Pro + Pre-N AP + 802.1x + WMM = Fail

    Posted Apr 02, 2014 12:15 PM

    blocke,

     

    Thank you for that explanation.