Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
The voice-aware Dot1x feature in ArubaOS allows optimizing the authentication activities by minimizing authentication transactions, which can affect call quality.
After the 802.1x success, key exchange happens between the client and the AP.
After a certain amount of time (which is configurable), the key rotates/changes.
802.1X transactions in the middle of a call can result in choppy voice quality due to the time taken by the AP and client for the four-way key handshake and the group key handshake.
Without key-caching, key negotiations are important and unavoidable as a client moves from one AP to another. However, ArubaOS can postpone rekeying for the duration of a call when a handset remains on the same AP, thus avoiding choppiness.
Also, rekeying in an 802.1x network can stress the processor of a handset to the degree that it can interrupt voice calls. Therefore, ArubaOS now has a feature that delays rekeying till the handset is idle (not on a call).
To enable this feature in Dot1x authentication profile, issue the following command:
(arun-3200) (802.1X Authentication Profile "dot1x") #voice-aware
Unicast and multicast rekeying and re-authentication can also be enabled in the AAA authentication Dot1x profile.
Also the unicast and multicast rekey and reauthentication intervals can be set in the same profile.
802.1X Authentication Profile "dot1x"
-------------------------------------
Parameter Value
--------- -----
Max authentication failures 0
Enforce Machine Authentication Disabled
Machine Authentication: Default Machine Role guest
Machine Authentication Cache Timeout 24 hrs
Blacklist on Machine Authentication Failure Disabled
Machine Authentication: Default User Role guest
Interval between Identity Requests 30 sec
Quiet Period after Failed Authentication 30 sec
Reauthentication Interval 86400 sec ç Configure reauthentication interval
Use Server provided Reauthentication Interval Disabled ç Using re-authentication interval on RADIUS
Multicast Key Rotation Time Interval 1800 sec ç Configure multicast rekey interval
Unicast Key Rotation Time Interval 900 sec ç Configure unicast rekey interval
Authentication Server Retry Interval 30 sec
Authentication Server Retry Count 2
Framed MTU 1100 bytes
Number of times ID-Requests are retried 3
Maximum Number of Reauthentication Attempts 3
Maximum number of times Held State can be bypassed 0
Dynamic WEP Key Message Retry Count 1
Dynamic WEP Key Size 128 bits
Interval between WPA/WPA2 Key Messages 2000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange 0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange 0 msec
WPA/WPA2 Key Message Retry Count 3
Multicast Key Rotation Disabled ç Enable/Disable Multicast re-keying
Unicast Key Rotation Disabled ç Enable/Disable Unicast re-keying
Reauthentication Disabled ç Enable/Disable re-authentication
Opportunistic Key Caching Enabled
Validate PMKID Disabled
Use Session Key Disabled
Use Static Key Disabled
xSec MTU 1300 bytes
Termination Disabled
Termination EAP-Type N/A
Termination Inner EAP-Type N/A
Token Caching Disabled
Token Caching Period 24 hrs
CA-Certificate N/A
Server-Certificate N/A
TLS Guest Access Disabled
TLS Guest Role guest
Ignore EAPOL-START after authentication Disabled
Handle EAPOL-Logoff Disabled
Ignore EAP ID during negotiation. Disabled
WPA-Fast-Handover Disabled
Disable rekey and reauthentication for clients on call Disabled ç Enable/Disable Voice aware Dot1x
When voice-aware Dot1x is enabled, and when clients are on call, rekey or re-authentication should not happen until the call is disconnected.