IAP and dot1x: too frequent reauth for windows AD clients
11-06-2017 01:47 AM - edited 11-06-2017 01:50 AM
Could anyone point to a known issue or bugfix, or maybe a similar experience, just to be certain that the software release was the source of the issue?
I have a customer with IAP-205s (two), and the main corporate network is using 802.1X authentication using RADIUS (MS Server 2008 R2 tied to AD), using regular AD user/pass (not certificates).
Additionally, we differentiate users by their AD groups, and they are given RADIUS VLAN values: normal users are given one VLAN (vlan2) and superusers are given a second VLAN (vlan 5). Wired traffic is handled similarly.
I'm having issues where AD Windows clients (all versions: 7, 8 and 10) authenticate too frequently. Way too frequently, like once every 5 minutes or even more often. Association time is constantly changing and updating in our Airwave server for these clients every 2-5 minutes. Mac OS users seem to work okay and don't do frequent auth. The reauth timer set in the Instant config is 24hrs. Wired Windows clients don't have such issues.
Roaming is not an issue, as secondary AP is far away (second part of the building) and not seen by clients.
Not only that, for some reason and with random occurrence (like once an hour or even more often), auth fails and customers get dropped (and only Windows AD clients).
The symptoms are that wlan stays connected, but no traffic flows (no ping to gw). After a minute or two, new successful auth is made (automatically) and traffic can flow again.
Secondary guest SSID is working fine (both 2,4G and 5G).
Now, everything got fixed when we upgraded the IAPs to 6.5.4 (and we had to upgrade our AW to 8.2.5).
The previous (faulty) software was 22.214.171.124-126.96.36.199, as it was the "official" standard release for the WPA2 security patch that worked with our AW 188.8.131.52 production server.
AFAIK, I didn't see any similar issues being fixed or mentioned in the release notes.
Re: IAP and dot1x: too frequent reauth for windows AD clients
11-06-2017 04:59 AM
It would be hard to say if we cannot examine your live "older" system to determine what was causing your reauthentication problem. It could be a combination of configuration, clients, environment, or even software code that was causing your issue. It also might have been client-match settings. There is no one single thing that causes frequent reauths. Without looking at your old system that shows why the client disconnected in the first place, it would be hard to tell.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*