
802.1x - why so many duplicate authentications from iPhones?

  • 1.  802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 01:19 PM

    I was looking at our NPS logs and Aruba authentication logs (and dhcpd while I was at it...) and was shocked to see so many duplicate entries for all our iPhone users. Our dhcpd server often sees multiple requests, and our NPS log is just full of them... We do not see any connectivity issues or have any reported problems from the users; the devices all seem to be authenticating correctly. The major correlation I see is that almost all the devices that are showing this behavior are iPhones.

    Could this be because of the nature of the device to be in a purse or pocket, often hopping on and off the network?

    Just curious if anyone else is seeing this behaviour.



  • 2.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 01:24 PM

    iPhones and iPads are always on; as users move around a campus they continually authenticate, while laptops usually only auth when opened and turned on. In addition, iPads/iPhones do not support opportunistic key caching, so they continually do a full re-auth. 802.11r is supposed to resolve this if turned on... but may also cause some issues of its own.

     



  • 3.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 01:28 PM

    that sucks... :) 

     

    It is so annoying - I can see 50-60 of these from one user over the course of 5 minutes if they are walking around campus. Is there any way to slow this down? I like to have my RADIUS logs, but man, they are getting a bit crazy with all the iPhone auths!



  • 4.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 01:34 PM
    Yes! We are a Cisco shop but are seeing the same behavior with duplicate DHCP scopes. This is happening on iPhones and Chromebooks.

    Pola Swartz
    Wireless Team Lead
    Sr. Wireless Administrator
    Department of Technology Services
    Denver Public Schools
    720-423-3603
    I Proudly Play For Team DPS


  • 5.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 07:17 PM

    So is there any way to help this issue? It seems the iPhones in particular do some aggressive roaming of APs that seems to make this even more apparent...

     



  • 6.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 23, 2014 08:13 PM
    Since you are not experiencing any performance, roaming or connectivity
    issues, I wouldn't change anything.


  • 7.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 09:52 PM

    @cappalli wrote:
    Since you are not experiencing any performance, roaming or connectivity
    issues, I wouldn't change anything.

    Well, I would not say I am not experiencing any issues - my RADIUS accounting/logging would beg to differ :)  My SQL RADIUS logs are seeing around 2.5 million entries a month... it's kind of crazy...

     

    I take that back - just checked my SQL log and just for today we have 234k log entries. So that would be almost 5 million log entries a month!



  • 8.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 23, 2014 10:11 PM

    You might want to contact Apple about that behavior...



  • 9.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 23, 2014 11:07 PM
    We see over 2 million auths per week. Those numbers don't sound out of the
    ordinary.


  • 10.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 23, 2014 11:43 PM

    How many users?  We have 600 users...



  • 11.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 03:13 AM

    Hi Danstl,

     

    You might want to group logs per min/hour etc. This will lower your log numbers. I think your log tools had such a facility (even FreeRADIUS had).

     

    hdemir.
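
The per-window grouping suggested in the post above could look like the following. This is an added example, not part of the original thread or any vendor tool; the record layout, the sample entries, the AP names and the triage thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, client MAC, AP name, result).
SAMPLE = [
    ("2014-04-23 13:00:05", "jdoe", "AA:BB:CC:00:00:01", "ap-lib-1", "Accept"),
    ("2014-04-23 13:01:10", "jdoe", "aa:bb:cc:00:00:01", "ap-lib-2", "Accept"),
    ("2014-04-23 13:02:40", "jdoe", "aa:bb:cc:00:00:01", "ap-quad-1", "Accept"),
    ("2014-04-23 13:04:59", "jdoe", "aa:bb:cc:00:00:01", "ap-quad-1", "Accept"),
    ("2014-04-23 13:06:00", "jdoe", "aa:bb:cc:00:00:01", "ap-gym-1", "Accept"),
    ("2014-04-23 13:00:30", "asmith", "aa:bb:cc:00:00:02", "ap-lib-1", "Reject"),
    ("2014-04-23 13:00:45", "asmith", "aa:bb:cc:00:00:02", "ap-lib-1", "Reject"),
    ("2014-04-23 13:01:00", "asmith", "aa:bb:cc:00:00:02", "ap-lib-1", "Reject"),
    ("2014-04-23 13:01:20", "asmith", "aa:bb:cc:00:00:02", "ap-lib-1", "Accept"),
]

def window_start(ts, minutes):
    """Floor ts to its window; assumes `minutes` divides 60 evenly."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def summarize(records, minutes=5):
    """One row per (window, user, MAC, result) instead of one row per auth.

    Accept and Reject are separate keys, so failures are never hidden
    inside a run of successful roaming re-authentications.
    """
    rows = defaultdict(lambda: {"count": 0, "first": None, "last": None, "aps": set()})
    for stamp, user, mac, ap, result in records:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        row = rows[(window_start(ts, minutes), user, mac.lower(), result)]
        row["count"] += 1
        row["first"] = ts if row["first"] is None else min(row["first"], ts)
        row["last"] = ts if row["last"] is None else max(row["last"], ts)
        row["aps"].add(ap)
    return dict(rows)

def label(row, result):
    """Rough triage label for a summarized row (thresholds are arbitrary)."""
    if result == "Reject" and row["count"] >= 3:
        return "repeated-reject"
    if len(row["aps"]) > 1:
        return "roaming"
    return "single-ap"

if __name__ == "__main__":
    for (start, user, mac, result), row in sorted(summarize(SAMPLE).items()):
        print(start, user, mac, result, row["count"], sorted(row["aps"]), label(row, result))
```

Each summarized row keeps the count, first and last timestamps and the set of APs, so a walk across campus and a client failing repeatedly against one AP remain distinguishable after the log volume is reduced.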

     



  • 12.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 24, 2014 05:01 AM

    Why don't we start from scratch by showing the values in your 802.1x profile attached to that SSID: "show aaa authentication dot1x <name of 802.1x profile>"

     

    Next, let's make sure in your SSID profile that EAPOL optimization is enabled.

     



  • 13.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 09:46 AM

    Parameter                                                  Value
    ---------                                                  -----
    Max authentication failures                                0
    Enforce Machine Authentication                             Disabled
    Machine Authentication: Default Machine Role               guest
    Machine Authentication Cache Timeout                       24 hr(s)
    Blacklist on Machine Authentication Failure                Disabled
    Machine Authentication: Default User Role                  guest
    Interval between Identity Requests                         5 sec
    Quiet Period after Failed Authentication                   30 sec
    Reauthentication Interval                                  86400 sec
    Use Server provided Reauthentication Interval              Disabled
    Multicast Key Rotation Time Interval                       1800 sec
    Unicast Key Rotation Time Interval                         900 sec
    Authentication Server Retry Interval                       5 sec
    Authentication Server Retry Count                          3
    Framed MTU                                                 1100 bytes
    Number of times ID-Requests are retried                    5
    Maximum Number of Reauthentication Attempts                3
    Maximum number of times Held State can be bypassed         0
    Dynamic WEP Key Message Retry Count                        1
    Dynamic WEP Key Size                                       128 bits
    Interval between WPA/WPA2 Key Messages                     1000 msec
    Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
    Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
    Time interval after which the PMKSA will be deleted        8 hr(s)
    WPA/WPA2 Key Message Retry Count                           3
    Multicast Key Rotation                                     Disabled
    Unicast Key Rotation                                       Disabled
    Reauthentication                                           Enabled
    Opportunistic Key Caching                                  Enabled
    Validate PMKID                                             Disabled
    Use Session Key                                            Disabled
    Use Static Key                                             Disabled
    xSec MTU                                                   1300 bytes
    Termination                                                Disabled
    Termination EAP-Type                                       N/A
    Termination Inner EAP-Type                                 N/A
    Token Caching                                              Disabled
    Token Caching Period                                       24 hr(s)
    CA-Certificate                                             N/A
    Server-Certificate                                         N/A
    TLS Guest Access                                           Disabled
    TLS Guest Role                                             guest
    Ignore EAPOL-START after authentication                    Disabled
    Handle EAPOL-Logoff                                        Disabled
    Ignore EAP ID during negotiation.                          Disabled
    WPA-Fast-Handover                                          Disabled
    Disable rekey and reauthentication for clients on call     Disabled
    Check certificate common name against AAA server           Disabled



  • 14.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 09:33 AM
    2.5M in a month would not be a concern for me. We have peaked at 4.5+M in a day. Logs are logs, so I would just increase disk space or decrease the data retention for the logs themselves. My $0.02.


  • 15.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 12:00 AM
    Does that two mil include AirGroup? We average a total of around 2.3 mil auths per day load balanced between 4 nodes. This doesn't include AirGroup requests. We average around 8k clients consistently with peaks around 12k daily.

    T.J. Norton
    Liberty University


  • 16.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 24, 2014 12:08 AM
    No, just authentications. No AirGroup authorizations.








  • 17.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 12:09 AM
    The client count was over wireless. This doesn't include all of our wired clients.


  • 18.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 12:12 AM
    Awesome


  • 19.  RE: 802.1x - why so many duplicate authentications from iPhones?

    EMPLOYEE
    Posted Apr 24, 2014 09:47 AM
    Enable Validate PMKID. Macs do not support opportunistic key caching and that should be enabled when OKC is enabled.


  • 20.  RE: 802.1x - why so many duplicate authentications from iPhones?

    Posted Apr 24, 2014 09:53 AM

    @cjoseph wrote:
    Enable Validate PMKID. Macs do not support opportunistic key caching and that should be enabled when OKC is enabled.

    Thanks for the input.