Higher Education

New Contributor

Re: 802.1x - why so many duplicate authentications from iPhones?

Does that two mil include AirGroup? We average a total of around 2.3 mil auths per day load balanced between 4 nodes. This doesn't include AirGroup requests. We average around 8k clients consistently with peaks around 12k daily.

T.J. Norton
Liberty University
T.J. Norton - Wireless Architect

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
Guru Elite

Re: 802.1x - why so many duplicate authentications from iPhones?

No, just authentications. No AirGroup authorizations.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: 802.1x - why so many duplicate authentications from iPhones?

The client count was over wireless. This doesn't include all of our wired clients.
T.J. Norton - Wireless Architect

New Contributor

Re: 802.1x - why so many duplicate authentications from iPhones?

Awesome
T.J. Norton - Wireless Architect

Contributor I

Re: 802.1x - why so many duplicate authentications from iPhones?

Hi Danstl,

 

You might want to group logs per min/hour etc. This will lower your log numbers. I think your log tools had such a facility (even FreeRADIUS had).

 

hdemir.

 

Guru Elite

Re: 802.1x - why so many duplicate authentications from iPhones?

Why don't we start from scratch by showing the values in your 802.1x profile attached to that SSID: "show aaa authentication dot1x <name of 802.1x profile>"

 

Next, let's make sure in your SSID profile that EAPOL optimization is enabled.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Super Contributor I

Re: 802.1x - why so many duplicate authentications from iPhones?

2.5M in a month would not be a concern for me. We have peaked at 4.5+M in a day. Logs are logs, so I would just increase disk space or decrease the data retention for the logs themselves. My $0.02.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Frequent Contributor I

Re: 802.1x - why so many duplicate authentications from iPhones?

Parameter                                                  Value
---------                                                  -----
Max authentication failures                                0
Enforce Machine Authentication                             Disabled
Machine Authentication: Default Machine Role               guest
Machine Authentication Cache Timeout                       24 hr(s)
Blacklist on Machine Authentication Failure                Disabled
Machine Authentication: Default User Role                  guest
Interval between Identity Requests                         5 sec
Quiet Period after Failed Authentication                   30 sec
Reauthentication Interval                                  86400 sec
Use Server provided Reauthentication Interval              Disabled
Multicast Key Rotation Time Interval                       1800 sec
Unicast Key Rotation Time Interval                         900 sec
Authentication Server Retry Interval                       5 sec
Authentication Server Retry Count                          3
Framed MTU                                                 1100 bytes
Number of times ID-Requests are retried                    5
Maximum Number of Reauthentication Attempts                3
Maximum number of times Held State can be bypassed         0
Dynamic WEP Key Message Retry Count                        1
Dynamic WEP Key Size                                       128 bits
Interval between WPA/WPA2 Key Messages                     1000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
Time interval after which the PMKSA will be deleted        8 hr(s)
WPA/WPA2 Key Message Retry Count                           3
Multicast Key Rotation                                     Disabled
Unicast Key Rotation                                       Disabled
Reauthentication                                           Enabled
Opportunistic Key Caching                                  Enabled
Validate PMKID                                             Disabled
Use Session Key                                            Disabled
Use Static Key                                             Disabled
xSec MTU                                                   1300 bytes
Termination                                                Disabled
Termination EAP-Type                                       N/A
Termination Inner EAP-Type                                 N/A
Token Caching                                              Disabled
Token Caching Period                                       24 hr(s)
CA-Certificate                                             N/A
Server-Certificate                                         N/A
TLS Guest Access                                           Disabled
TLS Guest Role                                             guest
Ignore EAPOL-START after authentication                    Disabled
Handle EAPOL-Logoff                                        Disabled
Ignore EAP ID during negotiation.                          Disabled
WPA-Fast-Handover                                          Disabled
Disable rekey and reauthentication for clients on call     Disabled
Check certificate common name against AAA server           Disabled

Guru Elite

Re: 802.1x - why so many duplicate authentications from iPhones?

Enable Validate PMKID. Macs do not support opportunistic key caching and that should be enabled when OKC is enabled.

Frequent Contributor I

Re: 802.1x - why so many duplicate authentications from iPhones?


@cjoseph wrote:
Enable Validate PMKID. Macs do not support opportunistic key caching and that should be enabled when OKC is enabled.

Thanks for the input.
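
Added example (not part of the original posts and not Aruba code): a small Python parser for the "show aaa authentication dot1x" output posted in this thread, which flags the combination raised in the reply above, Opportunistic Key Caching enabled while Validate PMKID is disabled. The function names are hypothetical; the sample is an excerpt of the output as posted here.

```python
import re

# Excerpt of the profile output posted in this thread (single-space separated,
# as it appears on the page). The parser also accepts column-aligned output.
SAMPLE = """\
Parameter Value
--------- -----
Machine Authentication: Default Machine Role guest
Reauthentication Interval 86400 sec
Time interval after which the PMKSA will be deleted 8 hr(s)
Reauthentication Enabled
Opportunistic Key Caching Enabled
Validate PMKID Disabled
Termination EAP-Type N/A
Ignore EAP ID during negotiation. Disabled
"""

# A value is either "<number> <unit>" or the last whitespace-delimited token.
_VALUE = re.compile(r"\s+(\d+ (?:sec|msec|bytes|bits|hr\(s\))|\S+)\s*$")


def parse_dot1x_profile(text):
    """Return {parameter: value} from the profile output (hypothetical helper)."""
    params = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("Parameter", "---")):
            continue  # skip blank lines and the two header rows
        m = _VALUE.search(line)
        if m:
            params[line[:m.start()].strip()] = m.group(1)
    return params


def okc_findings(params):
    """Flag the setting pair called out in the reply: OKC on, Validate PMKID off."""
    findings = []
    if (params.get("Opportunistic Key Caching") == "Enabled"
            and params.get("Validate PMKID") != "Enabled"):
        findings.append("OKC is enabled but Validate PMKID is not")
    return findings


if __name__ == "__main__":
    for finding in okc_findings(parse_dot1x_profile(SAMPLE)):
        print("FINDING:", finding)
```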
