High RADIUS round trip time between NAS and Clearpass

  • 1.  High RADIUS round trip time between NAS and Clearpass

    Posted Dec 12, 2019 09:16 AM

    We have a Cisco wireless LAN controller but use Aruba Clearpass for the authentication and captive portal functions of our guest wireless network.

    I'm currently troubleshooting a problem where some devices cannot connect to the guest network or see the portal. We use MAC filtering with On MAC Filter Failure to divert to the captive portal.

    I have noticed that the RADIUS Authentication round trip time is often between 1000 - 2000 milliseconds between my WLC and Aruba Clearpass, so I feel that this might be a contributing factor in the connectivity issues that I'm investigating.

    The RADIUS Accounting round trip time is usually much better - less than 10 milliseconds; therefore, on the face of it, network latency seems to be fine.

    What things can be done to reduce/improve the auth round trip time?



  • 2.  RE: High RADIUS round trip time between NAS and Clearpass

    Posted Dec 17, 2019 10:38 AM

    Does ClearPass run in Hyper-V?

    What ClearPass version are you running? C100V? C200V? C300V? Hardware?



  • 3.  RE: High RADIUS round trip time between NAS and Clearpass

    Posted Dec 18, 2019 02:59 AM

    @jrwhitehead wrote:

    Does ClearPass run in Hyper-V?

    What ClearPass version are you running? C100V? C200V? C300V? Hardware?


    Clearpass is running in the hardware appliance. It's the 25K hardware appliance.

    I have noticed that there is a setting that delays RADIUS packets for reject responses:

    ==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1

    I assume I need to account for this in the RADIUS round trip time for reject responses.

    The server is being used for a captive portal using On MAC Filter Failure - so it is expected that there will be quite a few reject responses.

    The issue I'm troubleshooting is that a large number of macOS clients are unable to join the network or see the captive portal, whereas all other clients can. So I'm working on the theory that this delay in RADIUS response could be part of the reason.



  • 4.  RE: High RADIUS round trip time between NAS and Clearpass

    Posted Dec 18, 2019 03:41 AM


  • 5.  RE: High RADIUS round trip time between NAS and Clearpass

    Posted Dec 18, 2019 09:12 AM

    @jrwhitehead wrote:

    Are the macOS clients running Catalina?

    Could be this: https://poweruser.blog/macos-catalina-wifi-issue-captive-portal-broken-45610cc016b5?gi=174bbbeb652


    These are macOS Catalina but we also experience the same issue with macOS Mojave.

    I have seen this blog post before and tried all the fixes and we have also upgraded macOS to the latest version, but we are still having the issue.

    I did open a call with Cisco for the controller side and Aruba for the Clearpass side, but so far, they have drawn a blank.

    Cisco have stated that the macOS client will associate to the wireless network but doesn't subsequently perform a DHCP Discover and said I would need to speak to Apple about why that is.

    We do also see the incoming RADIUS packet at the Clearpass and the reject going back again, so we know all of that is working.

    I'm currently working on the theory that perhaps the RADIUS packet is not getting returned to the client quickly enough and perhaps macOS is more sensitive to this than other operating systems.



  • 6.  RE: High RADIUS round trip time between NAS and Clearpass

    Posted Dec 18, 2019 10:17 AM

    I have just updated the Reject Packet Delay attribute on our Clearpass server and it would appear at first pass that this has resolved the issue:

    ==> Administration » Server Manager » Server Configuration || Radius Server || Reject Packet Delay = 1

    Change from 1 to 0.

    The RADIUS round trip time has now fallen to <100 milliseconds.

    I will do further testing to be sure, but it seems that this is the fix.
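
An added example, not part of the original thread and not vendor code: a controller's single "authentication RTT" figure mixes Access-Accept and Access-Reject responses, so splitting RTT by RADIUS response code shows whether the high value comes from rejects held back by a reject delay rather than from network latency. The capture tuples, addresses and function names below are constructed for illustration.

```python
import struct
from collections import defaultdict
from statistics import median

# RADIUS packet codes (RFC 2865 / RFC 2866).
REQUESTS = {1: "Access-Request", 4: "Accounting-Request"}
RESPONSES = {2: "Access-Accept", 3: "Access-Reject",
             5: "Accounting-Response", 11: "Access-Challenge"}

def radius_header(payload):
    """Return (code, identifier) from a RADIUS packet, or None if malformed."""
    if len(payload) < 20:                      # code, id, length, authenticator
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        return None
    return code, ident

def rtt_by_response(packets):
    """packets: (timestamp_ms, nas_socket, udp_payload) in capture order,
    nas_socket being the NAS-side "ip:port". Returns {response: [rtt_ms]}."""
    pending, rtts = {}, defaultdict(list)
    for ts, nas, payload in packets:
        hdr = radius_header(payload)
        if hdr is None:
            continue
        code, ident = hdr
        key = (nas, ident)                     # identifier is unique per socket
        if code in REQUESTS:
            pending.setdefault(key, ts)        # first send, so retransmits count
        elif code in RESPONSES and key in pending:
            rtts[RESPONSES[code]].append(ts - pending.pop(key))
    return dict(rtts)

def median_rtt(packets):
    """Median RTT in ms per response type."""
    return {name: median(v) for name, v in rtt_by_response(packets).items()}

def _pkt(code, ident):                         # constructed 20-byte packet
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample capture (not data from the thread).
SAMPLE = [
    (0, "10.0.0.5:32768", _pkt(1, 10)), (1004, "10.0.0.5:32768", _pkt(3, 10)),
    (2000, "10.0.0.5:32768", _pkt(1, 11)), (2012, "10.0.0.5:32768", _pkt(2, 11)),
    (3000, "10.0.0.5:32769", _pkt(4, 7)), (3004, "10.0.0.5:32769", _pkt(5, 7)),
    (4000, "10.0.0.5:32768", _pkt(1, 12)), (5350, "10.0.0.5:32768", _pkt(3, 12)),
]
```

Calling `median_rtt(SAMPLE)` on this constructed capture puts the Access-Reject median above one second while Access-Accept and Accounting-Response stay in the low milliseconds, which is the pattern a server-side reject delay would produce.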