Wireless Access

Hi,

From time to time I have a few clients that can't connect to my wireless network.   Out of 150 clients per day, I woud say that I hear of five or siz people per week that have problems connecting.  All have up-to-date drivers and the types of users and laptops  vary.  If I could pinpoint anything, I'd say it tends to happen more when a user goes from being docked on the wired network to being on wireless as they move to a meeting room.

It is proving very difficult to nail down, but I believe it has something to do with how the Aruba controllers is talking to my Windows RADIUS servers.   On one particular occasion, I had a client which wouldn't connect, even without a reboot.  So I switched the RADIUS server order around in my RADIUS server group, and the client connected right away.

I setup client debugging and what I see is that the client associates, but then times out and deauths itself.   A sh auth-tracebuf shows the EAP exchange start, but after the controller sends an EAP-REQ, it receives no response from the client.

I noticed the following statistics on the controller in regards to RADIUS , and it has high timeouts as well as showing the RADIUS. servers up for only a short amount of time.

One of the RADIUS servers is on the same LAN as the controller, the other is in the US accessed via a WAN link.  

I've had the Windows guys log everything, but they can't seem to find anything wrong.

Here's some output, I would appreciate any help with trying to work this out.   We are running AOS6.1.3.3

RADIUS Server Statistics
------------------------
Statistics             ukradius0  usradius3
----------             --------  --------
Accounting Requests    12621     16170
Raw Requests           203134    233577
PAP Requests           0         0
CHAP Requests          0         0
MS-CHAP Requests       0         0
MS-CHAPv2 Requests     0         0
Mismatch Response      7         2
Bad Authenticator      0         0
Access-Accept          12837     13920
Access-Reject          798       811
Accounting-Response    12621     16170
Access-Challenge       188658    217231
Unknown Response code  0         0
Timeouts               3378      6505
AvgRespTime (ms)       11        115
Total Requests         215755    249747
Total Responses        214921    248134
Uptime (d:h:m)         0:0:5     0:1:39
SEQ Total/Free         255/255   255/255

What does your aaa authentication dot1x profile look like? We successfully used Microsoft NPS before we moved to ClearPass Policy Manager as our RADIUS server.

Aruba has not chosen reasonable default values in the dot1x authentication profile.

Here is our current dot1x authentication profile.

aaa authentication dot1x <insert your name here>
machine-authentication machine-default-role "denyall-role"
machine-authentication user-default-role "denyall-role"
timer idrequest_period 5
timer quiet-period 3
server server-retry-period 5
server server-retry 3
max-requests 5
timer wpa-key-period 2000
timer wpa2-key-delay 100
timer wpa-groupkey-delay 100
wpa-key-retries 2
validate-pmkid

Bruce Osborne

Liberty University

HI Bruce,

Here is our current profile, it looks a bit different to yours, any particular settings that you'd recommend we change ?

802.1X Authentication Profile "global-802.1x-default-auth-profile"
------------------------------------------------------------------
Parameter                                                  Value
---------                                                  -----
Max authentication failures                                0
Enforce Machine Authentication                             Disabled
Machine Authentication: Default Machine Role               guest
Machine Authentication Cache Timeout                       24 hr(s)
Blacklist on Machine Authentication Failure                Disabled
Machine Authentication: Default User Role                  guest
Interval between Identity Requests                         30 sec
Quiet Period after Failed Authentication                   30 sec
Reauthentication Interval                                  86400 sec
Use Server provided Reauthentication Interval              Disabled
Multicast Key Rotation Time Interval                       1800 sec
Unicast Key Rotation Time Interval                         900 sec
Authentication Server Retry Interval                       30 sec
Authentication Server Retry Count                          2
Framed MTU                                                 1100 bytes
Number of times ID-Requests are retried                    3
Maximum Number of Reauthentication Attempts                3
Maximum number of times Held State can be bypassed         0
Dynamic WEP Key Message Retry Count                        1
Dynamic WEP Key Size                                       128 bits
Interval between WPA/WPA2 Key Messages                     1000 msec
Delay between EAP-Success and WPA2 Unicast Key Exchange    0 msec
Delay between WPA/WPA2 Unicast Key and Group Key Exchange  0 msec
Time interval after which the PMKSA will be deleted        8 hr(s)
WPA/WPA2 Key Message Retry Count                           3
Multicast Key Rotation                                     Disabled
Unicast Key Rotation                                       Disabled
Reauthentication                                           Disabled
Opportunistic Key Caching                                  Enabled
Validate PMKID                                             Disabled
Use Session Key                                            Disabled
Use Static Key                                             Disabled
xSec MTU                                                   1300 bytes
Termination                                                Disabled
Termination EAP-Type                                       N/A
Termination Inner EAP-Type                                 N/A
Token Caching                                              Disabled
Token Caching Period                                       24 hr(s)
CA-Certificate                                             N/A
Server-Certificate                                         N/A
TLS Guest Access                                           Disabled
TLS Guest Role                                             guest
Ignore EAPOL-START after authentication                    Disabled
Handle EAPOL-Logoff                                        Disabled
Ignore EAP ID during negotiation.                          Disabled
WPA-Fast-Handover                                          Disabled
Disable rekey and reauthentication for clients on call     Disabled
Check certificate common name against AAA server           Enabled

I just wanted to add that my NPS servers show an inaccurate uptime as well.  My servers have been up since the weekend, but my controller shows their uptime is around a few hours.  I have some ClearPass servers, and an ACS server, and their uptime appears to be more accurate.  Wondering if this is a bug.

Hi,

I saw something similar - if there's many Radius timeouts, do a Wireshark between controller and WAN Radius and look for "ICMP destination unreachable - fragmentation needed"...that would be symptom.

V.D.

Hi,

Since making the changes last week, my uptime numbers are improved, but I still show the RADIUS servers as being up for only a few hours before they get marked down again.  It's not a fragmentation issue as the controller and one of the RADIUS servers is on the same VLAN.

I haven't heard of any users being unable to connect since I made the change but it's not unusual for them not to report this.

Another point of note,  we also have Cisco autonomous AP's here, which use the same RADIUS servers (we have around 50 RADIUS servers globally) and I checked a few of them today, and they also seem to show a short uptime of a few hours.

So it seems to me it's not just Aruba related, akthough I'm not aware of any users having issues connecting to our Cisco AP's.

Anyone got any ideas as to how to troubleshoot this further ?

Thanks