Wireless Access


Disconnection from the network with reason=logon role lifetime reached

  • 1.  Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 11, 2013 03:36 AM

    Hi,

     

    I experience some problems with a controller.

    The users are disconnected from the network resources (file sharing, TSE session...) after a certain amount of time. This happens every time, with any type of devices/manufacturers.

     

    Please see the logs in the attachment, taken when a user is disconnected.

     

     

    The AP broadcasts just one SSID, with WPA-PSK authentication, nothing more (no custom role, no MAC authentication, just a basic setup).

     

    Hope you can help me with this problem.

     

    Thanks in advance.

     

    Edit: I upgraded the controller to the latest version (6.1.3.7); nothing changed.

    Attachment(s): LOG3.txt (1 KB)


  • 2.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 11, 2013 08:31 AM

    The logon user lifetime is described as follows:

     

    Logon User Lifetime:

    Maximum time, in minutes, unauthenticated clients are allowed to remain
    logged on.
    Range: 0–255
    Default: 5 minutes

     

    Have you made any changes to the logon role, maybe, so that the users stay in that initial role and do no authentication, and are then disconnected when the maximum time is reached?

    Can you show us the configuration of the VAP in question?



  • 3.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 11, 2013 09:08 AM

    Thanks for your answer. Please find some information about the VAP and aaa profiles.

    I didn't do the installation, but I don't see any modification of the aaa default settings anywhere...

     

     

    wlan virtual-ap "PROFILE_SAINT_ROMAIN"
       aaa-profile "default-dot1x-psk"
       ssid-profile "SSID_SAINT_ROMAIN"
       vlan 172
    !

     

     

    #show aaa timers

    User idle timeout = 300 seconds
    Auth Server dead time = 10 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 600 seconds

     

    #show aaa profile "default-dot1x-psk"

    AAA Profile "default-dot1x-psk" (Predefined (editable))
    -------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Initial role                                       logon
    MAC Authentication Profile                         N/A
    MAC Authentication Server Group                    default
    802.1X Authentication Profile                      default-psk
    802.1X Authentication Server Group                 N/A
    L2 Authentication Fail Through                     Disabled
    RADIUS Accounting Server Group                     N/A
    RADIUS Interim Accounting                          Disabled
    User derivation rules                              N/A
    Wired to Wireless Roaming                          Enabled
    Device Type Classification                         Enabled
    Enforce DHCP                                       Disabled

    #show wlan virtual-ap "PROFILE_SAINT_ROMAIN"       

    Virtual AP profile "PROFILE_SAINT_ROMAIN"
    -----------------------------------------
    Parameter                                           Value
    ---------                                           -----
    Virtual AP enable                                   Enabled
    Allowed band                                        all
    AAA Profile                                         default-dot1x-psk
    802.11K Profile                                     default
    SSID Profile                                        SSID_SAINT_ROMAIN
    VLAN                                                172
    Forward mode                                        tunnel
    Deny time range                                     N/A
    Mobile IP                                           Enabled
    HA Discovery on-association                         Disabled
    DoS Prevention                                      Disabled
    Station Blacklisting                                Enabled
    Blacklist Time                                      3600 sec
    Dynamic Multicast Optimization (DMO)                Disabled
    Dynamic Multicast Optimization (DMO) Threshold      6
    Authentication Failure Blacklist Time               3600 sec
    Strict Compliance                                   Disabled
    VLAN Mobility                                       Disabled
    Preserve Client VLAN                                Disabled
    Remote-AP Operation                                 standard
    Drop Broadcast and Multicast                        Disabled
    Convert Broadcast ARP requests to unicast           Enabled
    Disable conversion multicast RA packets to unicast  Disabled
    Deny inter user traffic                             Disabled
    Band Steering                                       Disabled
    Steering Mode                                       prefer-5ghz
    WMM Traffic Management Profile                      N/A



  • 4.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 02:28 AM

    Any idea what it could be?



  • 5.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 05:48 AM

    Change the initial role in the default-dot1x-psk AAA profile to something else, like "authenticated".

     



  • 6.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 09:23 AM

    It seems to be working...

    I changed to "guest-logon" (I don't have the authenticated profile) and I have no more disconnections. Before that, the users couldn't transfer a file larger than 50MB, and now we tried with a 3GB file and it's OK....

     

    I don't really understand why... What I don't understand either is why some of the users got an L3 role = logon, and others L3 role = guest-logon.

     

    Hope you can help me.

     

    #show user-table ip 192.168.172.192


    Name: , IP: 192.168.172.192, MAC: 00:26:82:f7:14:56, Role:guest-logon, ACL:1/0, Age: 00:00:48
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g, reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 172, Assigned: 0, Current: 172 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1040, Port=0x10f6 (tunnel 118)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: logon
    Essid: Hopital Saint Romain, Bssid: d8:c7:c8:0b:29:90 AP name/group: WT.0.2/CH_SAINT_ROMAIN Phy-type: g
    RadAcct sessionID:n/a
    RadAcct Traffic In 3386969/451011921 Out 2232136/182111465 (51:44633/0:0:6881:58705,34:3912/0:0:2778:52457)
    Timers: ping_reply 0, spoof reply 0, reauth 0
    Profiles AAA:default-dot1x-psk, dot1x:default-psk, mac: CP: def-role:'guest-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1365768888 (Fri Apr 12 14:14:48 2013)
    Core User Born: 1365767300 (Fri Apr 12 13:48:20 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 192.168.172.192, from DHCP server 192.168.172.254
    Device Type: Windows-Update-Agent

     

     

    #show user-table ip 192.168.172.188


    Name: , IP: 192.168.172.188, MAC: ac:81:12:db:15:04, Role:guest-logon, ACL:6/0, Age: 00:00:05
    Authentication: No, status: not started, method: , protocol: , server:
    Role Derivation: AAA profile default role
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g, reauth: 0, BW Contract: up:0 down:0, user-how: 14
    Vlan default: 172, Assigned: 0, Current: 172 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1040, Port=0x10b3 (tunnel 51)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: guest-logon
    Essid: Hopital Saint Romain, Bssid: d8:c7:c8:0b:2b:00 AP name/group: WT.1.3/CH_SAINT_ROMAIN Phy-type: g
    RadAcct sessionID:n/a
    RadAcct Traffic In 1359/328586 Out 1593/1538224 (0:1359/0:0:5:906,0:1593/0:0:23:30896)
    Timers: ping_reply 0, spoof reply 0, reauth 0
    Profiles AAA:default-dot1x-psk, dot1x:default-psk, mac: CP: def-role:'guest-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
    IP Born: 1365772286 (Fri Apr 12 15:11:26 2013)
    Core User Born: 1365772285 (Fri Apr 12 15:11:25 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 192.168.172.188, from DHCP server 192.168.172.254
    Device Type: Windows-RSS-Platform/2.0 (MSIE 8.0; Windows NT 6.1)
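
The `show user-table` output posted above can be triaged with a small parser. This is an added example, not code from the thread or from the vendor: it lists stations that are not authenticated and stations whose L2 and L3 roles differ. The sample records are constructed and abridged, and the field layout is assumed to match the output shown in this thread.

```python
import re

# Constructed sample: same field layout as the "show user-table ip" output
# posted in this thread, abridged to the lines the parser reads.
SAMPLE = """\
Name: , IP: 192.0.2.10, MAC: 02:00:00:00:00:01, Role:guest-logon, ACL:1/0, Age: 00:00:48
Authentication: No, status: not started, method: , protocol: , server:
    Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: logon
Name: , IP: 192.0.2.11, MAC: 02:00:00:00:00:02, Role:guest-logon, ACL:6/0, Age: 00:00:05
Authentication: No, status: not started, method: , protocol: , server:
    Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: guest-logon
"""

FIELDS = {
    "ip": re.compile(r"\bIP: (\S+?),"),
    "mac": re.compile(r"\bMAC: ([0-9a-fA-F:]{17})"),
    "authentication": re.compile(r"^\s*Authentication: (\w+)", re.M),
    "role": re.compile(r"Current Role name: ([^,\s]+)"),
    "l2_role": re.compile(r"L2-role: ([^,\s]+)"),
    "l3_role": re.compile(r"L3-role: ([^,\s]+)"),
}

def parse_user_table(text):
    """Split the output into per-station records and pull out the role fields."""
    records = []
    # Each record begins with a "Name: ..., IP: ..." line.
    for block in re.split(r"(?m)^(?=[ \t]*Name: )", text):
        if "IP:" not in block:
            continue
        rec = {}
        for key, rx in FIELDS.items():
            match = rx.search(block)
            rec[key] = match.group(1) if match else None  # None: field absent
        records.append(rec)
    return records

def findings(records):
    """Return (ip, note) pairs for stations worth a closer look."""
    notes = []
    for r in records:
        if r["authentication"] != "Yes":
            notes.append((r["ip"], f"not authenticated, role {r['role']}"))
        if r["l2_role"] != r["l3_role"]:
            notes.append((r["ip"], f"L2-role {r['l2_role']} != L3-role {r['l3_role']}"))
    return notes

if __name__ == "__main__":
    for ip, note in findings(parse_user_table(SAMPLE)):
        print(ip, note)
```
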



  • 7.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 09:26 AM

    Type "show rights" to see what roles you have.  guest-logon might not be the best role.  You can create a role with just the "allowall" acl and then change the initial role to that role.

     

    Your change to the AAA profile will only take effect for new users that associate.  If you do an "aaa user delete all", it will make all users reconnect, and they should get the new role.  (This will cause a momentary 1 minute outage for all your users, so decide when you want to do this.)

     



  • 8.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 09:36 AM

    I tried to create a role with the 'allowall' acl, but I think I don't have the license to do it.

    On the GUI, the "Apply" button is grayed out, and in the CLI the "user-role" command is not recognized.

     

    That's why I tried with guest-logon. See below the other roles I have.

     

    #show rights

    RoleTable
    ---------
    Name            ACL  Bandwidth                  ACL List                  Type
    ----            ---  ---------                  --------                  ----
    ap-role         4    Up: No Limit,Dn: No Limit                            System
    cpbase          14   Up: No Limit,Dn: No Limit  cpbase/                   User
    denyall         12   Up: No Limit,Dn: No Limit  denyall/                  User
    guest           3    Up: No Limit,Dn: No Limit                            User
    guest-logon     6    Up: No Limit,Dn: No Limit                            User
    logon           1    Up: No Limit,Dn: No Limit                            User
    stateful-dot1x  5    Up: No Limit,Dn: No Limit                            System
    sys-ap-role     7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/  System (not editable)



  • 9.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 09:39 AM

    Okay.  You don't have the PEFNG license.

    You should be okay, then.

     



  • 10.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 09:42 AM

    Do you have an idea why the logon role doesn't work here?



  • 11.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 09:43 AM

    I don't have much experience working without the PEFNG license, but usually any user in the logon role gets disconnected after a certain amount of time.  Production users should not be in the logon role.

     



  • 12.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 09:50 AM

    That's the first time I got this problem, for the other installations I did. I left the role at logon (because I don't really have the choice) :)

     

    Do you think this guest-logon will be more stable?



  • 13.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 09:51 AM

    Please observe it over the next few days to make sure everything is okay.

     



  • 14.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 09:52 AM

    I will, thanks for your help.

     

    I'll come back to you in a few days.



  • 15.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 10:26 AM

    I didn't have to wait too long...

     

    Same thing with guest-logon...

     

    Apr 12 16:02:31     authmgr    MAC=00:26:82:f7:14:56,IP=0.0.0.0 User role updated, existing Role=guest-logon/logon, new Role=guest-logon/guest-logon, reason=First IP user created
    Apr 12 16:02:31     authmgr    MAC=00:26:82:f7:14:56 IP=192.168.172.192 User entry added: reason=Sibtye
    Apr 12 16:02:31     authmgr    MAC=00:26:82:f7:14:56,IP=192.168.172.192 User role updated, existing Role=guest-logon/guest-logon, new Role=guest-logon/guest-logon, reason=User not authenticated for inheriting attributes
    Apr 12 16:02:31     authmgr    MAC=00:26:82:f7:14:56,IP=192.168.172.192 User data downloaded to datapath, new Role=guest-logon/6, bw Contract=0/0,reason=New user IP processing



  • 16.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 10:42 AM

    What is the problem?

     



  • 17.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 10:45 AM

    The users are disconnected when they try to copy a file from the network (or, for others, they are disconnected from their TSE session).



  • 18.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 12, 2013 10:47 AM

    What is their DHCP lease time? And how long has this been happening?

     

     



  • 19.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 12, 2013 01:19 PM

    The DHCP lease time is the default one, and from what I know it has always been happening.



  • 20.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 13, 2013 10:19 AM

    Okay.  How long is that, and how long has the network been installed?

     

    If you want faster, more personal attention, you should open a support case so that they can get to the bottom of this.

     



  • 21.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 15, 2013 03:40 AM

    The controller has been installed for 1 year and the users are only complaining about this now.

     

    I will open a support case, and come back to you with their answer (I hope). Thanks anyway, and if you have any other ideas to help me resolve this, please don't hesitate.

     

     



  • 22.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 15, 2013 03:23 AM
    Hi Joseph,

    What does 'bw Contract=0/0' mean?


  • 23.  RE: Disconnection from the network with reason=logon role lifetime reached

    EMPLOYEE
    Posted Apr 15, 2013 06:44 AM

    @syedmuradali wrote:
    Hi Joseph,

    What does 'bw Contract=0/0' mean?

    No bandwidth contract assigned.

     



  • 24.  RE: Disconnection from the network with reason=logon role lifetime reached

    Posted Apr 16, 2013 12:37 AM
    Thanks :-)