Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Full 802.1x authentication while clients roam from AP to AP

  • 1.  Full 802.1x authentication while clients roam from AP to AP

    Posted Apr 20, 2016 01:14 PM

    Hey guys,

    I have a customer that has been experiencing issues with their RADIUS servers. After digging a little into the server logs we see a lot of authentications during the day and not only at peaks. After testing we saw that we have a lot of devices hopping from AP to AP (this is a somewhat AP-dense deployment) and we see that almost every time the client hops from AP to AP a full 802.1x authentication to the RADIUS servers happens.

    We don't have Termination enabled and we aren't sure if we want to enable it before we measure the impact of doing it. We will tune the network in terms of data rates so we can stop non-moving devices from hopping between APs, but basically we will still have roaming devices and it would be great if those devices don't have to reauthenticate while they move.



  • 2.  RE: Full 802.1x authentication while clients roam from AP to AP

    EMPLOYEE
    Posted Apr 20, 2016 03:30 PM

    In the 802.1x profile, you need to make sure that OKC (opportunistic key caching) is enabled to prevent the full reauth.  This will only help non-Apple products.

    On your other issue with frequent reauthentication, it typically happens when the power on the access points is too high and the clients jump from AP to AP, even when they are not moving.  Type "show ap arm state ap-name <name of ap>" and see how many access points a single access point can see.  In an ideal world, you don't want any access point seeing another access point on the same channel at 20 SNR or stronger.  In the real world, this will happen on 2.4 GHz in a dense deployment due to the lack of channels, but you can lower the power to minimize it.
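The key-caching check that OKC relies on, as an added example that is not part of the original posts or of any Aruba code: it derives the IEEE 802.11 PMKID and counts how often a roaming client falls back to a full 802.1X exchange. The MAC addresses, the constructed PMKs, the single cache shared by both sides, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, bssid: bytes, sta: bytes) -> bytes:
    """IEEE 802.11 PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + bssid + sta, hashlib.sha1).digest()[:16]

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def full_auth(sta: bytes, bssid: bytes, n: int) -> bytes:
    """Stand-in for an EAP exchange via RADIUS; returns a constructed 32-byte PMK."""
    return hashlib.sha256(b"constructed-msk" + sta + bssid + bytes([n])).digest()

def count_full_auths(path, sta, controller_okc, client_okc):
    """Walk one client along `path` (BSSIDs); return how many times RADIUS is hit."""
    pmksa = {}        # bssid -> PMK, the cache entries both sides hold (simplified)
    latest = None     # most recent PMK from a full authentication
    radius_hits = 0
    for bssid in path:
        # Client: pick the PMK it will name in the (re)association request.
        # An OKC client reuses its latest PMK even for an AP it has never visited.
        key = pmksa.get(bssid) or (latest if client_okc else None)
        offered = pmkid(key, bssid, sta) if key else None
        # Controller: PMKs it is willing to match against for this BSSID.
        candidates = [pmksa.get(bssid), latest if controller_okc else None]
        hit = offered is not None and any(
            k is not None and hmac.compare_digest(offered, pmkid(k, bssid, sta))
            for k in candidates)
        if hit:
            pmksa[bssid] = key          # 4-way handshake only, no EAP
        else:
            radius_hits += 1            # full 802.1X authentication
            latest = full_auth(sta, bssid, radius_hits)
            pmksa[bssid] = latest
    return radius_hits

# Constructed sample data: one client walking past three APs and back.
STA = mac("02:00:00:aa:bb:cc")
AP1, AP2, AP3 = (mac(f"02:00:00:00:00:0{i}") for i in (1, 2, 3))
PATH = [AP1, AP2, AP3, AP2, AP1]

if __name__ == "__main__":
    for ctrl, cli in [(True, True), (True, False), (False, True)]:
        print(f"controller OKC={ctrl} client OKC={cli}:",
              count_full_auths(PATH, STA, ctrl, cli), "full authentications")
```

Because the PMKID binds the PMK to one BSSID and one client MAC, a client that only caches per AP still hits RADIUS once for every new AP, which matches the load pattern described in the first post.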



  • 3.  RE: Full 802.1x authentication while clients roam from AP to AP

    Posted Apr 20, 2016 03:33 PM
    What type of devices are these?

    What type of APs are you using?

    Do you have "validate pmkid" for Apple devices and "OKC" enabled?

    What EIRP levels do you currently have set under ARM?


  • 4.  RE: Full 802.1x authentication while clients roam from AP to AP

    Posted Apr 21, 2016 04:31 PM

    Hi,

    OKC is enabled, but the clients we tested were iOS devices. All the installed base are AP-225s.

    Can we have PMKID enabled while OKC is enabled? I thought we must choose one or the other.



  • 5.  RE: Full 802.1x authentication while clients roam from AP to AP

    Posted Apr 21, 2016 05:10 PM
    You can enable both