Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

[ NPS Policy Limits // MC Role Latency ]

  • 1.  [ NPS Policy Limits // MC Role Latency ]

    Posted Jul 03, 2020 11:07 AM

    Hello,

     

    I was curious if there was a suggested limit to MC Roles in a 7210 Active-Active setup?

     

    I've got around 400 APs; ~3200 Clients on any given day and I would like to have very granular roles.

     

    Currently I have 85 with a new system I'm developing (including the defaults) and I have around 50 NPS policies.

     

    Has anyone configured something this granular, is it a bad practice, and should I expect to experience latency?

     

    My Airwave Clarity checks indicate authentications from 30ms-500ms.



  • 2.  RE: [ NPS Policy Limits // MC Role Latency ]

    EMPLOYEE
    Posted Jul 03, 2020 11:48 AM

    My opinion:

    I have never had a customer that had so many rules in NPS, so I cannot comment on the latency. The limit would be in the administrator and his/her staff being able to troubleshoot so many rules. If an end-user complains that they cannot access something, it would require someone who has access to the controller and NPS to determine (1) what role does the user need to be in, (2) is the user ending up in that role, (3) does there need to be a third role to solve the user's issue, (4) is the role even responsible for the user's issue. It just becomes too complicated to troubleshoot on a daily basis for the typical overwhelmed administrator.



  • 3.  RE: [ NPS Policy Limits // MC Role Latency ]

    Posted Jul 03, 2020 01:45 PM

    I see.

     

    Actually I built these rules for my own sanity, and also in hopes that our Techs would start to learn or understand wireless functionality via Read-Only Airwave access.

     

    Prior to this configuration, a device would just be listed as "ComputerAuth"; or user as "Staff"; I've defined roles based on device type, user type, and location in the titles to help me better identify and troubleshoot.

     

    I've built granular groups on the back end most of which only have 1 member, which is the service account for something like an iPad to authenticate.

     

    On my active clients currently, the clarity even has these authentication times at below 10ms now.



  • 4.  RE: [ NPS Policy Limits // MC Role Latency ]

    EMPLOYEE
    Posted Jul 03, 2020 01:48 PM

    You shouldn't have any problems, then.

     

    Have a good weekend.



  • 5.  RE: [ NPS Policy Limits // MC Role Latency ]

    Posted Jul 03, 2020 02:01 PM

    Gotcha.

     

    I'm curious if it correlates with the granularity though?

     

    I.e. traffic hits NPS

     

    NPS evaluates multiple smaller groups faster than fewer large groups?

     



  • 6.  RE: [ NPS Policy Limits // MC Role Latency ]

    EMPLOYEE
    Posted Jul 03, 2020 05:27 PM

    I wish I knew.

     

    Maybe someone can weigh in.



  • 7.  RE: [ NPS Policy Limits // MC Role Latency ]

    Posted Jul 05, 2020 10:32 AM

    I'm not sure that is something often done when using NPS (due to it being awesomely crappy (TM)) and as such the answers could be hard to get. Most of my customers run with 3-5 roles when they have NPS and when migrating to Aruba ClearPass that will increase a lot, though not to 85.

     

    I think my sanity would be stretched if I had a matrix to deal with 85 roles in NPS, and I guess that would apply even using ClearPass and downloadable user-roles.

     

    If you can keep an authentication below 200ms then you're golden, and since you're saying 10ms then you don't have a problem.



  • 8.  RE: [ NPS Policy Limits // MC Role Latency ]

    Posted Jul 05, 2020 04:26 PM

    From a perspective of unique rules there's really only 3 roles, which equate to Machine Authenticated, Staff User, Student User.

     

    I've just created that many roles based on the NPS evaluations and the VSA they return.

     

    i.e.

     

    Campus A Student Test:

     

    Student A - AD\StudentAGroup

    Grant

    Return VSA 1; Student A

    Airwave displays: Student A User

     

    Alternatively, MacBooks will show as Campus B Staff MacBook in Airwave, as opposed to just Machine Authenticated; etc.