Wireless Access

Occasional Contributor II

[ NPS Policy Limits // MC Role Latency ]

Hello,

 

I was curious if there was a suggested limit to MC Roles in a 7210 Active-Active setup?

 

I've got around 400 APs; ~3200 Clients on any given day and I would like to have very granular roles.

 

Currently I have 85 with a new system I'm developing (including the defaults) and I have around 50 NPS policies.

 

Has anyone configured something this granular, is it a bad practice, and should I expect to experience latency?

 

My Airwave Clarity checks indicate authentications from 30ms-500ms

Guru Elite

Re: [ NPS Policy Limits // MC Role Latency ]

My opinion:

I have never had a customer that had so many rules in NPS, so I cannot comment on the latency.  The limit would be in the administrator and his/her staff being able to troubleshoot so many rules.  If an end-user complains that they cannot access something, it would require someone who has access to the controller and NPS to determine (1) what role does the user need to be in (2) Is the user ending up in that role (3) does there need to be a third role to solve the user's issue (4) Is the role even responsible for the user's issue.  It just becomes too complicated to troubleshoot on a daily basis for the typical overwhelmed administrator.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Occasional Contributor II

Re: [ NPS Policy Limits // MC Role Latency ]

I see.

 

Actually, I built these rules for my own sanity, and also in hopes that our Techs would start to learn or understand wireless functionality via Read-Only Airwave access.

 

Prior to this configuration, a device would just be listed as "ComputerAuth"; or user as "Staff"; I've defined roles based on device type, user type, and location in the titles to help me better identify and troubleshoot.

 

I've built granular groups on the back end, most of which only have 1 member, which is the service account for something like an iPad to authenticate.

 

On my active clients currently, the clarity even has these authentication times at below 10ms now.

Guru Elite

Re: [ NPS Policy Limits // MC Role Latency ]

You shouldn't have any problems, then.

 

Have a good weekend.


Occasional Contributor II

Re: [ NPS Policy Limits // MC Role Latency ]

Gotcha.

 

I'm curious if it correlates with the granularity though?

 

I.e., traffic hits NPS

 

NPS evaluates multiple smaller groups faster than fewer large groups?

 

Guru Elite

Re: [ NPS Policy Limits // MC Role Latency ]

I wish I knew.

 

Maybe someone can weigh in.


MVP

Re: [ NPS Policy Limits // MC Role Latency ]

I'm not sure that is something often done when using NPS (due to it being awesomely crappy (TM)) and as such the answers could be hard to get. Most of my customers run with 3-5 roles when they have NPS, and when migrating to Aruba ClearPass that will increase a lot, tho not to 85.

 

I think my sanity would be stretched if I had a matrix to deal with 85 roles in NPS, and I guess that would apply even using ClearPass and downloadable user-roles.

 

If you can keep an authentication below 200ms then you're golden, and since you're saying 10ms then you don't have a problem.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II

Re: [ NPS Policy Limits // MC Role Latency ]

From a perspective of unique rules there's really only 3 roles, which equate to Machine Authenticated, Staff User, Student User.

 

I've just created that many roles based on the NPS evaluations and the VSA they return.

 

i.e.

 

Campus A Student Test:

 

Student A - AD\StudentAGroup

Grant

Return VSA 1; Student A

Airwave displays: Student A User

 

Alternatively; MacBooks will show as Campus B Staff MacBook in Airwave, as opposed to just Machine Authenticated; etc.
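
Added example, not part of the thread and not any poster's code: with this many policies, the quickest way to answer "is the user ending up in that role" is to decode the role attribute from a captured Access-Accept and compare it with the role you expected. The sketch assumes the "VSA 1" in the post above is Aruba-User-Role (vendor attribute 1 under Aruba's enterprise number 14823, carried in the RFC 2865 Vendor-Specific attribute); the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
ARUBA_VENDOR_ID = 14823  # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1      # assumption: the thread's "VSA 1" is Aruba-User-Role

def encode_role_vsa(role):
    """Build the Vendor-Specific attribute a policy would return for `role`."""
    value = role.encode("utf-8")
    body = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([ARUBA_USER_ROLE, 2 + len(value)]) + value
    if 2 + len(body) > 255:
        raise ValueError("role name too long for one attribute")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def iter_tlvs(data):
    """Yield (type, value) pairs; the length octet covers the 2-byte header."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def returned_roles(attrs):
    """Return every Aruba-User-Role string found in an attribute block."""
    roles = []
    for atype, value in iter_tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        roles += [v.decode("utf-8", "replace") for t, v in iter_tlvs(value[4:]) if t == ARUBA_USER_ROLE]
    return roles

def check_role(attrs, expected):
    """Answer 'is the user ending up in that role?' for one Access-Accept."""
    roles = returned_roles(attrs)
    if not roles:
        return "no role returned"
    return "ok" if roles == [expected] else "unexpected role: " + ", ".join(roles)

# Constructed sample: a Class attribute (type 25) followed by the role VSA.
SAMPLE = bytes([25, 6]) + b"nps1" + encode_role_vsa("Student A")

if __name__ == "__main__":
    print(check_role(SAMPLE, "Student A"))
```

The attribute block passed to `check_role` is everything after the 20-byte RADIUS packet header.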

 
