Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Radius Auth Spam

This thread has been viewed 0 times

  • 1.  Radius Auth Spam

    Posted Apr 15, 2014 03:10 PM

    Hey guys,

     

    Just another quick one; we have a number of desktops that are using a Wifi dongle to connect to our 802.1X network, and we're noticing that these devices are authenticating to Radius (ClearPass) 5-6 times every 30-60 seconds. Now, I can only assume that these dongles are being thrown around from AP to AP due to Client Match and that each time it switches it's going to have to reauth (tried using 802.11r to compensate for this, but the network is just too large for it to be viable), but other than pushing something through our registry management tool to change the roaming tendancies on all of the dongle's drivers, is there something else that I can look at that'll help me figure out why these devices are having to re-auth so much?

     

    Thank you!



  • 2.  RE: Radius Auth Spam

    EMPLOYEE
    Posted Apr 15, 2014 04:09 PM

    Let's start with the type of dongle and the driver version...



  • 3.  RE: Radius Auth Spam

    Posted Apr 15, 2014 04:18 PM

    Sure. The dongle is the Netgear A6200 with the latest driver from Netgear's website.



  • 4.  RE: Radius Auth Spam

    EMPLOYEE
    Posted Apr 15, 2014 06:16 PM

    1.  Get the mac address of a device with the problem

    2.  execute "show ap arm client-match history client-mac <client-mac> " to see if clientmatch is even involved



  • 5.  RE: Radius Auth Spam

    Posted Apr 16, 2014 12:07 PM

    Colin,

     

    I've got one event showing Client Match moving this device to another AP, and it was successful (via CLI).

     

    From the GUI, I can confirm seeing the same (1 of 1 CM successful).

     

    However, via ClearPass, I see this machine re-authing (rekeying) every 15-30 seconds, sometimes more. What else should I check for?

     

    Thanks!



  • 6.  RE: Radius Auth Spam

    EMPLOYEE
    Posted Apr 16, 2014 12:12 PM
    How much coverage do you have? How many access points you can see from your location? What is the power level on your access points in the area and how far apart are they?


  • 7.  RE: Radius Auth Spam

    Posted Apr 16, 2014 12:30 PM

    Coverage minimum is -65dBm on both 2.4GHz and 5.0GHz, with Band Steer for a-radio set preferentially. There are 3 other APs within range of this dongle. Power levels are being managed by ARM, and all are within normal limits. The APs are roughly 60-75ft apart from one another.



  • 8.  RE: Radius Auth Spam

    EMPLOYEE
    Posted Apr 16, 2014 12:33 PM

    Normal limits is different for everyone.  What power are your access points currently?



  • 9.  RE: Radius Auth Spam

    Posted Apr 16, 2014 12:43 PM

    True. On the floor where the device is, our APs are transmitting at 9 dbm on g and 22 dbm on a.