Wireless Access

Supposedly 6.1.2.6 added a feature called Software Retries (sw-retry).    I am troubleshooting 802.1x authentication timeout issues with Mac (and some iOS) devices.  I want to turn this feature on, but my 6.1.3.3 installation doesn't seem to have it.  Was this removed somewhere along the line?

From the 6.1.2.6 release notes:

Changes in Retries (AP to Client)
When the client is not responding to 802.11 packets, the AP will launch two hardware retries; if the hardware retries are notsucessful then software retries. Default value of this knob is disabled (see also 58358).
A knob has been added under HT-SSID profile - sw-retry (type: boolean)
To enable:   wlan ht-ssid-profile <profile name> sw-retry
To disable:  wlan ht-ssid-profile <profile name> no sw-retry

Thanks

It is temporal diversity, now, but it should not really affect timeouts.

Do you have OKC unchecked already?

At first I tried validate PMKID with OKC on; but then also tried OKC off.   Neither had any noticeable affect.  Research brought me to what was the sw-retry setting; no Temporal Diversity.   You don't think it won't have any benefit to 802.1x authentications timing out?  

I've had very inconsistent experience, mostly from MacBooks and to some degree to iPads.   I originally thought it to be ClearPass Policy Manager issue, but seemed to have ruled that out with TAC, they wanted to involve the controller team, but I have not gotten to that yet (next step).   I've gone thorugh all the recommendations for Macs that I know of and from this community, but still having the problems.   I am trying to determine if indeed it is Aruba or Apple related.   It's a K-12 with very little Windows; which don't seem to have any issues.

Thanks

Are the timeouts in the Clear Pass Policy Manager or somewhere else?

Yes, CPPM shows Request Timed out waiting for client reply.   The Mac Book clients usually report:  Could not join "NETWORK".  A connection timeout occurred.  

TAC went through all the logs and didnt' see any issues with CPPM and/or AD as back-end.    I started to do some show auth-trace bu commands, but didn't see anything definitive in my eyes; but will share.   Feel free to respond, but I'll probably open a new thread and clomark this sw-retry one as resolved.

Colin, one more thing.  If you had to sum up that setting (temporal diversity); what would you say its benefit is?  What scenario might you see it implemented.

what are your dot1x profile settings for

 Authentication Server Retry Interval  
 Authentication Server Retry Count    

@ariyap

Using the default settings; they have not been changed:

Authentication Server Retry Interval   = 30
Authentication Server Retry Count  = 2

try it with and see if it makes a diff

Authentication Server Retry Interval = 5

Authentication Server Retry Count  =  3       

Not a great group of test users on the weekend, but after changing those retry settings, we still get the timeouts; and this is with about 20 people on an 80 AP network.   I'll work on getting some more debugging on this; but thanks for the suggestion.