Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Thousands of wlsxNUserAuthenticationFailed SNMP traps for users failing on OPEN SSID

  • 1.  Thousands of wlsxNUserAuthenticationFailed SNMP traps for users failing on OPEN SSID

    Posted Apr 18, 2017 05:41 AM

    Hi,

     

    I have configured an open SSID with MAC-authentication. It's working fine for the users whose MAC addresses are added to the controller's local database. However, for other users who fail when attempting association on this open SSID, there are thousands of SNMP traps generated every hour. This is quite a high number.

    Below is my configuration, please suggest if I am missing something in my configuration for achieving mac-authentication with open SSID.

     

    Any suggestions, please let me know.

    (WLC_0001) #show wlan virtual-ap OPEN-SSID-vap_prof

    Virtual AP profile "OPEN-SSID-vap_prof"
    -------------------------------------
    Parameter                                       Value
    ---------                                       -----
    AAA Profile                                     OPEN-SSID-aaa_prof
    802.11K Profile                                 default
    Hotspot 2.0 Profile                             N/A
    SSID Profile                                    OPEN-SSID-ssid_prof
    Virtual AP enable                               Enabled
    VLAN                                            822
    Forward mode                                    tunnel
    Allowed band                                    all
    Band Steering                                   Disabled
    Cellular handoff assist                         Disabled
    Steering Mode                                   balance-bands
    Dynamic Multicast Optimization (DMO)            Disabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Drop Broadcast and Unknown Multicast            Disabled
    Convert Broadcast ARP requests to unicast       Enabled
    Authentication Failure Blacklist Time           3600 sec
    Blacklist Time                                  3600 sec
    Deny inter user traffic                         Disabled
    Deny time range                                 N/A
    DoS Prevention                                  Disabled
    HA Discovery on-association                     Enabled
    Mobile IP                                       Enabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Station Blacklisting                            Enabled
    Strict Compliance                               Disabled
    VLAN Mobility                                   Disabled
    WAN Operation mode                              always
    FDB Update on Assoc                             Disabled
    WMM Traffic Management Profile                  N/A
    Anyspot profile                                 N/A




    (WLC_0001) # show aaa profile OPEN-SSID-aaa_prof

    AAA Profile "OPEN-SSID-aaa_prof"
    ------------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        denyall
    MAC Authentication Profile          OPEN-SSID-USERS-Altai
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     internal
    802.1X Authentication Profile       dot1x_prof-iwj39
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    Download Role from CPPM             Disabled
    Set username from dhcp option 12    Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    Max IPv4 for wireless user          2
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled
    Open SSID radius accounting         Disabled

    (WLC_0001) #

    (WLC_0001) #show wlan ssid-profile OPEN-SSID-ssid_prof

    SSID Profile "OPEN-SSID-ssid_prof"
    --------------------------------
    Parameter                                         Value
    ---------                                         -----
    SSID enable                                       Enabled
    ESSID                                             OPEN-SSID
    Encryption                                        opensystem
    Enable Management Frame Protection                Disabled
    Require Management Frame Protection               Disabled
    DTIM Interval                                     1 beacon periods
    802.11a Basic Rates                               6 9
    802.11a Transmit Rates                            6 9 12 18 24 36 48 54
    802.11g Basic Rates                               2 5
    802.11g Transmit Rates                            2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time                               1000 sec
    Max Transmit Attempts                             8
    RTS Threshold                                     2333 bytes
    Short Preamble                                    Enabled
    Max Associations                                  64
    Wireless Multimedia (WMM)                         Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave  Enabled
    WMM TSPEC Min Inactivity Interval                 0 msec
    Override DSCP mappings for WMM clients            Disabled
    DSCP mapping for WMM voice AC (0-63)              N/A
    DSCP mapping for WMM video AC (0-63)              N/A
    DSCP mapping for WMM best-effort AC (0-63)        N/A
    DSCP mapping for WMM background AC (0-63)         N/A
    Multiple Tx Replay Counters                       Disabled
    Hide SSID                                         Disabled
    Deny_Broadcast Probes                             Disabled
    Local Probe Request Threshold (dB)                0
    Auth Request Threshold (dB)                       0
    Disable Probe Retry                               Enabled
    Battery Boost                                     Disabled
    WEP Key 1                                         N/A
    WEP Key 2                                         N/A
    WEP Key 3                                         N/A
    WEP Key 4                                         N/A
    WEP Transmit Key Index                            1
    WPA Hexkey                                        N/A
    WPA Passphrase                                    ********
    Maximum Transmit Failures                         0
    EDCA Parameters Station profile                   N/A
    EDCA Parameters AP profile                        N/A
    BC/MC Rate Optimization                           Disabled
    Rate Optimization for delivering EAPOL frames     Enabled
    Strict Spectralink Voice Protocol (SVP)           Disabled
    High-throughput SSID Profile                      OPEN-SSID-htssid_prof
    802.11g Beacon Rate                               12
    802.11a Beacon Rate                               12
    Video Multicast Rate Optimization                 default
    Advertise QBSS Load IE                            Disabled
    Advertise Location Info                           Disabled
    Advertise AP Name                                 Disabled
    802.11r Profile                                   N/A
    Enforce user vlan for open stations               Disabled
    Enable OKC                                        Enabled

    (WLC_0001) #



  • 2.  RE: Thousands of wlsxNUserAuthenticationFailed SNMP traps for users failing on OPEN SSID

    EMPLOYEE
    Posted Apr 18, 2017 05:52 AM

    If you have:

    - An Open SSID

    - Many users that could pass by that could see and connect

     

    You will have many MAC authentication failures, because many devices are configured to connect to an open network automatically.



  • 3.  RE: Thousands of wlsxNUserAuthenticationFailed SNMP traps for users failing on OPEN SSID

    Posted Apr 18, 2017 08:20 AM

    Thanks Joseph.

     

    Will it not have any processing impact on Controller?

     

    I see over 1000 of these traps generated every hour in a setup of over 200 APs. Should I consider it as an obvious behaviour?

     

    Also, I have pasted the configuration that I have for the VAP profile; please suggest if that's in accordance with the recommended practice from Aruba.



  • 4.  RE: Thousands of wlsxNUserAuthenticationFailed SNMP traps for users failing on OPEN SSID

    EMPLOYEE
    Posted Apr 18, 2017 09:49 AM

    I don't suggest doing mac authentication on an open SSID.  If you create a preshared key, you will not see as many mac authentication requests.  I don't think Aruba has a position on that topic.
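
Added example (not part of any post in this thread, and not Aruba code): a small parser for the `show ... profile` tables pasted in the first post, which flags the pairing the last reply advises against, an `opensystem` SSID combined with a MAC authentication profile. The function names are hypothetical, the sample is an excerpt of the values posted above, and treating `N/A` as "not set" is an assumption.

```python
import re

# Excerpt of the controller output posted in this thread (values copied from the page).
SAMPLE = """\
(WLC_0001) # show aaa profile OPEN-SSID-aaa_prof

AAA Profile "OPEN-SSID-aaa_prof"
------------------------------
Parameter                           Value
---------                           -----
Initial role                        denyall
MAC Authentication Profile          OPEN-SSID-USERS-Altai
L2 Authentication Fail Through      Disabled

(WLC_0001) #show wlan ssid-profile OPEN-SSID-ssid_prof

SSID Profile "OPEN-SSID-ssid_prof"
--------------------------------
Parameter                                         Value
---------                                         -----
ESSID                                             OPEN-SSID
Encryption                                        opensystem
"""

def parse_profiles(text):
    """Return {(kind, name): {parameter: value}} from 'show ... profile' tables."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'^(.+ [Pp]rofile) "([^"]+)"$', line)
        if header:
            current = profiles.setdefault((header.group(1), header.group(2)), {})
        elif line.startswith("("):
            current = None          # a CLI prompt ends the previous table
        elif current is not None and line and not line.startswith("---"):
            # Parameter and value columns are separated by two or more spaces.
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2 and parts[0] != "Parameter":
                current[parts[0]] = parts[1]
    return profiles

def open_ssid_mac_auth(profiles):
    """Flag an opensystem SSID whose AAA profile has MAC authentication set."""
    # Assumption: the parsed AAA and SSID profiles belong to the same virtual AP.
    kinds = {kind: params for (kind, _), params in profiles.items()}
    ssid, aaa = kinds.get("SSID Profile", {}), kinds.get("AAA Profile", {})
    is_open = ssid.get("Encryption") == "opensystem"
    mac_auth = aaa.get("MAC Authentication Profile", "N/A") != "N/A"
    return {"essid": ssid.get("ESSID"), "open": is_open,
            "mac_auth": mac_auth, "flag": is_open and mac_auth}
```

A flagged SSID is one where every device that auto-joins open networks triggers a MAC authentication attempt, which is the source of the trap volume discussed in the replies.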