Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Unauthenticated clients - cause problems?

  • 1.  Unauthenticated clients - cause problems?

    Posted Jan 24, 2012 10:29 AM

     

    We're running 2 separate wireless networks (internal using PEAP and an open, external using captive portal). 

     

    Could there be any issues with having a large amount of users/devices connecting to the open network and not actually authenticating?  If so, what number would be considered large?

     

    For example:  site has 2 APs and shows 15 connected users.  Looking at the clients we'll see 3 or 4 actually authenticated (to either network) and the rest are just connected to the open network - these are mostly iPhones, iPods, or other smartphone/tablets.

     

    We're currently getting a lot of "slow wireless network" calls, but we aren't able to actually find any problems, so I'm running out of things to look at.  Somebody asked if these clients could be bringing down the network even though they aren't actually passing traffic, and I don't know the answer.....

     

     



  • 2.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Jan 24, 2012 11:04 AM

    @COLE1 wrote:

     

    We're running 2 separate wireless networks (internal using PEAP and an open, external using captive portal). 

     

    Could there be any issues with having a large amount of users/devices connecting to the open network and not actually authenticating?  If so, what number would be considered large?

     

    For example:  site has 2 APs and shows 15 connected users.  Looking at the clients we'll see 3 or 4 actually authenticated (to either network) and the rest are just connected to the open network - these are mostly iPhones, iPods, or other smartphone/tablets.

     

    We're currently getting a lot of "slow wireless network" calls, but we aren't able to actually find any problems, so I'm running out of things to look at.  Somebody asked if these clients could be bringing down the network even though they aren't actually passing traffic, and I don't know the answer.....

     

     


    The general answer is "it depends".  

     

    (1) They could associate from far away, so that they force all connected clients to communicate slower due to their low association rate.  

    (2) They could also consume precious IP address space that you need and force you to reduce your DHCP leases to 15 minutes so that your address space is not depleted.  

    (3) Last but not least, they can also send broadcast and multicast traffic that takes airtime from every device on the same band on that access point.

     

    To deal with #1, you could change the local-probe-response-threshold parameter under Advanced in the SSID profile of that WLAN to something like 20 or 25 so that far away devices cannot associate:

    [screenshot: local2]

     

    The solution for #1 also deals with #2 in a way, but you can lower your DHCP lease time to augment that.

     

    The solution for #3 can be accomplished by dropping broadcasts and multicasts in the Virtual AP profile:

    [screenshot: drop2]



  • 3.  RE: Unauthenticated clients - cause problems?

    Posted Jan 24, 2012 02:09 PM

     

    Thank you.

     

    1)  Is that to say that a further away/slower connected PC will affect the others?  Does the connection drop down to the lowest common denominator, or just slower in general?

     

    a) is the 20-25dB threshold number the same as the SNR?  When working on this last year I recommended that we aim for a SNR of 25dB.

     

    b)  I'm all for enforcing some sort of threshold, but I'm assuming this may result in a reduced coverage in certain environments?   As management waffles between wireless as a luxury (best effort for coverage) and mandatory infrastructure, I'll need to time my responses to ensure I am able to secure the equipment to support these higher quality connections.  *note: this week it IS important!

     

     

    2)  I don't think we've run into issues with DHCP leases at this time.  We reduced leases to 8 hours on the open network and have approx 200 addresses available.

     

    3)  Would dropping broadcast and multicast traffic have any negative effects on the end user experience?

     

     

    So even though the users are sitting in the "OPEN_SSID-guest-logon" role, they could still be consuming bandwidth and possibly passing traffic?  Furthermore, if they are further away and connected at slower speeds they could be slowing down connections for users that are actually using the network?

     

    Because it is an open and broadcasted network, I'm assuming there is no way to prevent these automatic connections (besides the fact that we made it open and broadcasting so that users would find it easy to connect!), or force them to disconnect after certain amount of inactivity?   We currently have the disconnect set for 30 minutes, but we consistently see reported connections, only to click on them and find them reported as "inactive."

     

     



  • 4.  RE: Unauthenticated clients - cause problems?
    Best Answer

    EMPLOYEE
    Posted Jan 24, 2012 02:22 PM

    @COLE1 wrote:

     

    Thank you.

     

    1)  Is that to say that a further away/slower connected PC will affect the others?  Does the connection drop down to the lowest common denominator, or just slower in general?

     

    <CJOSEPH> -  Clients that are further away take longer to transmit data, and faster clients will have to wait on them to send data, which will hurt throughput.  Clients that are further away are also more likely to retransmit, hurting performance even more.

     

    a) is the 20-25dB threshold number the same as the SNR?  When working on this last year I recommended that we aim for a SNR of 25dB.

     

    <CJOSEPH> That is SNR.  Try at 20 and increase based on feedback.

     

    b)  I'm all for enforcing some sort of threshold, but I'm assuming this may result in a reduced coverage in certain environments?   As management waffles between wireless as a luxury (best effort for coverage) and mandatory infrastructure, I'll need to time my responses to ensure I am able to secure the equipment to support these higher quality connections.  *note: this week it IS important!

     

    <CJOSEPH> - This will decrease coverage in certain environments, but it is applied per SSID so that you can have regular coverage for enterprise clients on that SSID, but best-effort coverage for clients on the guest SSID.  In areas with better coverage, it has the side effect of having clients make better decisions about roaming, as well.

     

     

    2)  I don't think we've run into issues with DHCP leases at this time.  We reduced leases to 8 hours on the open network and have approx 200 addresses available.

     

    3)  Would dropping broadcast and multicast traffic have any negative effects on the end user experience?

     

     <CJOSEPH> - The vast majority of traffic is unicast and most broadcast traffic is useless and can be discarded.  "Useful" traffic like ARP and DHCP are always allowed, however.

     

    So even though the users are sitting in the "OPEN_SSID-guest-logon" role, they could still be consuming bandwidth and possibly passing traffic?  Furthermore, if they are further away and connected at slower speeds they could be slowing down connections for users that are actually using the network?

     

    <CJOSEPH> - Correct.  The extent of the degradation depends on your specific network, and the clients, however.  Every probe request or any routine data that is sent by those clients, and all other clients on the same channel (not just same access point) cannot transmit at the same time.

     

    Because it is an open and broadcasted network, I'm assuming there is no way to prevent these automatic connections (besides the fact that we made it open and broadcasting so that users would find it easy to connect!), or force them to disconnect after certain amount of inactivity?   We currently have the disconnect set for 30 minutes, but we consistently see reported connections, only to click on them and find them reported as "inactive."

     

    <CJOSEPH> - Unless you make it a WPA preshared key network, many clients will simply associate to the strongest open network.  Even if you disconnect them, they will just come right back if they are in the area.  With all that being said, it would still be interesting to hear from users who have to deal with this and what they are doing.
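
Added example, not part of the thread: a small Python model of the effect described in the answer above, where a distant client on a low data rate holds the channel longer for every frame it sends. The frame size, per-frame overhead, data rates and retry rate are assumed values, and the model assumes every client is sending continuously and takes turns frame by frame.

```python
from dataclasses import dataclass

FRAME_BITS = 1500 * 8   # assumed payload per frame
OVERHEAD_US = 100.0     # assumed fixed per-frame cost (preamble, gaps, ACK)


@dataclass
class Client:
    name: str
    phy_mbps: float           # data rate the client associated at
    retry_rate: float = 0.0   # fraction of transmissions that fail and are resent


def frame_airtime_us(c: Client) -> float:
    """Mean channel time to deliver one frame, retransmissions included."""
    one_try = OVERHEAD_US + FRAME_BITS / c.phy_mbps   # bits / Mbps = microseconds
    return one_try / (1.0 - c.retry_rate)             # expected tries = 1 / (1 - p)


def per_client_mbps(clients) -> float:
    """Each client sends one frame per round, so all get the same throughput."""
    round_us = sum(frame_airtime_us(c) for c in clients)
    return FRAME_BITS / round_us


def airtime_share(clients) -> dict:
    """Fraction of the channel each client occupies during one round."""
    round_us = sum(frame_airtime_us(c) for c in clients)
    return {c.name: frame_airtime_us(c) / round_us for c in clients}


# Constructed sample: three nearby clients, then the same cell plus one distant device.
NEAR = [Client(f"near{i}", 54.0) for i in (1, 2, 3)]
FAR = Client("far", 1.0, retry_rate=0.2)

if __name__ == "__main__":
    print(f"near clients only : {per_client_mbps(NEAR):.2f} Mbps each")
    print(f"plus far client   : {per_client_mbps(NEAR + [FAR]):.2f} Mbps each")
    print(f"far client airtime: {airtime_share(NEAR + [FAR])['far']:.0%}")
```

In this model the far client does not merely get a slow connection of its own; it pulls every client on the channel down to roughly its own throughput, which is why a per-SSID association threshold helps the clients that stay.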

     



  • 5.  RE: Unauthenticated clients - cause problems?

    Posted Jan 25, 2012 12:00 AM

    Hi,

    For the guest SSID you can add an encryption key so that only those who know the key can connect. In this case the authentication remains OPEN but encryption is ON... I don't know whether it's a suitable solution, but you can try it... :)



  • 6.  RE: Unauthenticated clients - cause problems?

    Posted Feb 06, 2012 03:06 PM

    I am having the same problem. I have several locations with APs at airports where people walking by our location grab an IP address. This is causing us problems with the 500 IP address pool that we have set up for guest access in the Aruba controller. I currently have my DHCP lease time set to 30 min, but I still have more smartphones and tablets connecting than I have IP addresses that the Aruba controller can issue.



  • 7.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Feb 06, 2012 03:37 PM

    @alazalde wrote:

    I am having the same problem. I have several locations with APs at airports where people walking by our location grab an IP address. This is causing us problems with the 500 IP address pool that we have set up for guest access in the Aruba controller. I currently have my DHCP lease time set to 30 min, but I still have more smartphones and tablets connecting than I have IP addresses that the Aruba controller can issue.


    Alazalde,

     

    What do you do to deal with it?

     



  • 8.  RE: Unauthenticated clients - cause problems?

    Posted Feb 08, 2012 10:32 AM

    I currently do not have a solution. If guests start to complain to our managers, I log in to the controller and clear the DHCP bindings to disconnect devices that are no longer in the area. I rarely do that and just explain to the managers that we have a limited number of connections for the time being. Does anyone have any ideas?



  • 9.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Feb 08, 2012 02:36 PM

    Shorter leases, maybe?
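
Added example, not part of the thread: a minute-by-minute Python simulation of the guest pool problem discussed in the posts above, comparing the 30 minute lease with a shorter one. The pool size of 500 comes from the thread; the arrival profile (a steady trickle of walk-by devices plus one burst) and the 10 minute lease are constructed assumptions.

```python
from collections import deque

POOL_SIZE = 500  # guest pool size quoted in the thread


def constructed_arrivals(minutes=180, baseline=10, burst=40,
                         burst_start=60, burst_len=15):
    """Constructed profile: new devices per minute, with one burst of foot traffic."""
    return [burst if burst_start <= t < burst_start + burst_len else baseline
            for t in range(minutes)]


def simulate_pool(arrivals, lease_min, pool_size=POOL_SIZE):
    """Walk-by devices take a lease and never release it, so an address
    only returns to the pool when its lease expires."""
    active = deque()            # (expiry_minute, count), oldest grant first
    in_use = peak = denied = 0
    for t, new_devices in enumerate(arrivals):
        # Return addresses whose lease has run out.
        while active and active[0][0] <= t:
            in_use -= active.popleft()[1]
        # Hand out what is left; the rest of this minute's devices get nothing.
        granted = min(new_devices, pool_size - in_use)
        denied += new_devices - granted
        if granted:
            active.append((t + lease_min, granted))
            in_use += granted
        peak = max(peak, in_use)
    return {"peak": peak, "denied": denied}


if __name__ == "__main__":
    profile = constructed_arrivals()
    for lease in (30, 10):
        print(f"lease {lease:>2} min -> {simulate_pool(profile, lease)}")
```

With abandoned leases, steady-state pool usage is the arrival rate multiplied by the lease time, so the lease has to be sized against the busiest period rather than the average.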

     



  • 10.  RE: Unauthenticated clients - cause problems?

    Posted Feb 20, 2012 07:37 PM

    It seems like there is a lot of guessing on this post.  Anybody consider hooking up a sniffer to actually tell how much (and what kind) of traffic is actually being passed?



  • 11.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Feb 20, 2012 07:54 PM

    @memorri wrote:

    It seems like there is a lot of guessing on this post.  Anybody consider hooking up a sniffer to actually tell how much (and what kind) of traffic is actually being passed?


    Memorri,

     

    The type and extent of traffic is not predictable, so a sniffer would only tell what happens when that sniffer is active, in the area that it is active.

     

    There were recommendations submitted before to mitigate the effects of random clients and not everyone is willing to implement all of them, so we listed as much as possible.  Zjennings had a recommendation to just put up a preshared key network whose SSID is "the_key_is_XXX" so that no random users will associate randomly.  That is probably one of the best ideas in recent memory.

     

    Is there anything in particular that works for you?

     

     



  • 12.  RE: Unauthenticated clients - cause problems?

    Posted Mar 09, 2012 03:39 PM

    Really good info cjoseph!

    cjoseph, in your image I notice that you also checked the box for "convert broadcast ARP to unicast".

    Should we enable that option also?

    If so, I tried enabling it but I get a warning telling me: Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

     

     



  • 13.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Mar 09, 2012 04:49 PM

    @NightShade1 wrote:

    Really good info cjoseph!

    cjoseph, in your image I notice that you also checked the box for "convert broadcast ARP to unicast".

    Should we enable that option also?

    If so, I tried enabling it but I get a warning telling me: Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

     

     


    The red writing is just a reminder that it needs to be enabled.

     



  • 14.  RE: Unauthenticated clients - cause problems?

    Posted Mar 09, 2012 06:06 PM

    Yeah, I know.

    What I was asking is whether I should enable the "convert broadcast ARP to unicast" option... you just mentioned that I should enable drop broadcast and multicast... but it was in the image...

    And I was wondering if we should ALSO enable the "convert broadcast ARP to unicast" option.

     

     



  • 15.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Mar 09, 2012 06:45 PM

    both.



  • 16.  RE: Unauthenticated clients - cause problems?

    Posted Mar 10, 2012 09:34 AM

    Took me a while to find the broadcast-filter arp option, but well, I found it.

     

    Just one last question

    As broadcast is the enemy of WiFi, would you recommend that we always turn on Drop Broadcast and Multicast, Convert Broadcast ARP requests to unicast, and broadcast-filter ARP to have a more reliable network? I mean turning this on in all VAPs, and also the broadcast filter ip on the stateful firewall?

     

     

     



  • 17.  RE: Unauthenticated clients - cause problems?

    EMPLOYEE
    Posted Mar 10, 2012 09:36 AM
    Yes... unless you have an application that requires broadcast or multicast.


  • 18.  RE: Unauthenticated clients - cause problems?

    Posted Mar 10, 2012 09:55 AM

    Okay Collin thank you very much

    Guess there won't be any issue with that... I can always ask the client if he is running any app that uses broadcast and multicast.

    Cheers