Higher Education

Device end to end processing time

  • 1.  Device end to end processing time

    Posted May 03, 2017 03:22 PM

    Hello,

    What is the best way to measure end-to-end 802.1X processing time? I received several complaints from students in the dorm that their mobile devices (iPhones and Android) take time to authenticate or time out when roaming around the building. Students mentioned this issue did not occur when we were doing MAC auth on the SSID. The authentication server is ClearPass. How do you see the processing time of the request from ClearPass to AD? I want to make sure the caching is working in the service. If a 24 hr cache is enabled, then there should be a single request for a specific user to AD until the next day? Am I correct?

    Thank you for taking the time to read the post,

    Nils.



  • 2.  RE: Device end to end processing time

    EMPLOYEE
    Posted May 03, 2017 03:28 PM
    If you do a Show Logs on an access tracker request, you’ll see each process broken down. How is the RF coverage? Many times issues arise when moving from MAC Auth to 1X and it is because of RF issues.

    Are you referring to OKC/PMKID caching?


  • 3.  RE: Device end to end processing time

    Posted May 03, 2017 03:30 PM

    End-to-end request processing time is graphed in ClearPass under System Monitor > ClearPass tab, then under the pulldown menu. You'd have to look at service categorization, authentication, role mapping, etc., and then subtract that from end-to-end time to interpret the CPPM->AD amount of time. You can also look at the logs for an individual client in Access Tracker and look at the first and last log timestamps to get that individual's experience.

    Aruba will tell you Clarity Live can tell you this, but I have found that it is significantly skewed by "passer-by" clients.

    We're looking at seriously moving towards EAP-TLS, which will remove the whole AD portion from the equation.

    As for the caching question, OKC will work for clients that support it and not require a reauthentication when they roam. If they disconnect, they'll have to auth when they return unless a PMKID exists for that BSSID and client that hasn't timed out.

    Or, if you're referring to the ClearPass authentication source "caching", that's just for LDAP(S) attributes. NTLM AD authentication would still occur.



  • 4.  RE: Device end to end processing time

    Posted May 03, 2017 04:00 PM

    Thank you for the responses!

     

    I was referring to the ClearPass Authentication Source Cache. If it is caching only the attributes, then a client has to go through a full 802.1X authentication. In short, the user credentials (username/password) are verified every time? I have OKC with validate PMKID enabled.

    Is there a command on the controller that shows you if the user took advantage of the OKC feature?

    The dorm building consists of 5 floors. Each floor has 25 dorm rooms. We have an AP-325 in every room of the building. Both bands are enabled with 20 MHz channels. The power level for the 5 GHz band is (min 9 max 18), and for 2.4 GHz (min 6 max 9). Mode aware and Client Match are disabled.

    I verified the DHCP pool. We have a /20 with 1 hr lease time. From the controller we don't have more than 2,500 users connected at night (busiest time).

    The student mentioned randomly the wireless connection will stop working, the wifi icon spins, and they have to input credentials again. I asked if it happened stationary or when walking around. It seems it happens the most when moving around.

    I walked the building and my iPhone did not ask me to authenticate when moving from floor to floor, so I suspect it is a client-specific issue. However, I want to rule out the connection between ClearPass and AD. That is a reason why I was asking how to measure the response from ClearPass to AD (thank you again for the answers).

    Moving to TLS seems a good approach. Would you have the same SSID or a different SSID to onboard the devices? So, TLS would be faster because user credentials don't have to be validated. Once a client has a valid certificate, will ClearPass validate it without AD?

    Thank you

    Nils.



  • 5.  RE: Device end to end processing time

    Posted May 03, 2017 04:54 PM

    When I look in the Show Logs for a user in the Access Tracker I found the following:

    Service Categorization time = 4 ms

    Policy Evaluation time = 23 ms

    Request processing time = 104 ms

    So, it took 131 ms for the user to authenticate? I want to make sure I am interpreting the log correctly.

    Thank you

    Nils

    Attachment: sessionlog_.txt (16 KB)


  • 6.  RE: Device end to end processing time

    Posted May 03, 2017 05:32 PM

    Looking just at the first and last log timestamps in the Access Tracker log, it will be 104 ms. What is an average end-to-end request processing time? For example, is anything above 600 ms a problem?



  • 7.  RE: Device end to end processing time

    EMPLOYEE
    Posted May 03, 2017 05:41 PM
    100-150 ms is a decent average.
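    The measurement method the thread settles on (end-to-end = last minus first log timestamp; subtract categorization and policy evaluation to estimate the CPPM->AD portion; compare against the quoted 100-150 ms average), worked through in Python as an added example that is not from any poster or from ClearPass. The log layout, SSID and stage labels are constructed for illustration and are not the real Access Tracker "Show Logs" format.

```python
"""Break down where the time goes in one 802.1X request, from a session log.
Log layout and labels below are constructed for this example, not ClearPass's."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample: one request, timestamps chosen to add up to 104 ms.
SAMPLE_LOG = """\
2017-05-03 15:20:01.004 Request received: RADIUS Access-Request from NAD
2017-05-03 15:20:01.008 Service Categorization completed: Dorm-Dot1X
2017-05-03 15:20:01.031 Policy Evaluation completed: role Student
2017-05-03 15:20:01.095 Authentication source AD: response received
2017-05-03 15:20:01.108 Request processing completed: Access-Accept
"""

def parse_log(text):
    """Return [(timestamp, message), ...], one tuple per non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            entries.append((datetime.strptime(line[:23], TS_FMT), line[24:]))
    return entries

def ms_between(a, b):
    """Whole milliseconds between two timestamps (integer, no float rounding)."""
    return (b - a) // timedelta(milliseconds=1)

def breakdown(entries):
    """End-to-end is last minus first timestamp, as suggested in the thread.
    Each stage's duration is the gap since the previous log line; whatever is
    left after categorization and policy evaluation is the estimate of time
    spent waiting on the authentication source (AD)."""
    stages = {}
    for (prev_ts, _), (ts, msg) in zip(entries, entries[1:]):
        label = msg.split(":")[0].replace(" completed", "")
        stages[label] = ms_between(prev_ts, ts)
    end_to_end = ms_between(entries[0][0], entries[-1][0])
    cppm_only = stages.get("Service Categorization", 0) + stages.get("Policy Evaluation", 0)
    return {"end_to_end_ms": end_to_end, "stages_ms": stages,
            "backend_estimate_ms": end_to_end - cppm_only}

def classify(end_to_end_ms, typical_max=150, alarm=600):
    """Bucket against the 100-150 ms average quoted in the thread and a
    caller-chosen alarm threshold (600 ms is the figure the poster asked about)."""
    if end_to_end_ms > alarm:
        return "problem"
    return "slow" if end_to_end_ms > typical_max else "normal"
```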


  • 8.  RE: Device end to end processing time

    Posted May 03, 2017 09:10 PM

        "The student mentioned randomly the wireless connection will stop working, the wifi icon spins, and they have to input credentials again."

    Were the credentials cached in the client? Probably, and if so, you should look for a rogue device impersonating your SSID, or less menacingly, someone thought it would be a good idea to turn on some sort of WiFi repeater, some brands of which seem to not realize that they cannot relay WPA-Enterprise and do something weird by broadcasting a WPA-Personal version of your beacon or some crap... never did figure out what exactly those pieces of garbage thought they were doing.



  • 9.  RE: Device end to end processing time

    Posted May 03, 2017 10:25 PM

    We disabled all wired ports in the dorm. However, I will do a quick survey tomorrow to see if I can find any unknown BSSID under -75 dB.



  • 10.  RE: Device end to end processing time

    Posted May 04, 2017 02:11 PM

    It wouldn't need a wired port to cause problems.

    Could even be one of your own, if you have an AP accidentally in an old group that didn't get the message to convert to WPA-Enterprise. Or maybe an old one from a previous hardware deployment that got forgotten.

    Point is, I've only ever seen a re-prompt for creds when something like this was going on... or outright AAA rejects, but you'd be able to see those.
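    The survey proposed in this exchange, as an added example that is not from any poster: triaging constructed scan results for unknown BSSIDs advertising our SSID at or above the -75 dBm survey floor, and for the two cases described above, a repeater rebroadcasting a WPA-Personal copy of the beacon and a managed AP left in a stale group. The SSID, BSSIDs, group names and RSSI values are all constructed.

```python
"""Triage a site-survey scan for the two beacon problems discussed in the thread.
All SSIDs, BSSIDs and AP group names below are constructed for this example."""
from dataclasses import dataclass

OUR_SSID = "Dorm-WiFi"                  # constructed SSID name
EXPECTED_SECURITY = "WPA2-Enterprise"   # what the dorm SSID should advertise
RSSI_FLOOR_DBM = -75                    # survey threshold suggested in the thread

# Constructed: BSSIDs of APs the controller manages, keyed to their AP group.
MANAGED_BSSIDS = {
    "00:11:22:aa:bb:01": "dorm-dot1x",
    "00:11:22:aa:bb:02": "dorm-dot1x",
    "00:11:22:aa:bb:03": "legacy-psk",   # stale group, never converted
}

@dataclass
class Beacon:
    ssid: str
    bssid: str
    security: str
    rssi_dbm: int

# Constructed survey results as a scanner might report them.
SURVEY = [
    Beacon(OUR_SSID, "00:11:22:aa:bb:01", "WPA2-Enterprise", -52),
    Beacon(OUR_SSID, "00:11:22:aa:bb:03", "WPA2-Personal", -60),    # own AP, wrong group
    Beacon(OUR_SSID, "de:ad:be:ef:00:01", "WPA2-Personal", -58),    # repeater/rogue
    Beacon(OUR_SSID, "de:ad:be:ef:00:02", "WPA2-Enterprise", -84),  # unknown but faint
    Beacon("Neighbor", "aa:bb:cc:dd:ee:ff", "WPA2-Personal", -45),  # different SSID
]

def triage(beacons, managed=MANAGED_BSSIDS, ssid=OUR_SSID,
           expected=EXPECTED_SECURITY, floor=RSSI_FLOOR_DBM):
    """Return [(bssid, finding), ...] for beacons that need a walk-up check.
    Other SSIDs are ignored.  Unknown BSSIDs only count at or above the survey
    floor so distant neighbours don't flood the list; a managed AP is reported
    when its advertised security differs from what the SSID should run."""
    findings = []
    for b in beacons:
        if b.ssid != ssid:
            continue
        group = managed.get(b.bssid.lower())
        if group is None:
            if b.rssi_dbm >= floor:
                findings.append((b.bssid, "unknown BSSID advertising our SSID"))
        elif b.security != expected:
            findings.append((b.bssid,
                             f"managed AP in group '{group}' advertising {b.security}"))
    return findings
```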

     



  • 11.  RE: Device end to end processing time

    EMPLOYEE
    Posted May 03, 2017 10:27 PM

    @nilslau03 wrote:

        Thank you for the responses!

        I was referring to the ClearPass Authentication Source Cache. If it is caching only the attributes, then a client has to go through a full 802.1X authentication. In short, the user credentials (username/password) are verified every time? I have OKC with validate PMKID enabled.

        Is there a command on the controller that shows you if the user took advantage of the OKC feature?

        The dorm building consists of 5 floors. Each floor has 25 dorm rooms. We have an AP-325 in every room of the building. Both bands are enabled with 20 MHz channels. The power level for the 5 GHz band is (min 9 max 18), and for 2.4 GHz (min 6 max 9). Mode aware and Client Match are disabled.

        I verified the DHCP pool. We have a /20 with 1 hr lease time. From the controller we don't have more than 2,500 users connected at night (busiest time).

        The student mentioned randomly the wireless connection will stop working, the wifi icon spins, and they have to input credentials again. I asked if it happened stationary or when walking around. It seems it happens the most when moving around.

        I walked the building and my iPhone did not ask me to authenticate when moving from floor to floor, so I suspect it is a client-specific issue. However, I want to rule out the connection between ClearPass and AD. That is a reason why I was asking how to measure the response from ClearPass to AD (thank you again for the answers).

        Moving to TLS seems a good approach. Would you have the same SSID or a different SSID to onboard the devices? So, TLS would be faster because user credentials don't have to be validated. Once a client has a valid certificate, will ClearPass validate it without AD?

        Thank you

        Nils.

    You need to reduce your variables. Is this happening to all users? If not, like Tcappalli said, it is probably RF. I would start with the Dashboard > Performance > AP chart and give us the print screen of the Channel Quality, Noise Floor, Channel Busy and Interference. Of all of your issues, RF is the most variable and that needs to be looked at first. Min 9 and max 18 is too large of a difference. The difference between the min and max should not be more than 6 for even coverage.