What is the proper way to set up multiple APs for RADIUS?

cg_keehn
New Contributor II

We installed AP230 access points in all of our classrooms last year. Things worked great for the most part, with only the occasional issue every once in a while where a client here or there would not connect. After the start of this year, I believe we found the cause of that, though now it is much more pronounced.

We added another 300 chromebooks to the school for this year (Total of close to 2000 clients now), and in addition I updated the way they connect to the wifi. At the device level before login, each chromebook connects with a generic device account. Once the user signs in I'm doing VLAN steering so that students get placed on one VLAN, staff on another.

Things worked great in testing, during a training session we had for one of our grades, and for a little bit the first day. Then suddenly devices were unable to connect, acting like the password was wrong. After working with support we narrowed down the issue. I had one AP configured as a RADIUS server, and there is a maximum number of 512 entries in the RADIUS cache. Once it hit that point, it started to deny logins with the error: "radiusd[2153]: add RADIUS cache user=username failed because the number exceeds maximum 512"

To fix the issue support had me configure a couple other APs as radius servers (Advanced/Common Objects/IP Objects) and tag those as Radius1, Radius2, etc. We then modified the config on groups of APs, tagging a portion with each of those tags to split up the traffic. That has helped a good bit, but there have still been some instances of us hitting the 512 limit on the newly setup Radius APs.

I was hoping when one had an issue like that it would use the others as a failover. Is this the right way to do this, or is there a better way? (Radius Proxy?)

1 ACCEPTED SOLUTION

cg_keehn
New Contributor II

Just an update on this, I talked to support more yesterday and the suggested solution was an external radius server. Doesn't seem there's a way to have it failover to a second if the limit is hit. It's something I can do when I have some time.

I was looking around some more and saw the setting to disable radius caching under Advanced Configuration - Authentication - Aerohive AAA Server Settings - Database Settings. Being a single building, the caching isn't doing that much for us anyway. I disabled it to see how things worked. I'll report back.

3 REPLIES

cg_keehn
New Contributor II

Gianluca,

Disabling the cache didn't do anything. I don't know if there is a bug or if I don't understand how it works, but after quite a bit of back and forth, there was never a solution for using the built in RADIUS without continuing to run into this issue besides adding more radius APs. I ended up adding the NPS role to a Windows server and have used it since. It's worked perfectly that way.

Sorry I couldn't be more help.

Mike
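Once the built-in RADIUS is replaced by an external server, as Mike describes above, the next thing a practitioner wants is a quick way to confirm that the server answers, that its reply is genuine, and that the VLAN the thread steers students and staff into actually comes back in the Access-Accept. The script below is an added example written for this page; it is not code from the thread, from Aerohive or from Microsoft NPS. It builds a PAP Access-Request the way an AP would (RFC 2865), verifies the Response Authenticator on the reply with the shared secret, reads the VLAN out of the RFC 2868/3580 tunnel attributes, and tries a list of servers in order, skipping one that does not answer, which is the client-side failover the original question asked about. Every host, the shared secret, the user name, the password and the VLAN numbers are constructed values, and demo() fabricates the server's Access-Accept locally so the script runs offline; probe() is the part to point at real servers.

```python
# Added example (not code from the thread, Aerohive or Microsoft): a small RFC 2865/2868
# RADIUS probe. Every host, shared secret, user name, password and VLAN below is constructed.
import hashlib
import ipaddress
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 3580 VLAN assignment values

def encode_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s.5.2): each 16-byte block XOR MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attr(atype, value):  # type-length-value; the length octet counts its own 2-byte header
    assert len(value) <= 253, "attribute value too long"
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip, calling_station, request_auth=None):
    """Access-Request for a PAP login, as the AP (the NAS) sends it."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(CALLING_STATION_ID, calling_station.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def build_reply(code, ident, request_auth, secret, attrs):  # server side (RFC 2865 s.3); fabricates test replies
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attrs(body):
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs

def parse_response(packet, ident, request_auth, secret):
    """Check identifier, length and Response Authenticator before trusting a single attribute."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        raise ValueError("identifier or length mismatch")
    body = packet[20:length]
    if packet[4:20] != hashlib.md5(packet[:4] + request_auth + body + secret).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, parse_attrs(body)

def vlan_from_attrs(attrs):
    """VLAN id from RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802), else None."""
    ttype, tmed, tgid = {}, {}, {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:  # tag octet + 3-byte integer
            (ttype if t == TUNNEL_TYPE else tmed)[v[0]] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:  # leading octet is a tag only if <= 0x1F (RFC 2868 s.3.6)
            tag, gid = (v[0], v[1:]) if v[0] <= 0x1F else (None, v)
            tgid[tag] = gid
    for tag, gid in tgid.items():
        types = [ttype.get(tag)] if tag is not None else ttype.values()
        media = [tmed.get(tag)] if tag is not None else tmed.values()
        if TUNNEL_TYPE_VLAN in types and TUNNEL_MEDIUM_IEEE802 in media and gid.isdigit():
            return int(gid)
    return None

def probe(servers, username, password, nas_ip, calling_station, timeout=3.0):
    """Ask each (host, port, secret) in order; a server that times out is skipped (client-side failover)."""
    for n, (host, port, secret) in enumerate(servers):
        req, ra = build_access_request(n & 0xFF, username, password, secret, nas_ip, calling_station)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(req, (host, port))
                data, _ = s.recvfrom(4096)
            except (socket.timeout, OSError):
                continue
        code, attrs = parse_response(data, n & 0xFF, ra, secret)
        return host, code, vlan_from_attrs(attrs)
    return None

def demo():
    """Offline exchange: a student login answered by a fabricated Access-Accept steering to VLAN 20."""
    secret = b"constructed-shared-secret"
    req, ra = build_access_request(7, "student01", "Pa55word!", secret, "10.20.0.5", "00-11-22-33-44-55")
    vlan_attrs = (attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                  + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                  + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"))
    reply = build_reply(ACCESS_ACCEPT, 7, ra, secret, vlan_attrs)
    code, attrs = parse_response(reply, 7, ra, secret)
    return code, vlan_from_attrs(attrs)  # (2, 20)
```

Against a real server, call probe() with the NPS host, UDP port 1812 and the shared secret configured on the AP's RADIUS object, e.g. probe([("radius1.example", 1812, b"secret")], "testuser", "testpass", "10.20.0.5", "00-11-22-33-44-55"). An Access-Reject with a known-good password, or a ValueError about the Response Authenticator, means the shared secret on the AP side and on the NPS RADIUS client entry do not match; a None result means no server in the list answered within the timeout. PAP hides the password only with MD5 and the shared secret, so use a throwaway test account for this probe rather than a real staff or student login.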

AnonymousM
Valued Contributor II

Hi Michael,

We have the same behaviour and probably the same issue.

How does it work without the cache?

I will open a case to Aerohive...

Thanks

Gianluca
