
client roaming to preferred radio caused radius authentication event which failed


M_Nees
Contributor III
Currently I have a very strange problem.
We use EAP-TLS 802.1x authentication for an internal SSID for notebooks. The EWC is installed at the headquarters. 2x AP 3705 are installed at the affected branch - we use V9.21.07. The NAC Gateway 6.2.0.x is also installed at the headquarters and is the RADIUS proxy to the NPS on the Windows AD 2008 Server. This has been working well over the last years.
Now we have changed the WAN connection of this branch from MPLS to VPN with IPSec. After this change a lot of internal WLAN clients which connected before without problems are rejected by the NAC Gateway. All other branches are working well. On wired switches we use only MAC Auth, which is also not affected.

Error:
802.1x (identify) - Authentication became stale

After some troubleshooting I realized that if the client roams within the AP to its preferred radio, a RADIUS request is triggered for that roaming event. The first request (to the first radio) is always positive (accepted), and then the AP-internal switch to the preferred radio triggers a RADIUS request which is always rejected - with the above error message.

As a temporary solution I disabled radio 1! And then all clients can log in without problems!

This is very strange.

First question:
Why does a switch from radio 2 to radio 1 trigger a RADIUS event? Can I disable this new login request in the AP / EWC config?
Second question:
If this request is needed, why does it become stale and get rejected?


Thanks for any advice.
Regards
22 REPLIES

Opportunistic Keying is already enabled on this WLAN Service.

Zdeněk_Pala
Extreme Employee
If your MTU is 1400, what value do you have at your AP?
Regards Zdeněk Pala

Hi Zdenek,

I tested with "ping -f -l 1400". So an MTU of 1400 bytes is going through the network - so I configured the AP also with MTU = 1400.

Am I doing something wrong?

Zdeněk_Pala
Extreme Employee
I would try to capture (packet capture) the authentication packets to see why the authentication became stale => I expect that some packets are being lost. The question is where: client to AP, AP to controller, or controller to RADIUS server. (Can be configured as SITE = AP to RADIUS server directly.)
Regards Zdeněk Pala
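
One way to work through such a capture, as an added example that is not part of the thread and not Extreme Networks code: it parses RADIUS UDP payloads (RFC 2865 header, EAP-Message attribute 79 from RFC 3579), lists Access-Requests that never received a reply, and flags packets whose IP size exceeds a given path MTU. The packets are constructed test data, `build` is a hypothetical helper, and a single RADIUS client (one identifier space) with IPv4 headers without options is assumed.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
EAP_MESSAGE = 79          # RFC 3579 attribute carrying the EAP (here EAP-TLS) data
IP_UDP_HEADERS = 20 + 8   # assumption: IPv4 header without options + UDP header

def parse_radius(datagram):
    """Return (code, identifier, total EAP bytes) for one RADIUS UDP payload."""
    if len(datagram) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("truncated or malformed RADIUS packet")
    eap, pos = 0, 20                      # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += alen - 2
        pos += alen
    return code, ident, eap

def analyse(capture, path_mtu):
    """capture: RADIUS UDP payloads in capture order, both directions.
    Returns (identifiers of Access-Requests never answered,
             indexes of packets that need IP fragmentation at path_mtu)."""
    pending, oversize = [], []
    for index, datagram in enumerate(capture):
        code, ident, _ = parse_radius(datagram)
        if len(datagram) + IP_UDP_HEADERS > path_mtu:
            oversize.append(index)
        if code == ACCESS_REQUEST:
            if ident not in pending:      # a retransmission reuses the identifier
                pending.append(ident)
        elif ident in pending:            # Accept, Reject or Challenge answers it
            pending.remove(ident)
    return pending, oversize

def build(code, ident, eap_len=0):
    """Constructed packet: zeroed authenticator, EAP split into <=253-byte attributes."""
    attrs = b""
    while eap_len > 0:
        chunk = min(eap_len, 253)
        attrs += bytes([EAP_MESSAGE, chunk + 2]) + b"\x00" * chunk
        eap_len -= chunk
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs

# Constructed capture: request 7 is answered; request 8 carries a large EAP-TLS
# fragment, is retransmitted once and never gets a reply.
SAMPLE = [build(ACCESS_REQUEST, 7, 200), build(ACCESS_CHALLENGE, 7, 1000),
          build(ACCESS_REQUEST, 8, 1400), build(ACCESS_REQUEST, 8, 1400)]
```

Running the same analysis on captures taken at the AP, the controller and the RADIUS server shows on which leg the unanswered request disappears.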

M_Nees
Contributor III
Yes, radio preference on the client is enabled.

But the fact that after disabling radio 1 - to avoid the inter AP roaming - the problem is solved speaks against the MTU problem!
I also checked the possible MTU size with different "ping -f -l max-packet-size"

Are there any suggestions on how to find the root cause?