This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

client roaming to prefered radio caused radius authentication event which failed

client roaming to prefered radio caused radius authentication event which failed

M_Nees
Contributor III

ā€Ž07-27-2016 06:14 PM

Currently i have a very strange problem.
We use EAP-TLS 802.1x Authentication for a internal SSID for notebooks. EWC is installed at the headquarter. 2x AP 3705 installed on the affected branch - we use V9.21.07. NAC Gateway 6.2.0.x installed also in the headquarter and is the RADIUS proxy to the NPS on the Windows AD 2008 Server. This working well over the last years.
Now we change the WAN connection of this branch from MPLS to VPN with IPSec. After this change a lot of internal WLAN clients which connected before without problems are rejected from the NAC Gateway. All other branches working well. At wired switches we use only MAC Auth which is also not affected.

Error:
802.1x (identify) - Authentication became stale

After some troubleshooting i realized that if the client roam within the AP to its prefered radio for that roaming event a radius request is triggered. The the first request (to the first radio) is always possitive (accepted) and then the AP internal switch to the prefered radio triggers a RADIUS request which is always rejected - with the above error message.

For a temporary solution i disable radio 1! And then all client can login without problems!

This is very strange.

First question:
Why do an switch from radio 2 to radio 1 trigger a radius event. Can i disable this new login request in the AP / EWC config?
Second Question:
If this request is needed why does it become stale and will be rejected?


Thanks for any advices.
Regards
0 Kudos
22 REPLIES 22

Ronald_Dvorak
Honored Contributor

ā€Ž07-27-2016 06:39 PM

I assume radio preference is enabled and that is the reason the client is switching between radio 1&2 - correct ?

I also vote for a MTU problem.

0 Kudos

M_Nees
Contributor III

ā€Ž07-27-2016 06:28 PM

Hi Zdenek,

i check the MTU from headquarter to the AP with a "ping -f -l 1400 IP-of-the-AP" which is working fine with MTU of 1400. Also test with lower MTU which have no possitive effects.

Within the internal SSID is use 802.1x Privacy - no MAC Auth.

i can not understand why an inter AP roaming will trigger a complete new authentication request ? And why is the request will on the second run ? The first run to the first radio is always accepted ?

Regards
0 Kudos

Zdeněk_Pala
Extreme Employee

ā€Ž07-27-2016 06:22 PM

Hi I would guess the issue is with MTU = check the config for your APs and your VPN If I remember well the MACauthentication on the EWC does have option to configure if you want the reauth to happen or not. Go to the Wlan service => authentication. Regards
Regards Zdeněk Pala
0 Kudos
GTM-P2G8KFN