Saturday
Hi all,
Currently I wanted to ask everyone what their experience is with PPSK cloud-based authentication via ExtremeCloudIQ.
Our experience is that since the start of 2025 last year, the feature is starting to become unusable.
We are utilizing this feature because we are automatically creating a PPSK password for every employee at our customers with a sort of sync between XIQ and M365 Entra ID.
The cloud feature is good for our situation so we do not have to push a config change to every AP every time a user PPSK password gets created or deleted.
Over the year we have continuously run into issues and have created several cases at GTAC to have this issue investigated and eventually resolved.
Issues we are experiencing are that PPSK-based WiFi authentication stops working randomly for devices or specific passwords, devices intermittently cannot connect at all, and newly created passwords are not working at all.
Errors we are seeing on the XIQ Side:
- PPSK Rejected by Guest Access
- Guest Access Unreachable
- Undefined error/unknown problem.
- Slow Authentication
Most of the time we are troubleshooting for a few weeks, and eventually something on the cloud side gets corrected (if I have understood it correctly) or a firmware update is suggested (last time from 10.8.3.0 to 10.8.4.0).
Our data centers that have XIQ tenants within them are ES, NL-GCP, and IE.
APs/XIQ are not reporting any CAPWAP delays or connectivity issues.
Question to the community: how is your experience with PPSK cloud-based authentication, and are others possibly experiencing the same behaviour?
Thank you and kind regards,
Sjoerd
yesterday
We've used PPSK for many years now, at least 7 years or more. We've had many issues over those years. Generally it works well.
One of the longest running problems is related to the cloud instance not recognizing the PPSK's user group when presented for auth. This results in dumping the user in the default vlan. In our case, Guest vlan. So valid internal clients have no access to internal resources.
Early on, maybe late 2018, we had a case with engineering and captured traffic returning from the cloud with a non-matching attribute. So the user got dumped to Guest. We never got resolution on that as the problem was very sporadic. It still pops up to this day. The only "fix" is to reboot all APs at a site simultaneously. That way the RADIUS cache data is dumped. Otherwise the cache just moves to the next AP that gets elected. This raises one of my biggest complaints. I should be allowed to pin 2 APs and keep them as the permanent RADSEC APs. This at least gives you a place to start troubleshooting. Then you can monitor the traffic on those 2 APs exclusively without chasing your tail. As well, these APs could be used exclusively as RADSEC APs by turning off the radios and sticking them in the MDF. I appreciate the redundancy of the design Extreme has, however it proves very problematic.
Lately we've seen an issue where the AP's client certificate becomes corrupt. By corrupt, I mean the cloud rejects the AP's RADIUS request. This will affect an entire site. The "fix" is, at the request of Extreme, to use "Actions - Reset client IDM certificate". Select every AP at a site and execute the command. This will generally resolve the auth issue. These certs are supposed to be good for 1 year, but we see this issue repeat often. It has happened repeatedly at sites where all the certs have been recently regenerated. This was a huge issue for us in the spring. It has quieted down, but we still randomly experience it as late as this fall.
We generate our PPSKs with the API tool via our MDM servers, JAMF and SCCM. We are a very large district with 30k clients and 2200+ APs across 40+ sites. The handout process works fine. No issue there.
I was told (won't mention names) from an internal source that the certificate issue (which may be your problem as well?) is a result of the front end caching engine (can't remember the name) that Extreme uses on the cloud instances. It keeps the back end DB in sync with the customer traffic, requests, analytics, etc.
We do not see CAPWAP issues either. All our issues appear to be with cloud communications. My network and firewall are very structured and straightforward. For client traffic, we have a single 100G WAN interface where all the AP traffic is whitelisted. All AP subnets have individual NATs and each location has its own public IP. Still we have problems. I regularly monitor my firewall for denied traffic to Extreme from our AP subnets. I never find anything blocked.
All this to say, we will need to move away from PPSK to move onto Wi-Fi 6. I haven't crossed that bridge yet.