We are using WPA, TTLS/PAP, and our APs are Cisco 1230s and 1240s with IOS code. The clients are 90% Macintosh OS 10.4.x.

Regarding constant reassociation, I have found that a painstaking approach with 2.4 GHz channel selection, AP power settings and data rates, plus using the Mac platform, has minimized endless reassociation thus far. Our experience is that some PCs demonstrate the behavior, and we try to adjust wireless interface settings, then suggest a different wireless card. The Intel Macs with OS 10.4.7 display strange behavior, including some caching of the radio environment and a tendency to associate with APs that do not have the best signal/noise ratio.

I've just received word from Apple that the newest OS update, 10.4.8, has wireless bugfixes for Intel Macs and supports EAP-FAST. The suggestion seems to be that Apple views EAP-FAST as superior to TTLS, which it may be if your authentication infrastructure supports MS-CHAPv2.

Regarding roaming, the client controls roaming, though the Cisco LWAPP implementation includes Aggressive Load-balancing. I have not seen this at work, however, because we were able to get PCs employing TTLS/PAP to roam adequately between APs on a single Cisco LWAPP controller, but not Macintoshes. Cisco has not been very helpful in defining or resolving the issue thus far.

Regarding roaming latency, for us a small amount of packet loss is common when roaming between IOS APs, but this seems acceptable so far. For instance, I have been able to maintain a VPN session when roaming between IOS APs.

We offer wireless connectivity as a convenience primarily, and suggest wired networking for reliable, high-bandwidth use. Since we're located in downtown Chicago, where 2.4 GHz WLANs abound, we cannot make performance guarantees for wireless.

--------------------
David France
Network Administrator
The Art Institute of Chicago

Date:    Wed, 27 Sep 2006 16:15:51 -0400
From:    Shumon Huque <[EMAIL PROTECTED]>
Subject: Frequent reassociations/reauthentications in 802.1x WLAN

We rolled out a WPA/802.1x authenticated WLAN to our student
residences this semester. We're using EAP-TTLS with PAP as 
the inner authentication protocol. The EAP servers are a set 
of centralized RADIUS servers that perform Kerberos5 password 
verification to our KDCs in the backend.

We've noticed several problems that we didn't observe when 
we had it running on a much smaller scale in our own offices.
A large number of users seem to be repeatedly authenticating,
some of them as frequently as every 30 seconds or every few
minutes. Some debugging revealed that these users are frequently
oscillating their associations between a number of different
access points. A smaller number of users keep reassociating with
the same access point. This is causing a very large load on the
authentication server infrastructure, which we've temporarily
worked around by load balancing the APs across additional 
RADIUS servers. 

However, we're also assuming that this is causing lots of user 
visible performance problems due to roaming latency (scan,
reassociate, authenticate, 802.11i handshake, DHCP address 
acquisition etc). Surprisingly, not many users have complained. 
Perhaps they are only browsing the web or using other non-
interactive apps which can tolerate delay. Or they might 
simultaneously have a wired ethernet connection.

Is frequent reassociation the normal behavior in a dense
deployment of APs? I can understand that it might be for
highly mobile stations like wireless VoIP phones. But our 
environment is composed of mostly stationary wireless laptops 
in student rooms. My assumption was that roaming typically 
happened when a user moves towards a stronger signal AP and 
at some configured signal quality threshold, the station started
scanning for a better AP. Am I wrong?

Or is this more likely something in our radio environment or
insufficient coverage etc? Our wireless LAN engineers are
currently investigating this, but I'd be interested to hear
the experience of others.

Do we need a fast roaming solution to deal with this? Having
access points and stations able to cache the PMK (Pairwise
Master Key) would probably help the best, as that would allow
them to often establish a secure association without conducting 
a heavyweight authentication dialog with the RADIUS server. But
I'm not sure if access points or typical endstations support this. 
TLS session resumption will probably help a bit also (if supported).
We use Cisco Aironet 1200/1100 access points. The clients are
mostly PCs running SecureW2, Macs running with the built-in
EAP-TTLS/802.1x support in Mac OS X, and a smaller number of
Linux machines.

Thanks for any advice!
---
Shumon Huque
Network Engineering, Information Systems & Computing
University of Pennsylvania / MAGPI
3401 Walnut Street, Suite 221A, Philadelphia, PA 19104-6228, USA
(215)898-2477, (215)898-9348 (Fax)
E-mail: shuque -at- isc.upenn.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
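The two questions in the post above, which users are flapping between APs (or reassociating with the same one) and how much a PMK cache would save, can be answered from the RADIUS authentication logs. The following is an added example, not code from the original message or from either university's deployment. It assumes a log already reduced to "timestamp user AP" lines (the sample records are constructed), a flapping threshold of three authentications with a gap of five minutes or less, and a PMKSA lifetime of one hour; all three are assumptions to adjust to the real environment. The cache simulation follows 802.11i PMKSA caching as the post describes it: a station returning to an AP it already authenticated with inside the lifetime skips the EAP exchange and goes straight to the 4-way handshake, while the first visit to each AP still costs a full authentication (pre-authentication or opportunistic key caching would be needed to avoid that).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one successful 802.1X authentication per line as
# "<ISO timestamp> <user> <AP name>". The format is an assumption; a real
# input would be RADIUS auth/accounting logs or AP syslog reduced to these fields.
SAMPLE_LOG = """\
2006-09-27T10:00:00 alice ap-201
2006-09-27T10:00:30 alice ap-202
2006-09-27T10:01:05 alice ap-201
2006-09-27T10:01:40 alice ap-202
2006-09-27T10:02:10 alice ap-201
2006-09-27T10:00:00 bob ap-305
2006-09-27T10:00:45 bob ap-305
2006-09-27T10:01:30 bob ap-305
2006-09-27T10:00:00 carol ap-110
2006-09-27T12:30:00 carol ap-111
"""


def parse_auth_log(text):
    """Group authentications by user, each list sorted by time."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ap = line.split()
        by_user[user].append((datetime.fromisoformat(ts), ap))
    for events in by_user.values():
        events.sort()
    return dict(by_user)


def find_flapping(by_user, max_interval=timedelta(minutes=5), min_auths=3):
    """Flag users with at least `min_auths` authentications whose shortest gap
    between consecutive authentications is `max_interval` or less (assumed
    thresholds). Returns {user: (auth_count, shortest_gap_seconds,
    distinct_aps, kind)} where kind separates AP oscillation from repeated
    reassociation with a single AP, the two patterns seen in the post."""
    result = {}
    for user, events in by_user.items():
        if len(events) < min_auths:
            continue
        gaps = [t2 - t1 for (t1, _), (t2, _) in zip(events, events[1:])]
        shortest = min(gaps)
        if shortest > max_interval:
            continue
        aps = {ap for _, ap in events}
        kind = "ap-oscillation" if len(aps) > 1 else "same-ap-reassociation"
        result[user] = (len(events), int(shortest.total_seconds()), len(aps), kind)
    return result


def simulate_pmksa_cache(by_user, lifetime=timedelta(hours=1)):
    """Estimate how many full EAP exchanges a per-AP PMKSA cache would avoid.
    A cached PMK only helps when the station returns to an AP it already
    authenticated with inside `lifetime` (assumed value); the first visit to
    each AP still needs full EAP. The lifetime runs from when the PMKSA was
    established, not from the last use. Returns {user: (full_eap, skipped)}."""
    result = {}
    for user, events in by_user.items():
        cache = {}  # AP name -> time the PMKSA with that AP was established
        full = skipped = 0
        for ts, ap in events:
            established = cache.get(ap)
            if established is not None and ts - established <= lifetime:
                skipped += 1
            else:
                full += 1
                cache[ap] = ts
        result[user] = (full, skipped)
    return result


if __name__ == "__main__":
    by_user = parse_auth_log(SAMPLE_LOG)
    for user, info in sorted(find_flapping(by_user).items()):
        print(user, info)
    for user, (full, skipped) in sorted(simulate_pmksa_cache(by_user).items()):
        print(user, "full EAP:", full, "served from PMKSA cache:", skipped)
```

On the sample, alice oscillates between two APs every 30 to 35 seconds and bob reassociates with one AP every 45 seconds, while carol's two authentications hours apart are ordinary. The cache simulation shows the limit of plain PMKSA caching: alice's five authentications drop to two full EAP exchanges (one per AP), bob's three drop to one, and carol gains nothing because each of her authentications is a first visit to a new AP.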

------------------------------