ACS Authentication Limit

Unanswered Question
Aug 24th, 2007

Hi all, We currently are running 400 laptops that all utilize the same username to authenticate to our wireless network and we randomly see authentication issues. We are running version 11.1 of the Intel client and we have a mix of LWAPP and Autonomous AP deployments. We have mostly 1242 AP's. Is there any kind of limit imposed by ACS or anything else that would be causing the random authentication failures we are seeing? We have to reboot the laptop for the authentication to work again once this happens. Our laptops are auto-login as is the wireless authentication. Is this a best practice or should we be auto-logging the wireless in with a separate account for each laptop? Thanks for any opinions.

rseiler Thu, 08/30/2007 - 12:45

Best practice would be to use unique user names per laptop.


You haven't included important details such as authentication or encryption that you are using on this wireless network.


Assuming you are using WPA1/WPA2 with PEAP-MSCHAPv2 via ACS to MS AD then you would need the following Microsoft hotfixes installed to fix several Microsoft RADIUS and wireless zero config issues:


KB917021

KB885453


Also, I would recommend WPA2, PEAP-MSCHAPv2, and 802.1x + CCKM on the controller WLAN (SSID) if you can control the configuration on the laptops. Fast secure roaming using CCKM is much less processor intensive on the ACS server. If you don't use fast secure roaming (CCKM) then every roam between access points is a full re-auth through ACS. This will require the Intel client and NOT Microsoft zero config.


Most likely you are killing the ACS server with re-authentications.
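A defender-side way to measure the re-authentication load this reply warns about, added here as an example and not code from the thread or from Cisco. It assumes a simplified ACS-style CSV export with the columns Date, Time, Message-Type, User-Name, Caller-ID and NAS-IP-Address (real exports carry more fields) and uses constructed sample lines. Because every laptop shares one User-Name, the script keys on the client MAC (Caller-ID): a client that completes several full authentications within a few minutes across different NAS addresses is roaming without fast secure roaming, which is exactly the load pattern described above.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, loosely modelled on an ACS passed/failed authentications CSV export.
# The column set is an assumption for this example; real exports carry more fields.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Caller-ID,NAS-IP-Address
08/30/2007,12:00:01,Authen OK,wlanuser,00-13-CE-11-22-33,10.0.0.5
08/30/2007,12:00:40,Authen OK,wlanuser,00-13-CE-11-22-33,10.0.0.6
08/30/2007,12:01:15,Authen OK,wlanuser,00-13-CE-11-22-33,10.0.0.5
08/30/2007,12:01:50,Authen OK,wlanuser,00-13-CE-11-22-33,10.0.0.7
08/30/2007,12:02:30,Authen OK,wlanuser,00-13-CE-11-22-33,10.0.0.6
08/30/2007,12:00:10,Authen OK,wlanuser,00-13-CE-44-55-66,10.0.0.5
08/30/2007,12:03:00,Authen failed,wlanuser,00-13-CE-77-88-99,10.0.0.6
08/30/2007,12:03:05,Authen OK,wlanuser,00-13-CE-77-88-99,10.0.0.6
"""


def parse_log(text):
    """Parse CSV lines into event dicts with a datetime timestamp."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        events.append({
            "ts": ts,
            "ok": row["Message-Type"] == "Authen OK",
            "user": row["User-Name"],
            "mac": row["Caller-ID"],
            "nas": row["NAS-IP-Address"],
        })
    return events


def summarize_by_client(events):
    """Per client MAC: passed/failed counts and the set of NAS (AP or controller)
    addresses seen. Keyed on Caller-ID because a shared User-Name cannot tell
    the laptops apart."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "nas": set()})
    for e in events:
        s = summary[e["mac"]]
        s["ok" if e["ok"] else "failed"] += 1
        s["nas"].add(e["nas"])
    return dict(summary)


def max_auths_in_window(events, window=timedelta(minutes=5)):
    """For each client MAC, the largest number of successful full authentications
    that fall inside any sliding window of the given length."""
    times = defaultdict(list)
    for e in events:
        if e["ok"]:
            times[e["mac"]].append(e["ts"])
    result = {}
    for mac, ts_list in times.items():
        ts_list.sort()
        best, start = 0, 0
        for end in range(len(ts_list)):
            # Advance the window start until it spans at most `window`.
            while ts_list[end] - ts_list[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[mac] = best
    return result


def flag_reauth_storms(events, window=timedelta(minutes=5), threshold=3):
    """Clients that complete at least `threshold` full authentications in one
    window. With fast secure roaming working, a roam should not show up here."""
    return {mac: n for mac, n in max_auths_in_window(events, window).items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for mac, s in summarize_by_client(evs).items():
        print(mac, "ok:", s["ok"], "failed:", s["failed"], "nas:", sorted(s["nas"]))
    print("re-auth storms:", flag_reauth_storms(evs))
```

On the constructed sample the first MAC is reported with five full authentications in under three minutes across three NAS addresses, while the other two clients stay under the threshold. Against a real export, run it over the busiest hour and compare the flagged count with the number of laptops: if most clients appear, the problem is roaming without CCKM rather than a few misbehaving machines.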

wackerk24 Thu, 08/30/2007 - 19:33

Thanks for your comments. We are running WPA with LEAP via ACS 3.3 to MS AD. We disable CCKM because we were having problems with the Intel client supporting this feature correctly. I was under the impression that in the LWAPP environment during a roam the controller already knew the client was authenticated and didn't have to do a re-authentication? Also in our autonomous environment we run WDS servers which are supposed to do the same thing so the client doesn't have to do a full reauthentication. Please correct me if I'm misunderstanding. Thanks again for your help!

rseiler Thu, 08/30/2007 - 20:57

If you are not using CCKM on the client, then you are not fast roaming. This is regardless of autonomous with a WDS server or centralized (LWAPP). Without CCKM, the AP or controller is not participating in the auth and cannot cache the credentials.


This is a common misconception.


Microsoft zero config has *no* support for fast roaming, so you will need to use the Intel ProSet client and confirm that 'Cisco CCX Extensions' and CCKM is enabled.


I don't believe any client but Cisco's ADU supports fast roaming with LEAP. In most cases you will need to run WPA2/PEAP-MSCHAPv2 and CCKM (NOT 802.1x) with the Intel client.


Note that if you enable WPA1+WPA2 and/or 802.1x+CCKM on the LWAPP controller then you will most likely *not* negotiate CCKM with the client. For the SSID that you want fast roaming, enable WPA2 only and use CCKM (only).


I am assuming that you are running OS version 4.0.206 or higher on the controller and at least an Intel 2200BG with ProSet 10.0 or higher.

wackerk24 Fri, 08/31/2007 - 05:23

Thanks for your comments. We are running version 4.1.171.0 on the controllers and Intel 2915/3945 with ProSet 11.1 or higher. So would you recommend on the SSID I want fast roaming to work I only enable WPA2 and CCKM without using LEAP at all? Thanks for all and any feedback.

rseiler Thu, 08/30/2007 - 21:08

Some additional comments:


How many access points do you have? How many are LWAPP and how many are IOS?


How many WDS servers do you have? How many LWAPP controllers?


Can the IOS APs 'see' the LWAPP APs (or vice versa)?


This can potentially be a problem. Note that there is no fast roaming support between WDS servers, regardless of running CCKM. Roaming between multiple LWAPP controllers only works with a correct mobility group configuration, and CCKM.


A WDS server only supports 32 APs with the radio enabled, or 64 as standalone.

wackerk24 Fri, 08/31/2007 - 05:34

In our LWAPP environment we have 197 AP's and there are no IOS based AP's at this location. We have 2 WISM (4 controllers) running only 2 of these currently. First floor is on controller 1, 2nd floor on controller 2, 3rd floor on controller 1 and so on. There are five floors plus a basement. In our Autonomous campus we have 75 AP's and 2 WDS servers. Our LWAPP controllers are in the same mobility group but we do have CCKM disabled because we were taking a slew of errors via syslog when we had this enabled previously.

rseiler Thu, 08/30/2007 - 21:13

What hardware is the ACS 3.3 server running on (CPU/SDRAM/OS) and what *exactly* is the version (see the login page)?


ACS 3.3 is quite old (7 years) and has been patched no less than 13 times. Hopefully you are running ACS 3.3(13) or higher.

wackerk24 Fri, 08/31/2007 - 05:48

We are running ACS 3.3(1) Build 16.

Server Specs:

Server 2000

2GB of RAM

1.2 GHz Intel


These servers are due for replacement but I'm waiting for ACS 5 which is slotted for November/December timeframe.

Rob Huffman Fri, 08/31/2007 - 05:01

Hi Richard,


Some really great info in this thread! 5 points for your continued good work here :)


Thanks,

Rob

wackerk24 Wed, 09/05/2007 - 11:49

We are currently testing the Cisco CB21ABG card with ADU 3.6, WPA+TKIP+CCKM as well as Intel 3945 WPA+TKIP+CCKM. Thus far testing is going well and we aren't experiencing the disconnects we were previously while roaming. We are extending the testing today to a nursing unit with 18 laptops to see if we still get good results. After speaking with Cisco the only supported configuration for fast secure roaming is the above config. They don't support WPA2+AES+CCKM. I will report back with results once I get them. On a side note we are still seeing the CB21ABG card doing a full reauthentication against ACS every once in a while. CCKM is working correctly 90% of the time but still not 100%. This is another issue we're still working with Cisco on.
