Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Problem with a lot of logins per user

We are using 2 (4 controllers) WiSM version 5.2.178.0 Controllers with WPA2/CCKM 802.1x EAP-MSCHAPv2 using freeradius v2 and eDirecvtory as backend.

About 500 1142 AP:s and 2400 clients.

The clients are running unmanaged Windows 7.

Clients are authenticating about 10- 20 times in a minute.

This causes heavy load on the Radius/eDirectory servers.

The clients having Atheros AT9285 wifi card without CCX support.

Our users also complains about having to reconnect frequently.

Any ideas how to reduce radius logins?

Henrik Hartelius

*Sep 14 16:37:59.825: c4:46:19:61:57:58 Unable to compute a valid PMKID from dot1x PMK cache for mobile c4:46:19:61:57:58

*Sep 14 16:37:59.825: c4:46:19:61:57:58 Found an entry in the global PMK cache for station c4:46:19:61:57:58

*Sep 14 16:37:59.825: CCKM: AA (6)

*Sep 14 16:37:59.825:      [0000] fc fb fb d8 7a a0

*Sep 14 16:37:59.825: CCKM: SPA (6)

*Sep 14 16:37:59.825:      [0000] c4 46 19 61 57 58

*Sep 14 16:37:59.825: CCKM: AA (6)

*Sep 14 16:37:59.825:      [0000] fc fb fb d8 7a a0

*Sep 14 16:37:59.825: CCKM: SPA (6)

*Sep 14 16:37:59.825:      [0000] c4 46 19 61 57 58

*Sep 14 16:37:59.825: c4:46:19:61:57:58 Unable to compute a valid PMKID from global PMK cache for mobile c4:46:19:61:57:58

*Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 RUN (20) Change state to START (0) last state RUN (20)

*Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 START (0) Initializing policy

*Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 START (0) Change state to AUTHCHECK (2) last state RUN (20)

*Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)

*Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 8021X_REQD (3) Plumbed mobile LWAPP rule on AP fc:fb:fb:d8:7a:a0 vapId 6 apVapId 1

*Sep 14 16:37:59.825: c4:46:19:61:57:58 apfPemAddUser2 (apf_policy.c:210) Changing state for mobile c4:46:19:61:57:58 on AP fc:fb:fb:d8:7a:a0 from Associated to Associated

2 REPLIES

Re: Problem with a lot of logins per user

If the client does not use CCX, then you should not be using CCKM as the keying method, you should use 802.1x.  But from what I am seeing, the client is not sending a valid PMK, so we can't fast roam them, they have to do a full AAA authenticaiton.  My other normal suggestion would be to check for updated drivers but as they are "unmanaged, this may not be feasible

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

Re: Problem with a lot of logins per user

I have checked 802.1x and CCKM under Wlan security, is that a problem?

It seems like the clients are roaming a lot, and what I understand, if I don't have CCXv4 support on the clients,

CCKM don't working and the client have to do a full 802.1x authentication including radius requests, whenever it's roaming. I'm I right?

411
Views
0
Helpful
2
Replies
CreatePlease to create content