cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8776
Views
5
Helpful
19
Replies

Client drops - Tuning EAP timers?

emily00001
Beginner
Beginner

I have had some clients complaining (laptop users) about being dropped from the WiFi and this appears to correlate with the events in the WLC log for DOT1X-4-MAX_EAPOL_KEY_RETRANS for those clients.

Drops are more frequent when the network and neighbours networks are under load during the day.

What would your advice be on tuning this? I based my settings off a guide found here:

https://supportforums.cisco.com/document/46101/eap-timers-wireless-lan-controllers

The way I interpret this is that the settings present a bit of a tradeoff between the risk of being dropped and the time it takes to get back in if you are dropped.

We have a WLC 2500 with 2700 APs running 7.6.130.0.

Below are the current settings that we have set:

 

Edit: Table did not paste correctly

Local Auth Active Timeout1 (in secs) "300"

Identity Request Timeout (in secs) "5"

Identity request Max Retries "12"

Dynamic WEP Key Index "0"

Request Timeout (in secs) "30"

Request Max Retries "2"

Max-Login Ignore Identity Response "enable"

APOL-Key Timeout (in milliSeconds) "1000"

EAPOL-Key Max Retries "2"

EAP-Broadcast Key Interval(in secs) "3600"

 

 
2 Accepted Solutions

Accepted Solutions

There are know issues with Apple on controller code v7.6.100.0-v7.6.120.0.  There are current stability issue with Yosemite and iOS code.  You can find more info on Apple forms regarding that. 

-Scott

-Scott
*** Please rate helpful posts ***

View solution in original post

I wouldn't upgrade to v8.0.x, but that's me. Look at optimizing your wireless to be honest and know of what client devices have issues, because there is only so much you can do to help with stability. The fix would be by the manufacture of the NIC drivers. 

-Scott

-Scott
*** Please rate helpful posts ***

View solution in original post

19 Replies 19

Sebastian Helmer
Contributor
Contributor

Cisco best practise is a Identity Request Timeout of 30 sec

I would try that first..I also configure a retry of 5 than 2..try it step by step

 

http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html#pgfId-379881

Identity Request Timeout of 30 seconds is default and we also experienced the drop problem when running that. We also had retry of 2 the default then.

Since laptops are what I'm getting most reports of dropping I would assume that the drop is not due to slow response and that timeout shouldn't be a factor in such a situation and I would assume that it happens as a consequence of interference? We're in a pretty crowded and central spot.

I don't think it's your timers. You can look at the stats on the WLC for the radius and if you see low milliseconds and not a lot of retries, then it's not that. Understanding what is really happening is the key. Going to the area where the complaints are and seeing it for yourself eliminates users providing you with bad info. Can it be interference from other wireless, sure it can, but you need to make sure that's the issue and not your WLAN configuration. 

-Scott

-Scott
*** Please rate helpful posts ***