802.1X auth errors .... (or .... ?)

@CraigBeck ... Putting my faith in you here, aswell as the other experts.

Dived into a rather strange issue today, which I had not too much time onsite to troubleshoot - so while waiting for next opportunity to look at this, maybe some others have had these issues;
 -On all 802.1X secured networks, random disconnection issues arise. Clients are disconnected for no particular reason, then reconnects automatically. From the NPS logs we see only reauthentication, which is successfull. Wireless Controller logs show no deauth for that client, only successful reauths.

This is, very very most super unlikely RF problem, as the issues is organization wide, for both dense and sparse deployments - in RF-crowded environments, and RF-uncrowded enviroments - with no neighbouring APs. This also happens to all types of clients (Win7, Win8, OsX, iOS, Androids ++)

The only common is NPS server and wireless controller --- logs OK for both.
Win2008R2 NPS
Aruba 7210 controller ... which I really is supposed to be on top of --- any ideas 802.1X auth-wise?

btw; one lead might be the Pairwise Master Key ---- which we're looking in to
LVL 23
Jakob DigranesSenior ConsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
@jakob - I'll try my best :-)

I'll assume you're using WPA.  I think you're looking at the right thing by investigating the PMK... It sounds to me like the client is reauthenticating due to the rekeying timeout coming before the EAP session is expired, or (less likely IMO) the GTK is being rotated due to a client disconnection.  Either will probably result in a reauthentication.

I'd try to disable the session timeout on the SSID and see if that helps.

The NPS will only log authentication attempts so I don't expect to see any deauth messages in there.  I'd head to the controller for that.  Can you do a client debug at the controller to see what happens just before a client reauths?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jakob DigranesSenior ConsultantAuthor Commented:
Thanks --- will look into this over the weekend. A lot of holidays and constitution days in Norway, so rather low speed the last week. Will keep you posted !
Jakob DigranesSenior ConsultantAuthor Commented:
looks like it was solved during some radio settings tweaking - most likely timeouts and disconnects leading to continous re-auths ...

thanks !!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.