So are you saying that the OCSP/CRL checking is done every time you connect to a new AP and this is causing up to a 30 second delay for people?

Just want to make sure I understand it.

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Dec 5, 2013 at 12:14 PM, Marcelo Lew <[email protected]> wrote:

> Yes on both.
>
> It is unclear to me however why a Mac would check CRL when roaming between
> WAPs. Seems like a bug to me.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] *On Behalf Of* Osborne, Bruce W
> (Network Services)
> *Sent:* Thursday, December 05, 2013 7:20 AM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Eapol-Rate-Optimization
>
> Are you sure the CRL server is accessible from the client? Turning off
> that check sounds like an added security risk.
>
> *From:* Marcelo Lew [mailto:[email protected] <[email protected]>]
> *Sent:* Wednesday, December 4, 2013 11:32 AM
> *Subject:* Re: Eapol-Rate-Optimization
>
> We also tried "EAPOL-rate-opt". It did help with the Mac roaming issue,
> but it adds too much overhead and affects throughput quite a bit. We are
> on 6.3.1.1, and I still see the issue (testing on MacBook running
> Mavericks). Only fix that worked (per user fix) for us, is unchecking OCSP
> and CRL under keychain/preferences/certificates.
>
> Marcelo
>
> Marcelo Lew
> Wireless Network Architect & Engineer
> University Technology Services
> University of Denver
> Desk: (303) 871-6523
> Cell: (303) 669-4217
> Fax: (303) 871-5900
> Email: [email protected]
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]<[email protected]>]
> *On Behalf Of* Jeff Kell
> *Sent:* Tuesday, December 03, 2013 7:44 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Eapol-Rate-Optimization
>
> On 12/3/2013 9:34 PM, Wright, Don wrote:
>
> Just curious, have any Aruba shops tried enabling "EAPOL rate
> optimization" to try helping with the Apple roaming/dropping issue? It's a
> new setting in 6.1 and while it didn't help in my testing, I've heard
> others have had success with it. Would someone care to update with details?
>
> We have had issues with MacOS devices and roaming. Three "variables" were
> suggested - OKC, PMKID, and EAPOL-rate-opt.
>
> We had OKC / PMKID both enabled, no EAPOL-rate-opt, and "interval between
> ID requests" at 30 seconds. Wandering around a well-covered building with
> a MacOS laptop pinging a fixed target and it would disassociate /
> reassociate / reauthenticate with significant delay in between; Windows
> laptop did not have this issue (maybe drop a packet or two between roaming
> targets). We tried disabling OKC by itself, but it seemed to make no
> difference. This was discussed on the list before so I'll not repeat the
> whole issue.
>
> We tried the EAPOL-rate-opt, and we would drop a handful of pings, but
> essentially keep a connection intact. So yes, it did appear to help. It's
> not 100% still (is anything wireless ever 100%?) but was a solid
> improvement over the previous case.
>
> We're still "grabbing at straws" to improve the mobility, and hoping
> perhaps the "sticky client" voodoo in 6.3 might help the issue as well.
>
> Jeff
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
