03-12-2019 02:38 PM - edited 03-12-2019 02:53 PM
Bear with me because this issue is a bit hard to explain. The high level synopsis is that in the lab we're seeing some strange behavior for our IoT devices when we turn on MBA with Windows NPS as the backend RADIUS server (though we don't think NPS is part of the problem, we see it when using the built in RADIUS server as well).
Internet <--> USG Pro4 <--> [various USW] <--> [NanoHD's]
^--> Windows NPS --> MAC accounts in Active Directory with no group policy applied to them other than "Deny logon locally/as a service/etc". We're logging accounting data to a SQL Server, and all clients are authenticating correctly, no errors are being logged (I can share that table data if anyone thinks it's helpful).
Configuration for NanoHD's
- WPA Personal for encryption
- Block LAN to WAN Multicast disabled (for now)
- Fast roaming is on
- GTK rekeying is on
- Multicast enhancement is on
- !! Connect high performance to 5ghz is ON
Configuration for RADIUS Profile:
- RADIUS assigned VLAN for both wired and wireless is on (we're configuring this via NPS policies)
- Accounting and Interim Update are both on
Assume everything is setup correctly and functioning perfectly (no errors or alerts in the Controller software, clients are authenticating fine, etc...we've triple checked all of this), this is more of a "why is it doing this type of question). Also assume all of these clients are wireless, and not wired (we haven't gotten to that part of the pilot yet).
We're in the lab building out a reasonably sized test network for proof of concepts before widely deploying Unifi hardware, we have about 50 wireless clients of various types, and when we had them strictly on a WPA2 Personal SSID with the above parameters, the split between 2.4ghz and 5ghz clients was what we expected: All clients capable of 5ghz connections were using 5ghz, and clients not capable of 5ghz were using 2.4ghz, about a 70/30 split with the majority using 5ghz.
As soon as we introduce MBA, clients start falling back to 2.4ghz for seemingly no reason at all (5ghz clients are no longer connecting to 5ghz). The only events we see in the Controller are the normal "x connected to y, x roamed to y" etc. No latency events, no problems at all (this is a very tightly controlled lab, we haven't introduced any kind of "chaos" yet). **ALL** of these clients are wireless, we haven't started testing 801.x stuff for our IoT devices that will be wired.
The split is about 50/50 2.4/5.0 with MBA on, down from our expected 5ghz clients use 5ghz, and 2.4ghz clients use 2.4ghz, and again nothing changes other than ticking the MBA stuff in Controller. Devices don't move, AP's don't change. We've done channel scans, we've removed AP's, and left to its own, 5ghz devices start falling back to 2.4ghz.
Questions and Concerns:
- Why are more clients falling back to 2.4ghz when MBA is introduced? We can reliably make this happen simply by introducing MBA, with nothing else changing at all. What would make this happen, e.g. how does Unifi decide "oh, well, this 5ghz device needs to be on 2.4gzh)?
- How does Unifi determine what clients honor the "connect high performance to 5ghz" setting?
- Is there anything we should be looking at on the Windows NPS side of things? So far the policies are very simple, just "use windows groups to authenticate" etc. Nothing complicated at all.
Really we're just trying to understand the fallback so we can plan appropriately (e.g. set stakeholder expectations for certain types of devices or whatever it is that is triggering the fallback, though some of the devices that are falling back are not acceptable due to SLA requirements, so we're fairly concerned about those...high value devices like tablets are falling back, but again it seems to be random).