ads

Style6

Style3[OneLeft]

Style3[OneRight]

Style4

Style5[ImagesOnly]

Style2

Disable Juniper Ports

Problem:  

How to shutdown a Juniper switchport or interface.  This simple JUNOS task frustrates Cisco-minded folks.  So where does JUNOS hide the shutdown command?

Solution:  

"Disable" is the JUNOS command for "shutdown".  Examples:

     Disable:        root@host> set interface ge-0/0/1 disable
     Enable  root@host> del set interface ge-0/0/1 disable

That's it!

Clear BGP Sessions

Problem: 

How to reset BGP peering and re-announce BGP routes.  Inbound traffic is supposed to traverse through the preferred ISP.  However, traffic splits between different ISPs after maintenance or short outages.

Solution: 

Clear BGP sessions to update BGP routes after an outage or maintenance.

Command: 

     clear bgp neighbor soft

This processes re-announces BGP routes to upstream neighbors. Clear a BGP session whenever inbound/outbound policy changes are made; or after outages or maintenance.

Before: 

After:

That's it!

Troubleshoot Wi-Fi Legacy Data Rates

Summary:

How to troubleshoot smartphone or tablet that can't connect to Wi-Fi network due to legacy data rates (e.g., 802.11a, 802.11b and 802.11g).

Problem:

Staff member's personal smartphone won't connect to the guest Wi-Fi network.  All other devices connect to wireless network without issues.

Problem Device:
  • Older Kyocera Android phone.  
  • Problem device only connects with 2.4GHz radios.

Topology:

Multiple access point and wireless controller.  Single 2.4GHz SSID broadcast throughout the office.  Recent changes were made to roaming, data rates/ cell size, and power tuning (background).  Independent BSSIDs broadcast on separate radios: 802.11na and 802.11ng.    Legacy 802.11b data rates are disabled. The network continues support for 802.11G data rates (i.e., 54 Mbps):
set service-profile Guest_2.4 transmit-rate 11g mandatory 12,24.0,36.0,48.0,54.0 disabled 1.0,2.0,5.5,6.0,9.0,11.0,18.0 beacon-rate 24.0 multicast-rate AUTO

Solution:

  1. Identify client session:
    
    *WLC# sh sessions network verbose
    
    Name:               last-resort-Guest 2.4GHz-570
    
    SSID:               Guest 2.4GHz
    
    MAC:                6c:xx:xx:xx:xx:xx
    
    AP/Radio:           1/1
    
    State:              DEASSOCIATED
    
    Device type:        android-generic (AAA)
    
    Radio type:         802.11ng
    
    Last packet rate:   6.0 Mb/s
    
    Last packet RSSI:   -49 dBm
    
    Last packet SNR:    46
    
    Session interpretation:
    • Session state is deassociated.  
    • Excessive of roaming attempts.  
    • Good signal strength and SNR.  
    • Last packet rate is only 6.0 Mb/s. 
    Data indicates the phone probably uses legacy wireless standards -it's old!

  2. Enable log tracing to debug connection attempts:
    *WLC#set log trace enable severity debug
    *WLC#set trace dot1x level 10 mac
    *WLC#set trace sm level 10 mac
    *WLC#sh log trace
    SM Apr 14 13:45:08.197931 DEBUG SM-EVENT: Cannot set ipaddr for 6c:76:60:59:9e:6a
    SM Apr 14 13:45:08.743477 DEBUG sm_do_flood_announce: 6c:76:60:59:9e:6a flood announce
    SM Apr 14 13:45:16.176513 DEBUG SM-EVENT: (4601) rssi -69, rate code 0x0018, idle 48 secs
    SM Apr 14 13:45:16.176661 DEBUG SM-EVENT: (4601) idle timer 132755 left, reset to 132000 ms
    SM Apr 14 13:45:16.177599 DEBUG SM-EVENT: (4556) rssi -56, rate code 0x0018, idle 9 secs
    SM Apr 14 13:45:16.177756 DEBUG SM-EVENT: (4556) idle timer 150259 left, reset to 171000 ms
    SM Apr 14 13:45:16.179532 DEBUG SM-EVENT: (5415) rssi -76, rate code 0x0018, idle 20 secs
    SM Apr 14 13:45:16.179653 DEBUG SM-EVENT: (5415) idle timer is tracking (160258 to go)
    SM Apr 14 13:45:16.180066 DEBUG SM-EVENT: (4551) rssi -63, rate code 0x0018, idle 6 secs
    SM Apr 14 11:12:44.674414 DEBUG SM-DOT11: sm_dot11_handle_deassociate: ev type 5 (good), token 0, mac 6c:76:60:59:9e:6a
    SM Apr 14 11:12:44.674576 DEBUG SM-STATE: (2462) mac 6c:76:60:59:9e:6a, flags 1801800028834dh, to change state ACTIVE -> DEASSOCIATED, by sm_dot11_handle_deassociate
    Log Interpretation:
    • SM=Session Management.
    • SM-DOT11=World Mode Multi-Domain Operation.  The DOT11D option makes access points advertise local settings, such as frequencies and power levels.
    • Rate code 0x0018 = 11Mb per Multi-band Atheros Wi-Fi (MADwifi) 5212.
    The deassociation was based on DOT11D.  In other words, due to AP frequency or power level restrictions.

  3. Check the configuration for frequency or power restrictions:
    set service-profile Guest_2.4 transmit-rate 11g mandatory 12,24.0,36.0,48.0,54.0 disabled 1.0,2.0,5.5,6.0,9.0,11.0,18.0 beacon-rate 24.0 multicast-rate AUTO
    Snap!  The service profile indicates that devices must connect at a minimum, 12Mbps -normally good policy.  However, we have a single client that can only connect at 6Mbps.

Available Options:

  1. Remove 6Mbps from the list of disabled data rates.  N.B., Legacy devices on the BSSID has a negative impact for the entire wi-fi network. Is one person worth the trouble?  It certainly is if that person is your boss!
  2. Create a dedicated legacy SSID -diplomatic solution.
  3. Ask the employee to get rid of the stone-age device!   Suggest or provide a modern device that handles 802.11na!
 Thant's It!

References:

http://www.cisco.com/web/techdoc/wireless/access_points/online_help/eag/123-02.JA/1400BR/h_ap_network-if_802-11_c.html
http://web.mit.edu/freebsd/head/sys/dev/ath/ath_hal/ar5212/ar5212_phy.c

Fix iPhone Wi-Fi Problems: Part I

Executive Summary:

How to fix iPhone Wi-Fi problems.  Why can't that shiny new iPhone stay connected to the wireless network?  FYI, it's probably not your IT department's fault.  There are steps, however, that can be made to improve the overall connection.  Target audience is for IT professionals but this information is helpful for all end-users.












Problem:

Complaints of poor iPhone (Wi-Fi) performance. iPhones are inconsistently kicked off the Wi-Fi.  iPhones may only connect at low data rates.  End-uses are frustrated when iPhones and iPads disconnect.

Topology:

Corporate Wi-Fi uses Juniper wireless controllers and access point (APs).  Most smart phones connect to dedicated guest network. Wireless network seems to work well for most Android and Windows devices. Majority of problems are with iPhones and iPads.  N.B., topology is similar to Cisco controllers.  Topology is also similar, to a lesser extent, to personal wireless systems.

Symptoms:

iPhones and iPads experience disconnects, delays, packet drops, or total loss from Wi-Fi network. In other instances, Apple devices consistently connect to 802.11n networks at 24Mbps.

Cause:

Aggressive roaming causes most Wi-Fi problems for iPhones and iPads.  Roaming occurs when multiple APs broadcast identical SSIDs.  These Apple devices are quick to jump ship compared to other clients (e.g., Android). Excessive roaming causes wireless drops, slow data rates, and poor battery life.  What's more, all roaming decisions are made by wireless client (i.e., iPhone) –not the wireless AP or controller.

Additional factors can also influence wireless grief:  iPhone standby settings; spectrum preference; legacy rates; encryption; and signal strength -too much or too little.

Influencing Factors: 


  1.  Power save handler. iPhones enter standby/ sleep mode based on application activity. iPhones generally disconnect Wi-Fi in standby mode. End-users should understand this behavior is by design (à la Apple). It is not a limitation of their corporate Guest network.
  2. Roaming. Clients may disconnect if the roaming process takes too long.
  3. Spectrum preference. iPhones prefer the 2.4GHz spectrum over the 5Ghz spectrum. Wireless clients work best on the 5GHz spectrum. Consider disabling 2.4GHz radios from the APs.
  4. Data Rates. Legacy 2.4GHz data rates (e.g., 802.11b and 802.11g) harm 802.11n wireless networks. Disable 802.11b and consider disabling 802.11g (i.e., adjust roaming cell size). Wireless networks realize 30% to 50% increases in throughput after disabling 1,2,5.5, and 11 Mbps data rates.
  5. Encryption and Ciphers. WPA and TKIP caps/limits Wi-Fi networks to 54Mbps. Juniper recommends only implementing WPA2 with CCMP cipher for 802.11n transmissions. Pre-shared key is acceptable. 802.1X (i.e., WPA2-Enterprise) is better.
  6. Range. Signal strength affects client roaming decisions. 802.11b (2.4GHz) has nearly twice the range of 802.11a (5GHz). Adjust radio power levels (i.e., transmit power) so that 5GHz RSSI is great than the 2.4GHz RSSI. For example, set 2.4GHz to 4 dBm; and set 5GHz to 12dBm. 

Power Save:

Apple IOS devices (e.g., iPhones and iPads) use standby/ sleep mode to improve battery life. The phone enters standby five minutes after it locks (i.e., requires PIN to unlock). Active sessions (e.g., web download) transition to standby after thirty minutes.

In most situations, the iPhone disconnects Wi-Fi after it enters standby. It makes sense –who enjoys one hour power? Non-persistent Wi-Fi becomes less of an issue because most devices automatically reconnect when unlocked. N.B., auto-connect introduces security risks via Man-in-the-Middle (MMTM) –we’ll save that discussion for another day.

In some circumstances, there are exceptions to Apple’s non-persistent Wi-Fi policy. For example, some applications use a background task handler (e.g., Exchange ActiveSync) that keeps Wi-Fi connected at all times. Other users experience persistent Wi-Fi while streaming music via Spotify or Pandora.

Provide a power source (i.e., plug it in) or entirely disable the screen lock (also not recommended) are alternate methods for Wi-Fi persistence.

Roaming Rates

Normally, iPhones roam between APs within a few milliseconds. However, in some circumstances clients may take up-to five seconds to complete –ay caramba! Most APs disconnect the session after three minutes. End-users without auto-connect require manual reconnection. Either way, it’s best to keep roaming to a minimum.

Spectrum Preference:

iPhones often prefer the 2.4GHz over 5Ghz spectrum. This 2.4GHz preference is not necessarily by design. The preference results from a combination of roaming thresholds, dual-band APs, and imprecise interpretation of the RSSI signals.

Why does spectrum matter? 2.4 GHz only provides three non-overlapping channels: 1, 6, and 11. In addition, the majority of wireless devices operate on the 2.4GHz spectrum. In contrast, the 5 GHz spectrum provides 23 non-overlapping channels. Relatively few devices use the 5GHz spectrum.

For example, a quick wireless scan shows a total of 81 neighbor APs within range of my office.


This scan shows 86% of my neighbors transmit on the 2.4GHz spectrum; compared to only 13% on the 5GHz spectrum.



This data also shows only six 5GHz channels are in use. That leaves us with 16 pure unused virgin 5GHz channels for unadulterated throughput! Contrast that with the surrounding APs (all 70 of them) saturating the only three 2.4GHz channels: 1, 6, and 11. Additionally, microwaves and cordless phones operate on the same 2.4GHz spectrum.

What is the actual impact of an entire office building sharing the same three channels? Expect a wide range of clients and usage in large office buildings. Neighbor APs share the limited bandwidth across wireless channels. 802.11g radios provide roughly 300Mbps of total throughput. Wi-Fi bandwidth increases (per SSID) with 802.11ng and MIMI antennas. These innovations may further reduce neighbors’ throughput by up to 90%.


Table 1. 
Comparison of Wi-Fi Rates and Channels
Standard
802.11a
802.11b
802.11g
802.11ng
802.11na
Spectrum
(5GHz)
(2.4GHz)
(2.4GHz)
(2.4GHz)
(5GHz)
Max Speeds
54 Mbps
11Mbps
54Mbps
300Mbps
 300Mbps
Range
50 feet
100 feet
100 feet
50 feet
 50 feet
Non-overlapping Channels
24
3
3
3
24

Spectrum Throughput

Data can transmit roughly twice as far over the 2.4GHz spectrum compared to the 5GHz spectrum. The range is impressive but it’s not necessarily better. For example, it’s prudent to keep wireless beacons confined to the office perimeter (i.e., security).

Additionally, 2.4GHz has a negative impact on client data rates and roaming. Sticky clients (e.g., Android) may connect from the parking lot at 1Mb connection rate. These clients may be stuck with low connection rates throughout the day because of their low roaming aggressiveness. Recall the negative impact legacy rates have on the entire network. Likewise, non-sticky clients may experience unnecessary roams. Also, consider the negative impact of signal noise. Wi-Fi works better when it doesn’t detect every neighbor on the block.

RSSI, SNR, and Throughput:

Data transmission rates (i.e., throughput) can be estimated in relation to RSSI and Signal Noise Ratio (SNR). RSSI is the RF signal strength. Large RSSIs represent strong signal strength. For example, -60 dBm is greater than -70 dBm.
SNR is an expression of signal strength minus signal noise. SNR generates a positive number expressed in decibels (dB). For example, SNR is 20 if the RSSI value is -75db and Noise value is -95db. In general, SNR above 20 dB is an acceptable level for transmission.

Table 2.  Legacy Data Rates Estimates.
Rate (Mb/s)
1
2
5.5
11
6
9
12
18
24
36
48
54
SNR (dB)
4
6
8
10
4
5
7
9
12
16
20
21
Signal level (dBm)
-81
-79
-77
-75
-81
-80
-78
-76
-73
-69
-65
-64

Table 3.  802.11ng (2.4GHz) Data Rate Estimates.
2.4GHz Rate (Mb/s)
(20MHz)
14.4
28.9
43.3
57.8
86.7
115.6
130
144.4
SNR (dB)
11
14
16
19
23
27
28
29
Signal level (dBm)
-82
-79
-77
-74
-70
-66
-65
-64

Table 4.  802.11na (5GHz) Data Rate Estimates.
5 GHz Rate (Mb/s)
(40MHz)
30
60
90
120
180
240
270
300
SNR (dB)
11
14
16
19
23
27
28
29
Signal level (dBm)
-79
-76
-74
-71
-67
-63
-62
-61

iPhone Roaming Process:

iPhone roaming algorithm is based on AP signal strength and client activity:

  1. iPhone compares current BSSID (based on radio Mac) and other available AP BSSID signal levels.
  2. The roaming decision based on client activity: (a) idle session (phone in pocket) or (b) active session (e.g., web surfing). iPhone searches for a better signal level in both 2.4GHz and 5GHz bands.
     (a.) Idle clients search for new BSSIDs when current signal strength is -70dB or less (e.g. -71dB).

  • iPhone roams when it locates another AP with a signal at least +12dB better.
  • iPhone scans in 90 second intervals until its current signal strength improves (e.g., -69 dB) or it locates a different BSSID with 12dB stronger signal strength. 
     (b.)  Active client attempts to locate a stronger signal if current signal strength is -70dB or less.

  • iPhone chooses new BSSID if it has +8dB or greater RSSI.
  • iPhone continues to scan in 90 second intervals until current signal improves or locates a different BSSID at least 8 dB or better. 
Extenuating factors also influence iPhone roaming decisions: (a) Different spectrum signals and (b) client detection imprecision.

The 2.4GHz signal is roughly 7dB higher than the 5GHz signal. Physical attributes of BSSID antenna accounts for the difference in signal strength -it is not a limitation of the AP. By itself, the +7dB difference between RSSI strength is not enough to initiate roaming. Recall, the iPhone only initiates roaming after it identifies a BSSID  with RSSI at least +8dB or greater.

Wireless roaming reaches critical mass the client does not measure RSSI accurately (i.e. client imprecision).  This imprecision accounts for an additional plus or minus 4dBs. In other words, iPhones generally prefer 2.4GHz radios over 5GHz radios

Encryption and Ciphers

WPA and TKIP slows Wi-Fi traffic connection rates to a maximum 54Mbps. These standards are superseded by WPA2 encryptions and CCMP cipher. Do not enable WPA2 and WPA simultaneously. Likewise, do not enable WPA2 and CCMP and TKIP.

*Read the following post for specific fixes, recommendations, and best practices.

References: 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/iPhone_roam/b_iPhone-roaming.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20295&actp=search&viewlocale=en_US&searchid=1301446020120
http://www.greatwhitewifi.com/2015/07/12/fixing-hallway-fi-vol-1/
http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-the-quot-beacon-rate-quot-profile-work/ta-p/179242
http://kb.juniper.net/InfoCenter/index?page=content&id=KB28153&actp=search&viewlocale=en_US&searchid=1373982600826
https://en.wikipedia.org/wiki/IPhone
http://www.juniper.net/documentation/en_US/network-director1.5/topics/concept/wireless-encryption-and-ciphers.html
http://blogs.cisco.com/wireless/wi-fi-taxes-digging-into-the-802-11b-penalty
http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/8-0/Cisco_Aironet_3700AP.html
https://www.wireless.att.com/support_static_files/KB/KB3895.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20248&actp=search&viewlocale=en_US&searchid=1456780940943
https://www.youtube.com/watch?v=tihSXW6Yg1M

Fix iPhone Wi-Fi Problems: Part II




Summary

   Folks get frustrated when Wi-Fi doesn't work with their iPhones and iPads.  There are times when iPhones can't connect, frequently disconnect, or experience poor data rates.  

   The previous post examines six different wireless problems associated with iPhones and iPads:  Standby settings; spectrum preference; legacy rates; encryption; and signal strength.

   This post provides specific solutions that resolve iPhone Wi-Fi problems.  It includes Juniper wireless controller (WLC) configuration examples.  However, these recommendations generally apply to all wireless systems (e.g., Cisco, Aruba, etc.).  These practices also apply to personal wireless systems at the home.  

Recommendation 1:  Influence Roaming.

   iPhones prefer the 2.4GHz band due to differences in transmission and client imprecision.   Both factors cause unnecessary roaming between dual bands on a single AP.
Best Practices:
  1.  Use 5GHz for most situations.

       Disable 2.4Ghz radio; or implement band segregation that dedicates unique SSID per spectrum (e.g., Pub-2.4 and Pub-5GHz).

       Dynamic auto power transmission (tx-power) does not influence single-AP roaming when bands are segregated by SSIDs.  However, do consider how power impacts the long range of 802.11bg networks (e.g., sticky client syndrome).  Far reaching 11bg signals also introduce security vulnerabilities.  Long distance range is not always desirable.
  2.  Take precautions to limit dual-band roaming for situation where band segregation is not possible.  Influence iPhone 5GHz preference via signal strength.  Keep 2.4GHz RSSI 11dBs lower than the 5Ghz RSSI. Insufficient 5GHz coverage is the exception.
  3.  Load-Balancing is for high density user base situations. Disable load balancing if it’s not necessary. By all means, use load balancing for locations with heavy use. Make sure there are sufficient APs within the proximity of each client.

Recommendation 2:  Controlling Data Rates/ Cell Size.

   Nearby 802.11bg networks can decrease 2.4GHz channel throughput by 90% (another reason to tone down power levels). This is especially troublesome considering there are only three non-overlapping 2.4GHz channel,  Legacy data rates may further reduce network throughput. 5GHz is the preferred band.
Best Practices:
  1.  Disable 1, 2, 5.5, and 11 Mbps rates for 802.11a, 802.11g, 802.11na, and 802.11ng.  Set Mandatory and Beacon rates to 24Mbps on all bands except 801.11b.
  2.  Use RF detection rules to disable 802.11b clients –this requires Ringmaster.

       Alternately, set the radio type to 11ng. This approach disables 802.11b and strictly uses transmit rates defined in the service profile.

       Also consider disabling 802.11g by changing the 20MHz channel width to 40HMz. There are still a number of devices that use 802.11g –exercise with caution.
  3. Only use WPA2 RSN (i.e., AES) encryption with CCMP ciphers –no TKIP!

Recommendation 3:  Transmission Power Tuning.

   APs in close proximity to other APs may transmit overlapping cells. Overlapping cells can cause excessive iPhone roaming.
Best Practices:
  1.  Conduct site-survey to determine best coverage. Use auto-power tuning in lieu of site-survey.
  2.  Reduce power transmission rates from each AP. Avoid overlapping signals at -70 dBm (i.e., iPhone roaming). Acceptable overlapping target is approximately -81 dBm.

       802.11b (2.4GHz) has nearly twice the range of 802.11a (5GHz). Adjust radio power levels so that 5GHz RSSI is greater than the 2.4GHz RSSI. For example, set 2.4GHz to 4dBm; and set 5GHz to 12dBm.

       Some folks recommend disabling auto-power tuning. However, auto-tuning is a good alternative to simply jacking-up power rates to maximum transmission. Estimating static transmit maximums should work fine as well.

Juniper WLC iPhone Optimization Commands:

   These steps segregates dual-band radios by assigning unique SSIDs to each radio.  N.B., We can't use the GUI for this advanced configuration.
 Table 1.  Dual-Band Segregation Example.
SSIDRadio1 (2.4GHz)Radio2 (5GHz)
SSID1 Contoso_2.4GHz
 SSID2 Contoso_5GHz

1.   Create service profiles for 2.4GHz band.
*WLC# set service-profile contoso_2.4 11n mode-ng enable
*WLC# set service-profile contoso_2.4 11n mode-na disable
2.   Set 2.4GHz transmission rates.

     We cannot disable 11b transmission rates here. We essentially disable 11b later on when we assign radio type (11n/g vs 11b) in the radio-profile. Ignore 802.11b transmission rates (for now) and set mandatory 802.11g rates.
set service-profile sp_contoso_2.4 transmit-rate 11a mandatory 24.0,36.0,48.0,54.0 disabled 6.0,9.0,12.0,18.0 beacon-rate 24.0 multicast-rate AUTO
set service-profile sp_contoso_2.4 transmit-rate 11b mandatory 11.0 disabled 1.0,2.0,5.5 beacon-rate 11.0 multicast-rate AUTO
set service-profile sp_contoso_2.4 transmit-rate 11g mandatory 24.0,36.0,48.0,54.0 disabled 1.0,2.0,5.5,6.0,9.0,11.0,12.0,18.0 beacon-rate 24.0 multicast-rate AUTO
set service-profile sp_contoso_2.4 transmit-rate 11ng mandatory 24.0,36.0,48.0,54.0 disabled 1.0,2.0,5.5,6.0,9.0,11.0 beacon-rate 24.0 multicast-rate AUTO
Set 2.4 GHz 11n mode:
set service-profile sp_contoso_2.4 11n mode-ng required
set service-profile sp_contoso_5GHz 11n mode-na disable
3.   Create 5GHz service profile.

Set 11n mode for 5Ghz profile:
set service-profile sp_contoso_5GHz 11n mode-na required
set service-profile sp_contoso_5GHz 11n mode-ng disable

Set 5Ghz transmissions.
set service-profile sp_contoso_5GHz transmit-rate 11a mandatory 24.0,36.0,48.0,54.0 disabled 6.0,9.0,12.0,18.0 beacon-rate 24.0 multicast-rate AUTO
4.   Create 5GHz Radio Profile
set radio-profile rp_contoso_5GHz rate-enforcement enable
set radio-profile rp_contoso_5GHz service-profile sp_contoso_5GHz
5.   Create 2.4GHz Radio Profile
set radio-profile rp_contoso_2.4 rate-enforcement enable
set radio-profile rp_contoso_2.4 service-profile sp_contoso_2.4
set radio-profile rp_contoso_2.4 preamble-length short

6.   Optionally set power for RF transmission.

     Dedicating radios to SSIDs allows for relaxed power management -it's not entirely necessary. Consider auto-power tuning. It’s not as good as a site survey but it’s better than blasting tx-power at maximum output.
set radio-profile Shoreland_2.4 power-policy max-coverage 7.  Assign radio profiles to specific APs/Radios.

     We assign radio 1 with auto transmit power.
set ap 3 radio 1 radio-profile Shoreland_2.4 radiotype 11ng tx-power auto 8.  Optionally set channel width to 40MHz to effectivly prevent legacy devices from connecting.
set radio-profile Shoreland_2.4 11n channel-width-na 40MHz  9.  Assign service profile to APs' 5GHz radios.
set ap 3 radio 2 radio-profile Shoreland_Guest radiotype 11na tx-power auto 10.  Assign other SSIDs as needed.  Add CORP-802.1x to new radio-profile -otherwise it won't broadcast.
set radio-profile Shoreland_2.4 service-profile Shoreland_VLAN1_MF
set radio-profile Shoreland_Guest service-profile Shoreland_VLAN1_MF
Let's see if it works:
#reset ap 3

#sh ap status verbose

Radio 1 Type: 802.11ng(2x3), State: configure succeeded [Enabled]
Antenna type: INTERNAL
Operational channel: 6 (Auto) Operational power: 4
Load balance: disabled
RFID reports: Inactive
BSSID1: 00:26:3e:xx:xx:xx, SSID: Contoso 2.4GHz
Radio 2 Type: 802.11na(2x3), State: configure succeeded [Enabled]
Antenna type: INTERNAL
Operational channel: 165,-- (Auto) Operational power: 18
Load balance: disabled
RFID reports: Inactive
BSSID1: 00:26:3e:xx:xx:xx, SSID: Contoso 5.4

That’s It!
---------

Juniper Troubleshooting Commands:

Review session data on the wireless controllers. Check client roaming. Look for short connection durations; and roams between the 2.4GHz and 5GHz radios:

CONTROLLER# sh sessions network verbose
CONTROLLER# sh service-profile Public
CONTROLLER# sh ap status verbose
Things to look for:

Roaming history: Check for short connection durations; and roams between the 2.4GHz and 5GHz radios.
Confirm the device information: Device type, Last RSSI, last packet rate.

Roaming history:
Switch AP/Radio Association time Duration
--------------- ----------- ----------------- -------------------
10.10.10.2 2/1 03/11/16 16:11:20 00:04:10
10.10.10.2 2/2 03/11/16 16:10:10 00:01:10
10.10.10.2 2/1 03/11/16 16:02:27 00:07:43
10.10.10.2 2/2 03/11/16 15:52:33 00:09:54
10.10.10.2 2/1 03/11/16 15:39:17 00:13:16
10.10.10.2 2/2 03/11/16 15:33:22 00:05:55
The above example shows frequent roams between the same AP.

-Confirm the device information: Device type, Last RSSI, last packet rate.
Device type: iphone (AAA)
Radio type: 802.11ng
Last packet rate: 24.0 Mb/s
Last packet RSSI: -69 dBm
Review the service-profile:

*CONTROLLER# sh service-profile Shoreland_Guest

11n attributes
11n Mode (na): enabled
11n Mode (ng): enabled
Guard Interval: short
Frame aggregation mode: all
MSDU Max length: 4k
MPDU Max length: 64k
TxBF: disabled
Is the 2.4GHz band (i.e., 11ng) enabled?
Crypto
RSN-IE
Authentication: PSK
Encryption: RSN
Cipher: CCMP
Pre-shared-key: xxxxxxxxxxxxxxxxxxxxxxxxxx
Also, Check encryption and cipher setting. Does it use WPA or Robust Security Network (RSN)? Or both? N.B., in general, WPA uses Temporal Key Integrity Protocol (TKIP), and RSN uses Advanced Encryption Standard (AES) with the Counter Mode CBC MAC Protocol (CCMP) cipher.

Juniper recommends WPA2 (i.e., RSN) and CCMP. It does not recommend combinations of WPA, WPA2, TKIP, and CCMP. Authentication can either be pre-shared key or 802.1x. Use 802.1x for the corporate network and PSK for the Guest network.

Pay attention to the 802.11 settings as well.  

References: 

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/iPhone_roam/b_iPhone-roaming.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20295&actp=search&viewlocale=en_US&searchid=1301446020120
http://www.greatwhitewifi.com/2015/07/12/fixing-hallway-fi-vol-1/
http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-the-quot-beacon-rate-quot-profile-work/ta-p/179242
http://kb.juniper.net/InfoCenter/index?page=content&id=KB28153&actp=search&viewlocale=en_US&searchid=1373982600826
https://en.wikipedia.org/wiki/IPhone
http://www.juniper.net/documentation/en_US/network-director1.5/topics/concept/wireless-encryption-and-ciphers.html
http://blogs.cisco.com/wireless/wi-fi-taxes-digging-into-the-802-11b-penalty
http://www.cisco.com/c/en/us/td/docs/wireless/technology/apdeploy/8-0/Cisco_Aironet_3700AP.html
https://www.wireless.att.com/support_static_files/KB/KB3895.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20248&actp=search&viewlocale=en_US&searchid=1456780940943
https://www.youtube.com/watch?v=tihSXW6Yg1M