User credentials expire every few minutes

Unanswered Question
Apr 20th, 2007


I'm currently working on a test implementation of Cisco NAC with McAfee.

Everything works, the client is put into the right VLAN, etc.

But unfortunately, every few minutes (it happens in all the VLANs so it's not a specific VLAN problem or so) the Trust Agent closes the connection and the user needs to re-enter his credentials (name and password).

In the ACS logs on "failed attempts", the following appears:

message-type: authen failed

auth-failure-code: could not connect to external policy server - timeout error.

reason: a token was not returned from a policy. policy = ePO (this is the external ePo server policy).

Another strange thing is that, although several users are successfully logged in, there aren't any users shown at Reports > logged-in users...

I'm working with an internal ACS database for the user credentials.

Does anyone know what could cause this?

darpotter Tue, 04/24/2007 - 02:39

A bit fuzzy on the detail but I remember NAC has an audit feature that can authenticate someone and allow connection but then work in the background. It does this by granting a short session timeout which forces a re-authentication.

If you can, increase the logging level in CSRadius so you can see the outbound attributes. If you see a timeout of around 120 seconds this could be it.

Regarding the logged on user list... this was designed around dial. authen... acct start... acct stop. If you get RADIUS messages not in that order it stops working. Basically it tries to track the status of each device port and gets upset if it gets conflicting messages.
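
An added example, not part of the original posts and not Cisco code: one way to do the check suggested above on a captured Access-Accept, by walking the RFC 2865 attribute list and reading Session-Timeout (attribute 27). The packet bytes are constructed, and the function names and the 300-second cut-off are assumptions.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
SESSION_TIMEOUT = 27     # RFC 2865 attribute: 32-bit count of seconds
TERMINATION_ACTION = 29  # RFC 2865 attribute: 1 = RADIUS-Request (re-authenticate)

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) after validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def session_timeout(packet: bytes):
    """Seconds from Session-Timeout in an Access-Accept, or None if not present."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        if a_type == SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None

def forces_quick_reauth(packet: bytes, threshold: int = 300) -> bool:
    """True when the accept carries a timeout at or below threshold (assumed cut-off)."""
    timeout = session_timeout(packet)
    return timeout is not None and timeout <= threshold

def build_packet(code: int, attrs) -> bytes:
    """Constructed test input: header with a zeroed authenticator plus int attributes."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_packet(ACCESS_ACCEPT, [(SESSION_TIMEOUT, 120), (TERMINATION_ACTION, 1)])

if __name__ == "__main__":
    print(session_timeout(SAMPLE), forces_quick_reauth(SAMPLE))
```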

Anonymous (not verified) Tue, 04/24/2007 - 23:17

First of all, thank you for your reply.

About the time-outs, it wasn't the audit feature because I do not use an audit service (yet).

However, on the "external posture validation server" page, I've raised the time-out parameter and this seems to help a lot. Now it rarely times out.

About the logged-on user list, thank you for letting me know, I understand what you're saying but I have no idea how to change the order of those RADIUS messages. But it's not that important that they aren't shown, I was just wondering why ;-)

