Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
481
Views
0
Helpful
2
Replies

User credentials expire every few minutes

admin_2
Level 3
Level 3

‎04-20-2007 03:22 AM - edited ‎03-10-2019 03:06 PM

Hello,

I'm currently working on a test implementation of Cisco NAC with McAfee.

Everything works, the client is put into the right VLAN, etc.

But unfortunately, every few minutes (it happens in all the VLANs so it's not a specific VLAN problem or so) the Trust Agents closes the connection and the user needs to re-entry his credentials (name and password).

In the ACS logs on "failed attempts", the following appears:

message-type: authen failed

auth-failure-code: could not connect to external policy server - timeout error.

reason: a token was not returned from a policy. policy = ePO (this is the external ePo server policy).

Another strange thing is that, although several users are succesfully logged-in, there aren't any users shown at Reports > logged-in users...

I'm working with an internal ACS database for the user credentials.

Does anyone know what could cause this?

Labels:
0 Helpful
2 Replies 2

darpotter
Level 5
Level 5

‎04-24-2007 02:39 AM

A bit fuzzy on the detail but I remember NAC has an audit feature that can authenticate someone and allow connection but then work in the background. It does this by granting a short session timeout which forces a re-authentiation.

If you can increase the logging level in CSRadius so you can see the outbound attributes. If you see a timeout of around 120 seconds this could be it.

REgarding the logged on user list... this was designed around dial. authen... acct start... acct stop. If you RADIUS messages not in that order it stops working. Baically it tries to track the status of each device port and gets upset if it gets conflicting messages.

0 Helpful

Not applicable
In response to darpotter

‎04-24-2007 11:17 PM

First of all, thank you for your reply.

About the time-outs, it wasn't the audit feature because i do not use an audit service (yet).

However, on the "external posture validation server" page, I've raised the time-out parameter and this seems to help a lot. Now it rarely times out.

About the logged-on user list, thank you for letting me know, I understand what you're saying but I have no idea how to change the order of those RADIUS messages. But it's not that important that they aren't shown, I was just wondering why ;-)

0 Helpful
Customers Also Viewed These Support Documents