Strange happenings with 4.1.185

cbaser007 · ‎10-15-2007

Since moving to 4.1.185 I've started seeing a lot of these messages in my log:

MAX_EAP_IE_RETRIES_REACHED: Reached Max EAP-Identity Request retries (21) for STA00:19:7e:42:a4:fc

AND

Oct 15 14:31:01.055 dtl_net.c:1210 DTL-1-ARP_POISON_DETECTED: STA [00:11:f5:1b:93:15, 0.0.0.0] ARP (op 1) received with invalid SPA 172.XX.XXX.XXX/TPA 172.XX.XXX.X

I also get some clients that, although still connected to the AP, aren't able to ping their gateway or get anywhere else. The have to do a "repair" with Windows WZC to get working again. Anyone got any ideas?

Scott Fella · ‎10-15-2007

Well for your error, enter this in the CLI: config advanced eap identity−request−timeout 30

For your clients, that is weird to hear from a code upgrade to 4.1.185. When windows fails the way you are saying, it is due to the client and I know there is an MS hotfix for that. Can't really tell you what it is because i don't know the exact hotfix. If I find it i will post it.

-Scott
*** Please rate helpful posts ***

dennischolmes · ‎10-16-2007

What is happening is that the clients are trying to do an authentication request. That request is proxied and handed up to the authentication authority (RADIUS). If the the controller does not get the response in the alotted time it will resend the request. After a certain number of requests it will fail giving you this error. The default setting for this response time is 2 seconds. Two seconds in not enough time for the transaction to take place in several different EAP configurations. Cisco suggests you move to 12 but I agree with the other poster. 30 is good number. This is quite frequently the problem when users have to type in a name and password. I am betting that when you upgraded code it reset the value for EAP timeouts back to 2 seconds. That is probably why you are seeing it now.