"NAS Duplicated Authentication attempt" from ACS

Unanswered Question
Oct 22nd, 2007

Hi guys,

I am facing a problem with my wireless solution.

My wireless solution contains a WLC and 10-15 APs.

1) I am using the DNS method for getting the WLC IP address for the APs (mapping the FQDN CISCO-LWAPP-CONTROLLER.aja.win.ml.com to the WLC IP address on the DNS server). This is working fine for me.

2) When I try to connect my laptop to the wireless network, I get the PC's MAC listed on the WLC, and it is trying to authenticate from the ACS as well.

3) But I am seeing the following error in the ACS logs: "NAS duplicated authentication attempt", and it keeps on going.

I am really stuck here since I am not sure what this means. So please help me out if someone has had this problem somewhere before.

aravindas Mon, 10/22/2007 - 17:38

Hi guys,

If anyone has faced such issues, please post the solution for the same.



Scott Fella Mon, 10/22/2007 - 18:52

How do you have the WLC set up? When you set up your remote client in ACS, you used the management IP address, correct?

aravindas Mon, 10/22/2007 - 23:19

It's the management IP address.

Also, I got the following debugging output for the authentication process from the WLC.





Attachment: 
Scott Fella Tue, 10/23/2007 - 04:31

Okay, so let's go over how the WLC is set up. First, make sure your wireless VLANs are not part of any existing wired VLANs. How do you have the authentication set up on the WLAN SSID? How did you set up your policy in your RADIUS server?

dennischolmes Tue, 10/23/2007 - 06:25

Please extend the EAP timeouts in your CLI from 2 seconds to 12. This should solve your problem. The response is taking longer than 2 seconds to get back to the controller, so the controller resends the authentication request over and over, thus giving you a duplicate request error. Here is how to do it. I like 12 seconds in case you are using login credentials that require typing.

It is a good idea to change the RADIUS timeout to 5 seconds. The default of 2 seconds is acceptable for a fast RADIUS failover, but probably not enough for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, or if the RADIUS server has to contact external databases (Active Directory, NAC, SQL, and so forth).


This is how to verify:


(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility............ Disabled
Credentials Caching......................... Disabled
Call Station Id Type........................ IP Address
Administrative Authentication via RADIUS.... Enabled
Aggressive Failover......................... Disabled
Keywrap..................................... Disabled

Authentication Servers

!--- This portion of code has been wrapped to several lines due to spatial
!--- concerns.

Idx  Type  Server Address    Port    State     Tout  RFC3576
---  ----  ----------------  ------  --------  ----  -------
1    N     10.48.76.50       1812    Enabled   2     Enabled

IPSec -AuthMode/Phase1/Group/Lifetime/Auth/Encr
------------------------------------------------
Disabled - none/unknown/group-0/0 none/none

This is how to configure:

config radius auth retransmit-timeout 1 12
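
The timing described in the post above, as an added example that is not part of the original thread and is not Cisco code: a simplified model in which the NAS resends the same RADIUS request (same source and Identifier) each time its timeout expires, and the server flags copies that arrive while the first is still being processed. The 5-second server latency, the address 192.0.2.10, the port and the Identifier are constructed values.

```python
# Added illustration: a simplified model of RADIUS retransmission and
# server-side duplicate detection. Not ACS or WLC code; all values constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    src_ip: str       # NAS (WLC management) address
    src_port: int     # NAS UDP source port
    identifier: int   # RADIUS Identifier octet, reused on retransmission
    sent_at: float    # seconds since the first transmission


def nas_transmissions(timeout_s, max_tries, server_latency_s,
                      src_ip="192.0.2.10", src_port=32769, identifier=7):
    """Copies of one request the NAS sends before the first reply arrives.

    The NAS resends every timeout_s seconds until the reply is back
    (after server_latency_s) or it has sent max_tries copies.
    """
    sent, t = [], 0.0
    while len(sent) < max_tries and t < server_latency_s:
        sent.append(AccessRequest(src_ip, src_port, identifier, t))
        t += timeout_s
    return sent


def server_log(requests, server_latency_s):
    """Classify each arrival as 'new' or 'duplicate', keyed on source + Identifier."""
    in_progress = {}  # (ip, port, id) -> time the original request completes
    log = []
    for req in sorted(requests, key=lambda r: r.sent_at):
        key = (req.src_ip, req.src_port, req.identifier)
        done_at = in_progress.get(key)
        if done_at is not None and req.sent_at < done_at:
            log.append((req.sent_at, "duplicate"))
        else:
            in_progress[key] = req.sent_at + server_latency_s
            log.append((req.sent_at, "new"))
    return log


def duplicates(timeout_s, server_latency_s, max_tries=5):
    """Number of duplicate entries the server would log for one authentication."""
    reqs = nas_transmissions(timeout_s, max_tries, server_latency_s)
    return sum(1 for _, kind in server_log(reqs, server_latency_s)
               if kind == "duplicate")
```

With a 5-second server response, `duplicates(2, 5.0)` counts the copies sent at 2 s and 4 s, while `duplicates(12, 5.0)` counts none because the reply arrives before the first retransmission.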


aravindas Tue, 10/23/2007 - 19:30

Hi Dennis,

Thanks for the reply.

I tried this on my WLC; still not able to authenticate.


Aravind a s

aravindas Tue, 10/23/2007 - 21:40

Hi Dennis,

I applied the patch on my laptop for this authentication issue (reference KB885453).

I am seeing some changes in the ACS logs now.

Before installing the patch it was continuously failing, saying "NAS duplicated authentication attempt".

I think we also have to get "Re-key OK" for a successful authentication. That I am not seeing in the logs.




10/24/2007 13:30:47 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:28:37 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:26:26 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:26:09 Authen OK host/ESINLTECH00710.aya.win.sl.com wireless 00-1B-77-95-62-AE 29 11.106.51.1


Thanks

Aravind A S
