Oct 22nd, 2007

Hi guys,

I am facing a problem with my wireless solution.

My wireless solution contains a WLC and 10-15 APs.

1) I am using the DNS method for getting the WLC IP address for the APs (mapping the FQDN CISCO-LWAPP-CONTROLLER.aja.win.ml.com to the WLC IP address on the DNS server). This is working fine for me.

2) When I try to connect my laptop to the wireless network, I see the PC's MAC listed on the WLC, and it is trying to authenticate from the ACS as well.

3) But I am seeing the following error in the ACS logs: "NAS duplicated authentication attempt", and it keeps on going.

I am really stuck here since I am not sure what this means. So please help me out if someone has had this problem somewhere before.

aravindas Mon, 10/22/2007 - 17:38

Hi guys,

If anyone has faced such issues, please update with the solution for the same.

Scott Fella Mon, 10/22/2007 - 18:52

How do you have the WLC set up? When you set up your remote client in ACS, you used the management IP address, correct?

aravindas Mon, 10/22/2007 - 23:19

It's the management IP address.

Also, I got the following debugging output for the authentication process from the WLC ..

Scott Fella Tue, 10/23/2007 - 04:31

Okay, so let's go over how the WLC is set up. First, make sure your wireless VLANs are not part of any existing wired VLANs. How do you have the authentication set up on the WLAN SSID? How did you set up your policy in your RADIUS server?

dennischolmes Tue, 10/23/2007 - 06:25

Please extend the EAP timeouts in your CLI from 2 seconds to 12. This should solve your problem. The response is taking longer than 2 seconds to get back to the controller, so the controller resends the authentication request over and over, thus giving you a duplicate request error. Here is how to do it. I like 12 seconds in case you are using login credentials that require typing.

It is a good idea to change the RADIUS timeout to 5 seconds. The default of 2 seconds is acceptable for a fast RADIUS failover, but probably not enough for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, or if the RADIUS server has to contact external databases (Active Directory, NAC, SQL, and so forth).

This is how to verify:

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility............ Disabled

Credentials Caching......................... Disabled

Call Station Id Type........................ IP Address

Administrative Authentication via RADIUS.... Enabled

Aggressive Failover......................... Disabled

Keywrap..................................... Disabled

Authentication Servers

!--- This portion of code has been wrapped to several lines due to spatial

!--- concerns.

Idx Type Server Address Port State Tout RFC3576

--- ---- ---------------- ------ -------- ---- -------

1 N 1812 Enabled 2 Enabled

IPSec -AuthMode/Phase1/Group/Lifetime/Auth/Encr


Disabled - none/unknown/group-0/0 none/none

This is how to configure:

config radius auth retransmit-timeout 1 12

aravindas Tue, 10/23/2007 - 19:30

Hi Dennis,

Thanks for the reply.

I tried this on my WLC but am still not able to authenticate.

Aravind A S

aravindas Tue, 10/23/2007 - 21:40

Hi Dennis,

I applied the patch on my laptop for this authentication issue (reference KB885453).

I am seeing some changes in the ACS logs now.

Before installing the patch it was continuously failing, saying "NAS duplicated authentication attempt".

I think we also have to get "Re-key OK" for a successful authentication. I am not seeing that in the logs.

10/24/2007 13:30:47 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29

10/24/2007 13:28:37 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29

10/24/2007 13:26:26 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29

10/24/2007 13:26:09 Authen OK host/ESINLTECH00710.aya.win.sl.com wireless 00-1B-77-95-62-AE 29


Aravind A S
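
Added example, not part of the thread: a small Python check that measures the time between successive "Authen OK" entries for the same MAC and identity in the ACS log lines posted above, to make repeated re-authentication visible. The column interpretation, the function names and the `max_gap`/`min_repeats` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above. Column meanings are assumed from their
# appearance: timestamp, status, identity, group, caller MAC, trailing field.
SAMPLE_LOG = """\
10/24/2007 13:30:47 Authen OK AYA\\user wireless 00-1B-77-95-62-AE 29
10/24/2007 13:28:37 Authen OK AYA\\user wireless 00-1B-77-95-62-AE 29
10/24/2007 13:26:26 Authen OK AYA\\user wireless 00-1B-77-95-62-AE 29
10/24/2007 13:26:09 Authen OK host/ESINLTECH00710.aya.win.sl.com wireless 00-1B-77-95-62-AE 29
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<status>Authen \w+)\s+(?P<identity>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\b"
)

def parse(log_text):
    """Yield (timestamp, status, identity, mac) for each recognisable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            yield ts, m["status"], m["identity"], m["mac"].upper()

def reauth_intervals(log_text):
    """Map (mac, identity) -> seconds between consecutive successful logins."""
    seen = defaultdict(list)
    for ts, status, identity, mac in parse(log_text):
        if status == "Authen OK":
            seen[(mac, identity)].append(ts)
    return {
        key: [int((b - a).total_seconds())
              for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
        for key, stamps in seen.items()
    }

def flag_loops(log_text, max_gap=300, min_repeats=2):
    """Keys that re-authenticate min_repeats+ times, each within max_gap s."""
    return sorted(
        key for key, gaps in reauth_intervals(log_text).items()
        if len(gaps) >= min_repeats and all(g <= max_gap for g in gaps)
    )

if __name__ == "__main__":
    print(reauth_intervals(SAMPLE_LOG))
    print("looping:", flag_loops(SAMPLE_LOG))
```

On the posted lines, the user identity succeeds again roughly every 130 seconds from the same MAC, while the machine identity appears once.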


