ACS Error Message

c.fuller
Level 1

Folks, I am receiving an ACS error message. "NAS duplicated authentication attempt".

I get this error only with one client device. An HP Procurve M111 Wireless Bridge. This error message effectively denies authentication to the client.

The client is configured for WPA/PEAP. Sometimes it works ok. I do not see the error message and client stays connected. Some period of time later it randomly shows up again and the client is denied access.

Can anyone help me determine what may be causing this error? From what I read on CCO, it means the client is basically sending EAP-Requests too quickly. So what can I do?

1 - Is there a way to soften this on the ACS so it does not deauthenticate due to multiple authentication requests?

2 - Is there something I can do on the controller? I.e. the RADIUS server timeout value (currently set at the default of 2?).

Any input is appreciated. I am only seeing the problem with one client. All other clients using WPA/PEAP (~200) are not having issues.

5 Replies

darpotter
Level 5

The timeout of 2 (2 seconds ?) is way too low.

In RADIUS each request has a unique ID (basically a counter per device) and ACS knows which IDs are currently being processed in the pipeline. Your device is re-sending before ACS has had a chance to finish and respond.

Such duplicates are discarded by ACS - however it should still eventually reply with a proper result for the original request. Maybe that is still coming too late, i.e. after the device has re-tried several times.

Increasing the device timeout would definitely be the starting point.
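As an added illustration of the mechanism described in this reply (not code from the thread, Cisco or ACS): a small Python simulation of server-side RADIUS duplicate detection, which RFC 2865 keys on source address, Identifier byte and Request Authenticator, showing how a NAS retransmit timeout shorter than the backend's response time produces the duplicate events ACS logs. The NAS address, Identifier and timings are constructed values.

```python
"""Simulate RADIUS duplicate-request handling when a NAS retransmits
faster than the server can answer. Constructed scenario, not ACS code."""
import struct
from dataclasses import dataclass, field

DUPLICATE = "NAS duplicated authentication attempt"


def build_access_request(identifier: int, authenticator: bytes) -> bytes:
    """Minimal RADIUS header: Code 1 (Access-Request), Identifier, Length, Authenticator."""
    assert len(authenticator) == 16
    return struct.pack("!BBH", 1, identifier, 20) + authenticator


def parse_header(packet: bytes):
    code, ident, _length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:20]


@dataclass
class RadiusServer:
    backend_latency: float          # seconds the auth backend (e.g. AD) takes to answer
    in_flight: dict = field(default_factory=dict)  # (src, id, authenticator) -> reply time
    dropped: int = 0

    def receive(self, src: str, packet: bytes, now: float) -> str:
        _code, ident, auth = parse_header(packet)
        key = (src, ident, auth)
        reply_at = self.in_flight.get(key)
        if reply_at is not None and now < reply_at:
            self.dropped += 1          # same triple still being processed: discard it
            return DUPLICATE
        self.in_flight[key] = now + self.backend_latency
        return "processing"


def simulate(nas_timeout: float, backend_latency: float, retries: int = 3) -> dict:
    """NAS resends the identical request every nas_timeout seconds until a reply
    arrives or retries are exhausted. Returns duplicates seen by the server and
    whether the client would have been answered before the NAS gave up."""
    server = RadiusServer(backend_latency)
    packet = build_access_request(42, bytes(range(16)))  # constructed request
    reply_at = None
    for attempt in range(retries + 1):
        t = attempt * nas_timeout
        if reply_at is not None and t >= reply_at:
            break                      # reply already received, no more retransmits
        if server.receive("10.0.0.5", packet, t) == "processing":
            reply_at = t + backend_latency
    answered = reply_at is not None and reply_at <= (retries + 1) * nas_timeout
    return {"duplicates": server.dropped, "answered": answered}
```

With a 2 s NAS timeout and a 3.5 s backend, the client still authenticates but one duplicate is logged; with a 9 s backend every retry is a duplicate and the client is denied, which matches the intermittent behaviour in the question.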

Are you saying to increase the RADIUS Server Timeout value on the controller from 2 seconds (the default) to something higher? Just want to clarify what timeout value you are referring to when you say "Increasing the device timeout".

Would it be the controller that is sending the duplicates because of this value or the client device?

Just trying to get my head around what all the timers are and what role they play in the process.

Thanks

Chuck

Yes. Make the timeout on the controller longer. If you were to look in the CSRadius service log (on ACS with max debug on) you'll see inbound requests and responses being sent. You could use this log to confirm exactly how long it's taking ACS to reply.

Depending on which backend authentication DB you have in place, 2 seconds probably isn't long enough; AD can take longer than this. The internal ACS DB will authenticate in milliseconds, so that shouldn't ever cause a timeout.

The client timeout is a different story! This controls how long the client will wait for the controller to respond.

Interesting, I also have seen this error using credentials that are in the Secure ACS DB, requiring no backend authentication process to AD.

In regards to timers on the ACS. Is there a timer on the ACS that I can tweak, other than the "PEAP Session Timeout" under Global Authentication screen?

I read in this document

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/trouble/guide/Ch2.html#wp1041296

about an ACS timer being too short as a possible cause for this error "NAS Duplicated Authentication Attempt". However, it only mentions "ACS Timeout" being too short, with no instructions on where the parameter is located and where to change it.

Any information on ACS timers that may be contributing to this problem is appreciated.

Chuck

Contact the TAC. They may have a tool that will allow to adjust this time. It may be a db setting that is not available in the GUI. Check with them.
