ACS - "Authetication session invalidated"

Unanswered Question
Feb 11th, 2009

Hi folks,

I regularly get these messages from my ACS box, which is (among other things) supporting 802.1x / PEAP authentication for my wireless users.

Note that the misspelling of "authentication" is intentional - e.g. the typo is in the syslog coming out of ACS.

Cisco_ACS_3_x_02 1 2 1432610766 Caller-ID=00-22-69-zz-xx-yy,NAS-IP-Address=10.x.y.100,AAA Server=acssvr1,User-Name=DOMAIN\username,NAS-Port=1,Message-Type=Authen failed,Authen-Failure-Code=Authetication session invalidated,Date=02/11/2009,Time=14:23:19,Group-Name=Default Group,Author-Data=,Real Name=,Description=,ExtDB Info=EXTERNALDB,Access Device=RemoteOfficeWLAN1,Priv-lvl=,Proxy-IP-Address=,Source-NAS=,Network Device Group=Wireless Controllers,EAP Type=25,EAP Type Name=MS-PEAP,

Perhaps I'd be better off cross-posting this to the wireless forum, but I figured I should start here first.

So my question is: is the ACS invalidating the session, is it part of PEAP, or is it something on the wireless controller that's forcing the re-auth? Is this cause for concern or further investigation, or should I tune it out (in my MARS box, which is firing alerts for "Failed AAA authentication")?

ansalaza Fri, 02/13/2009 - 12:38

I consider that there is not enough information to tell if this is a false alarm.

On ACS server go to System Config > Service control > logging > Full > Restart

Check the Failed Attempts on ACS, look for the same time frame in these other logs: RDS.log & Auth.log.

What Service Pack are the Windows XP users running?

Are you doing PEAP Machine/User or just PEAP User authentication?

Do you have users reporting any issues?

aneelaka Fri, 03/06/2009 - 15:46

There is a session time-out that can be configured on ACS and the controller; turn off the session timeout on ACS.
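For triaging these alerts, the record format quoted in the question can be parsed and failures grouped per client and failure code, so a single re-auth is separated from a client failing repeatedly in a short window. This is an added example, not part of the original thread: the sample records, the second failure code, the four-token header assumption, and the names `parse_acs` and `failure_bursts` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed records in the layout of the posted line; MACs, users, times are made up.
def _rec(mac, user, code, time):
    return ("Cisco_ACS_3_x_02 1 2 1432610766 Caller-ID=%s,NAS-IP-Address=10.0.0.100,"
            "AAA Server=acssvr1,User-Name=%s,NAS-Port=1,Message-Type=Authen failed,"
            "Authen-Failure-Code=%s,Date=02/11/2009,Time=%s,EAP Type=25,"
            "EAP Type Name=MS-PEAP," % (mac, user, code, time))

INVALIDATED = "Authetication session invalidated"  # spelled as in the posted syslog
BAD_PW = "External DB user invalid or bad password"  # constructed second code
SAMPLE = [
    _rec("00-11-22-33-44-55", r"DOMAIN\alice", INVALIDATED, "14:23:19"),
    _rec("00-11-22-33-44-66", r"DOMAIN\bob", INVALIDATED, "14:24:02"),
    _rec("00-11-22-33-44-66", r"DOMAIN\bob", INVALIDATED, "14:25:40"),
    _rec("00-11-22-33-44-66", r"DOMAIN\bob", INVALIDATED, "14:26:55"),
    _rec("00-11-22-33-44-77", r"DOMAIN\carol", BAD_PW, "14:30:00"),
]

# Assumption from the posted line: four space-separated header tokens precede the fields.
HEADER = re.compile(r"^\S+ \S+ \S+ \S+ ")

def parse_acs(line):
    """Return the Key=Value fields of one record; keys may contain spaces."""
    body, n = HEADER.subn("", line.strip(), count=1)
    if n == 0:
        raise ValueError("unrecognised record: %r" % line[:40])
    fields = dict(p.split("=", 1) for p in body.split(",") if "=" in p)
    fields["_when"] = datetime.strptime(
        fields["Date"] + " " + fields["Time"], "%m/%d/%Y %H:%M:%S")
    return fields

def failure_bursts(lines, threshold=3, window_s=300):
    """Map (client MAC, failure code) -> total failures, for clients with at
    least `threshold` failures of that code inside any `window_s` window."""
    seen = defaultdict(list)
    for f in map(parse_acs, lines):
        if f.get("Message-Type") == "Authen failed":
            seen[(f["Caller-ID"], f["Authen-Failure-Code"])].append(f["_when"])
    out = {}
    for key, times in seen.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                out[key] = len(times)
                break
    return out
```
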
