02-11-2009 12:01 PM - edited 03-10-2019 04:20 PM
Hi folks,
I regularly get these messages from my ACS box, which is (among other things) supporting 802.1x / PEAP authentication for my wireless users.
Note that the misspelling of "authentication" is intentional - e.g. the typo is in the syslog coming out of ACS
Cisco_ACS_3_x_02 1 2 1432610766 Caller-ID=00-22-69-zz-xx-yy,NAS-IP-Address=10.x.y.100,AAA Server=acssvr1,User-Name=DOMAIN\username,NAS-Port=1,Message-Type=Authen failed,Authen-Failure-Code=Authetication session invalidated,Date=02/11/2009,Time=14:23:19,Group-Name=Default Group,Author-Data=,Real Name=,Description=,ExtDB Info=EXTERNALDB,Access Device=RemoteOfficeWLAN1,Priv-lvl=,Proxy-IP-Address=,Source-NAS=,Network Device Group=Wireless Controllers,EAP Type=25,EAP Type Name=MS-PEAP,
Perhaps I'd be better off cross-posting this to the wireless forum, but I figured I should start here first.
So my question is: is the ACS invalidating the session, is it part of PEAP, or is it something on the wireless controller that's forcing the re-auth? Is this cause for concern or further investigation, or should I tune it out (in my MARS box, which is firing alerts for "Failed AAA authentication")?
02-13-2009 12:38 PM
I consider that there is not enough information to tell if this is a false alarm.
On ACS server go to System Config > Service control > logging > Full > Restart
Check the Failed Attempts on ACS, look for the same time frame in these other logs: RDS.log & Auth.log.
What Service Pack are the Windows XP users running?
Are you doing PEAP Machine/User or just PEAP User authentication?
Do you have users reporting any issues?
03-06-2009 03:46 PM
There is a session timeout that can be configured on ACS and the controller; turn off the session timeout on ACS.
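Added example, not from any poster in the thread and not Cisco code: a Python parser for the comma-separated key=value record quoted in the first post, grouping failed attempts by Caller-ID so their first and last timestamps can be lined up with RDS.log and Auth.log as the second reply suggests. It assumes a four-token header before the first field and MM/DD/YYYY dates; the sample records, MAC addresses and the second failure string are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Failure string exactly as ACS logs it (typo included, as the first post notes).
INVALIDATED = "Authetication session invalidated"
# Constructed sample records in the field layout quoted in the thread;
# MAC addresses, IPs and the second failure string are made up.
_FMT = ("Cisco_ACS_3_x_02 1 2 1432610766 Caller-ID={mac},NAS-IP-Address=10.0.0.100,"
        "User-Name=DOMAIN\\username,Message-Type=Authen failed,Authen-Failure-Code={code},"
        "Date=02/11/2009,Time={time},EAP Type=25,EAP Type Name=MS-PEAP,")
SAMPLE = [_FMT.format(mac=m, code=c, time=t) for m, c, t in [
    ("00-22-69-00-00-01", INVALIDATED, "14:23:19"),
    ("00-22-69-00-00-01", INVALIDATED, "14:53:20"),
    ("00-22-69-00-00-02", INVALIDATED, "14:25:02"),
    ("00-22-69-00-00-02", "Constructed other failure", "14:25:40"),
]]

def parse_record(line):
    """Return the key=value fields of one ACS syslog record as a dict."""
    parts = line.strip().split(" ", 4)  # assumption: 4-token header, as in the post
    if len(parts) < 5:
        raise ValueError("header or field list missing")
    fields = {}
    for pair in parts[4].split(","):
        key, sep, value = pair.partition("=")
        if sep:  # skips the empty item left by the trailing comma
            fields[key.strip()] = value.strip()
    return fields

def summarize(lines):
    """Per Caller-ID: failure-code counts plus first and last time seen."""
    out = defaultdict(lambda: {"codes": Counter(), "first": None, "last": None})
    for line in lines:
        f = parse_record(line)
        if f.get("Message-Type") != "Authen failed":
            continue
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %H:%M:%S")
        entry = out[f.get("Caller-ID", "unknown")]
        entry["codes"][f.get("Authen-Failure-Code", "")] += 1
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(out)

def only_invalidated(summary):
    """Caller-IDs whose failures are exclusively the session-invalidated code."""
    return sorted(m for m, e in summary.items() if set(e["codes"]) == {INVALIDATED})

if __name__ == "__main__":
    print("only session-invalidated:", only_invalidated(summarize(SAMPLE)))
```

Clients that show other failure codes alongside the invalidated-session one are left out of `only_invalidated`, which keeps them visible for the follow-up the second reply asks for.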