Trouble with dot1x timeout reauth-period on WGB

Unanswered Question
Nov 7th, 2009

I have two Cisco 1231 access points; one is running as a WGB to provide network connectivity to a few devices. Every time the "dot1x timeout reauth-period" expires, the WGB is de-authenticated and forced to reconnect. This is causing connectivity issues for the systems behind the WGB. All workstation-based clients work as expected.

The APs are configured to use WPA2 PSK with AES.

The log messages on the root AP are as follows:

Nov 7 15:45:17.509: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station yyyy.yyyy.yyyy Reason: Previous authentication no longer valid

Nov 7 15:45:17.678: %DOT11-6-ASSOC: Interface Dot11Radio0, Station WGB-AP yyyy.yyyy.yyyy Reassociated KEY_MGMT[WPAv2 PSK]

Logs on the WGB are as follows:

Nov 7 15:45:17.208: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio0, parent lost: EAP authentication failed 16

Nov 7 15:45:17.258: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP xxxx.xxxx.xxxx [None WPAv2 PSK]

Nov 7 15:45:17.308: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio0, parent lost: EAP authentication failed 16

Nov 7 15:45:17.367: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP xxxx.xxxx.xxxx [None WPAv2 PSK]

Nov 7 15:45:17.408: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio0, parent lost: EAP authentication failed 16

Nov 7 15:45:17.464: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP xxxx.xxxx.xxxx [None WPAv2 PSK]

Nov 7 15:45:17.508: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio0, parent lost: Received deauthenticate (2) not valid

Nov 7 15:45:17.508: %DOT11-4-MAXRETRIES: Packet to client xxxx.xxxx.xxxx reached max retries, removing the client

Nov 7 15:45:17.510: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down

Nov 7 15:45:17.676: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP xxxx.xxxx.xxxx [None WPAv2 PSK]

Nov 7 15:45:17.677: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

I'm sure I'm missing something simple but I can't seem to find out what it is.

Robert.N.Barrett_2 Tue, 11/24/2009 - 04:46

If you have configured the timer, then this is the behavior you should expect.  If you're looking for how to change the timer, you can use the CLI command on your main AP:

dot1x reauth-period {seconds}

Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.

Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to the client before termination of the session or prompt. The server sends this attribute to the access point when a client device performs EAP authentication.

Note

If you configure both MAC address authentication and EAP authentication for an SSID, the server sends the Session-Timeout attribute for both MAC and EAP authentications for a client device. The access point uses the Session-Timeout attribute for the last authentication that the client performs. For example, if a client performs MAC address authentication and then performs EAP authentication, the access point uses the server’s Session-Timeout value for the EAP authentication. To avoid confusion on which Session-Timeout attribute is used, configure the same Session-Timeout value on your authentication server for both MAC and EAP authentication.
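
An added example (not part of the thread or of Cisco's documentation): a Python check that reads root-AP DISASSOC lines in the format shown in the question and reports stations whose deauthentications recur at the configured reauth period, which separates timer-driven drops from RF or roaming drops. The log lines, MAC addresses, the 3600-second period and the year (the logs carry none) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Root-AP line format from the question (timestamp, DISASSOC, station MAC, reason).
DEAUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %DOT11-6-DISASSOC: "
    r"Interface \S+, Deauthenticating Station "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) Reason: (?P<reason>.+)$"
)

# Constructed sample log: MACs, times and the 3600 s spacing are assumptions.
SAMPLE_LOG = """\
Nov 7 13:45:17.509: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
Nov 7 13:45:17.678: %DOT11-6-ASSOC: Interface Dot11Radio0, Station WGB-AP 0011.2233.4455 Reassociated KEY_MGMT[WPAv2 PSK]
Nov 7 13:50:02.100: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station aabb.ccdd.eeff Reason: Sending station has left the BSS
Nov 7 14:45:17.612: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
Nov 7 15:12:40.250: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station aabb.ccdd.eeff Reason: Sending station has left the BSS
Nov 7 15:45:17.509: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
""".splitlines()

def parse_deauths(lines, year=2009):
    """Return {mac: [datetime, ...]} for each deauthentication line; other lines are ignored."""
    events = defaultdict(list)
    for line in lines:
        m = DEAUTH_RE.match(line.strip())
        if m:
            ts = " ".join(m["ts"].split())  # collapse padding before single-digit days
            stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")
            events[m["mac"]].append(stamp)
    return events

def reauth_driven(events, reauth_period, tolerance=5.0, min_cycles=2):
    """Return {mac: gaps} for stations deauthenticated at reauth_period intervals."""
    flagged = {}
    for mac, times in events.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits = [g for g in gaps if abs(g - reauth_period) <= tolerance]
        if len(hits) >= min_cycles:
            flagged[mac] = gaps
    return flagged

if __name__ == "__main__":
    for mac, gaps in reauth_driven(parse_deauths(SAMPLE_LOG), 3600).items():
        print(mac, gaps)
```

Pass the value configured with dot1x reauth-period (or the server's Session-Timeout) as reauth_period; a station that appears in the result is being dropped by the timer rather than by signal loss.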
