Friends, I've got a problem.
We run ACS 5-2-0-26-10. Some clients get the error message "5411 EAP Session Timeout", and the clients are assigned to the guest LAN. If I reboot and log in again, it's still the same. However, if I reboot and log in with another user, it's back on the corporate network. Then I can log off and log in the user again, and everything works fine. I haven't been able to find out why this happens. It's the machine authentication that fails; we have set our ACS to accept either user or machine ID. I also found out that if the user waits for about 20 minutes, they're back on the corporate network. However, I haven't found any timers that are set to this interval. I can't debug using Wireshark, because these are users who need their computers right away, and I haven't been able to re-create the problem in the lab either.
Our port config:
switchport access vlan 320
switchport mode access
ip arp inspection limit rate 15 burst interval 5
authentication control-direction in
authentication event fail action authorize vlan 666
authentication event server dead action authorize vlan 320
authentication event no-response action authorize vlan 666
authentication event server alive action reinitialize
authentication port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout quiet-period 20
dot1x timeout tx-period 10
storm-control broadcast level 5.00
storm-control multicast level 30.00
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
ip dhcp snooping limit rate 10
Global:
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
Any help I can get is highly appreciated!