Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.4 with RSA SecurID EAP Method

Hi all,

I'm having issues authenticating against an RSA server for token authentication through my ACS 1121 (5.4) using a wireless supplicant.

RADIUS authentication log on the ACS shows: 5411 EAP session timed out. I think this may possibly de due to the EAP method used, currently using PEAP & EAP-GTC (tunnel protocol).

I have created an access policy for my RSA server and currently allowing the following EAP protocols:

PEAP:

     Allow EAP-GTC

EAP-FAST:

     Allow EAP-GTC

I'm not sure (possibly because of the EAP method) that the ACS is even talking to the RSA server as it has yet to download the node secret from it either.

Any suggestions would be very helpful!

Thanks.

2 REPLIES
Silver

ACS 5.4 with RSA SecurID EAP Method

Hi Nix,

This looks like a client issue:

http://www.cisco.com/image/gif/paws/113485/acs5x-tshoot.pdf#page=24&zoom=auto,0,387

Problem: Error "5411 EAP session timed out"

5411 EAP session timed out error messages are received on ACS 5.x.

Solution

EAP session timeouts are quite common with PEAP where the supplicant restarts authentication after the

initial packet goes out to the RADIUS server and, most of the time, are not indicative of a problem.

The flow that is commonly seen is:

Supplicant −−−−−−−−−−−−− Authenticator −−−−−−−−−−−−−− ACS

Connect

<−−−−−−−−−−−−−−−−−−Request for Identity

−−−−−−−−−−−−−−−−−−−−−−−> Response Identity −−−−−−−−−−−−−>

<−−−−−−−−−−−−−−   EAP Challenge <−−−−−−−−−−−−−−−−EAPOL−Start

−−−−−−−−−−−−−>

normal

flow ending in successful authentication.......

In the end the authentication is successful. However, there is a thread left open on the ACS due to the abrupt

restart of the EAP session from the supplicant which causes a successful authentication followed by the EAP

session timeout message. Many times this is due to the driver level of the machine. Make sure that the

NIC/Wireless drivers are up to date on the client machine. You can capture on the client and filter on EAP ||

EAPOL in order to see what the client receives or sends when connecting.

Can you check client configuration?

What supplicant software are you using?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
New Member

ACS 5.4 with RSA SecurID EAP Method

Hi Edward,

Thank you very much for replying.

I have continued to work further on this (turns out there was a rule missing for my RSA access service that generated the EAP timeout) and am now able to get an authentication prompt. However, authentication is failing at the RSA server with:

User “x” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”.

I also see a lot of errors for 11013 RADIUS packet already in the process, which makes me think I should possibly increase the time-out value?

The client details are as follows:

Client machine: Windows 7

Supplicant: SecureW2

Supplicant Config: PEAP/EAP-GTC

Thank you.

940
Views
0
Helpful
2
Replies
CreatePlease login to create content