Folks, I am receiving an ACS error message. "NAS duplicated authentication attempt".
I get this error only with one client device, an HP Procurve M111 Wireless Bridge. This error message effectively denies authentication to the client.
The client is configured for WPA/PEAP. Sometimes it works ok. I do not see the error message and client stays connected. Some period of time later it randomly shows up again and the client is denied access.
Can anyone help me determine what may be causing this error? From what I read on CCO, it means the client is basically sending EAP-Requests too quickly. So what can I do?
1 - Is there a way to soften this on the ACS so it does not deauthenticate due to multiple authentication requests?
2 - Is there something I can do on the controller? I.e., the RADIUS server timeout value (currently set at the default of 2?).
Any input is appreciated. I am only seeing the problem with one client. All other clients using WPA/PEAP (~200) are not having issues.
In RADIUS each request has a unique ID (basically a counter per device) and ACS knows which IDs are currently being processed in the pipeline. Your device is re-sending before ACS has had a chance to finish and respond.
Such duplicates are discarded by ACS - however it should still eventually reply with a proper result for the original request. Maybe that is still coming too late, i.e. after the device has retried several times.
Increasing the device timeout would definitely be the starting point.
Are you saying to increase the RADIUS Server Timeout value on the controller from 2 seconds (the default) to something higher? Just want to clarify which timeout value you are referring to when you say "Increasing the device timeout".
Would it be the controller that is sending the duplicates because of this value or the client device?
Just trying to get my head around what all the timers are and what role they play in the process.
Yes. Make the timeout on the controller longer. If you were to look in the CSRadius service log (on ACS with max debug on) you'll see inbound requests and responses being sent. You could use this log to confirm exactly how long it is taking ACS to reply.
Depending on which backend authentication db you have in place, 2 seconds probably isn't long enough; AD can take longer than this. The internal ACS db will authenticate in milliseconds, so that shouldn't ever cause a timeout.
The client timeout is a different story! This controls how long the client will wait for the controller to respond.
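The mechanics the two answers above describe (a RADIUS request is identified by its Identifier byte, the NAS retransmits the same request after its timeout, and a server still working on the original sees the retransmit as a duplicate) can be checked with a small model. The following is an added example, not code from the thread, ACS or HP; it builds minimal RFC 2865 Access-Request packets, keys in-flight requests by source address, Identifier and Request Authenticator as RFC 2865 section 3 describes, and simulates a NAS retransmit timeline so you can see how many "duplicates" a given server latency produces for a given controller timeout. The NAS address, the User-Name value, the latency and timeout figures, and the retry count are all constructed inputs, not measurements from ACS or a controller.

```python
"""Model of RADIUS duplicate detection versus NAS retransmit timeout (added example).

RFC 2865 header: Code(1) | Identifier(1) | Length(2) | Request Authenticator(16),
followed by attributes in Type/Length/Value form. A NAS that retransmits an
unanswered request re-sends it with the same Identifier and Authenticator, so a
server that has not yet answered the original treats the retransmit as a duplicate.
"""
import os
import struct

ACCESS_REQUEST = 1          # RFC 2865 Code for Access-Request
ATTR_USER_NAME = 1          # RFC 2865 attribute type 1


def build_access_request(identifier, authenticator, attrs):
    """Build an Access-Request from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def parse_header(pkt):
    """Return (code, identifier, authenticator); reject inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS Length field does not match packet size")
    return code, identifier, pkt[4:20]


class DuplicateCache:
    """Tracks requests still being processed, keyed as RFC 2865 sec. 3 suggests."""

    def __init__(self):
        self.in_flight = {}

    def _key(self, src, pkt):
        _, ident, auth = parse_header(pkt)
        return (src, ident, auth)

    def accept(self, src, pkt, now):
        """'new' if this request is not in the pipeline, 'duplicate' otherwise."""
        key = self._key(src, pkt)
        if key in self.in_flight:
            return "duplicate"
        self.in_flight[key] = now
        return "new"

    def complete(self, src, pkt):
        """Server finished the request; later retransmits would be treated as new."""
        self.in_flight.pop(self._key(src, pkt), None)


def simulate(nas_timeout, server_latency, retries=3):
    """Simulate one NAS request against a server needing server_latency seconds.

    The NAS (hypothetical address 10.0.0.5) retransmits every nas_timeout seconds,
    up to `retries` times, then gives up one more timeout later. Returns
    (duplicates_flagged, answered_before_nas_gave_up).
    """
    cache = DuplicateCache()
    src = "10.0.0.5"                              # constructed NAS address
    pkt = build_access_request(7, os.urandom(16), [(ATTR_USER_NAME, b"hp-bridge")])
    cache.accept(src, pkt, 0.0)                   # original transmission at t=0
    duplicates = 0
    for attempt in range(1, retries + 1):
        resend_at = attempt * nas_timeout
        if server_latency <= resend_at:           # reply landed before this retransmit
            cache.complete(src, pkt)
            return duplicates, True
        if cache.accept(src, pkt, resend_at) == "duplicate":
            duplicates += 1
    give_up_at = (retries + 1) * nas_timeout
    answered = server_latency <= give_up_at
    if answered:
        cache.complete(src, pkt)
    return duplicates, answered


if __name__ == "__main__":
    # Default 2 s controller timeout against a backend that takes 5 s: two duplicates,
    # then success. Raising the timeout to 5 s removes the duplicates entirely.
    print("timeout=2s, latency=5s  ->", simulate(2, 5))
    print("timeout=5s, latency=5s  ->", simulate(5, 5))
    print("timeout=2s, latency=9s  ->", simulate(2, 9))
```

Run it once with the controller's current timeout and the reply time you read off the CSRadius log, then again with a longer timeout; the first number returned is the count of retransmits the server would have discarded as duplicates, and the second says whether the reply would still have reached the NAS before it gave up.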
about an ACS timer being too short as a possible cause for this error "NAS Duplicated Authentication Attempt". However, it only mentions "ACS Timeout" being too short, with no instructions on where the parameter is located and where to change it.
Any information on ACS timers that may be contributing to this problem is appreciated.