Cisco Support Community

User credentials expire every few minutes


I'm currently working on a test implementation of Cisco NAC with McAfee.

Everything works, the client is put into the right VLAN, etc.

But unfortunately, every few minutes (it happens in all the VLANs, so it's not a specific VLAN problem or so) the Trust Agent closes the connection and the user needs to re-enter his credentials (name and password).

In the ACS logs on "failed attempts", the following appears:

message-type: authen failed

auth-failure-code: could not connect to external policy server - timeout error.

reason: a token was not returned from a policy. policy = ePO (this is the external ePo server policy).

Another strange thing is that, although several users are successfully logged in, there aren't any users shown at Reports > logged-in users...

I'm working with an internal ACS database for the user credentials.

Does anyone know what could cause this?


Re: User credentials expire every few minutes

A bit fuzzy on the detail, but I remember NAC has an audit feature that can authenticate someone and allow connection but then work in the background. It does this by granting a short session timeout, which forces a re-authentication.

If you can, increase the logging level in CSRadius so you can see the outbound attributes. If you see a timeout of around 120 seconds, this could be it.

Regarding the logged-on user list... this was designed around dial: authen... acct start... acct stop. If your RADIUS messages are not in that order, it stops working. Basically it tries to track the status of each device port and gets upset if it gets conflicting messages.
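The two checks suggested in this reply can be modelled in a few lines. The following is an added example and is not Cisco ACS or CSRadius code: it scans constructed outbound-attribute lines for a short Session-Timeout (the ~120 s hint above), summarises constructed "failed attempts" entries using the field names from the question, and runs a toy state machine for the order-sensitive logged-in-user tracking (authen, then acct start, then acct stop per port). The log line formats, the state names, and the choice to drop a port from the list after a conflicting message are all assumptions made for illustration.

```python
"""Constructed models of two points from the reply above: a short outbound
Session-Timeout as the re-auth trigger, and order-sensitive logged-in tracking.
Not Cisco ACS/CSRadius code; formats, states and threshold are assumptions."""
import re
from collections import Counter

# Reply: an outbound Session-Timeout of roughly 120 s points at the audit/re-auth path.
SHORT_SESSION_TIMEOUT = 120


def short_session_timeouts(attribute_lines, threshold=SHORT_SESSION_TIMEOUT):
    """Return Session-Timeout values at or below threshold found in outbound
    RADIUS attribute lines (assumed 'Name = value' text, as a debug log might show)."""
    found = []
    for line in attribute_lines:
        m = re.search(r"Session-Timeout\s*[=:]\s*(\d+)", line)
        if m and int(m.group(1)) <= threshold:
            found.append(int(m.group(1)))
    return found


def summarize_failed_attempts(log_lines):
    """Count ACS 'failed attempts' entries by auth-failure-code and collect the
    policy names mentioned, using the field names quoted in the question."""
    codes = Counter()
    policies = set()
    for line in log_lines:
        m = re.match(r"auth-failure-code:\s*(.+?)\.?\s*$", line)
        if m:
            codes[m.group(1).strip()] += 1
        p = re.search(r"policy\s*=\s*(\S+)", line)
        if p:
            policies.add(p.group(1))
    return codes, policies


class LoggedInTracker:
    """Toy model of per-port tracking: authen -> acct-start -> acct-stop.
    A message that does not fit the expected order is recorded as a conflict and
    the port is reset to idle (modelling assumption, chosen to reproduce an empty
    logged-in report)."""
    TRANSITIONS = {
        ("idle", "authen"): "authenticated",
        ("authenticated", "acct-start"): "logged-in",
        ("logged-in", "acct-stop"): "idle",
    }

    def __init__(self):
        self.state = {}
        self.conflicts = []

    def feed(self, port, message):
        current = self.state.get(port, "idle")
        nxt = self.TRANSITIONS.get((current, message))
        if nxt is None:
            self.conflicts.append((port, current, message))
            self.state[port] = "idle"
        else:
            self.state[port] = nxt

    def logged_in(self):
        return sorted(p for p, s in self.state.items() if s == "logged-in")


def replay(messages):
    """Feed (port, message) pairs through a fresh tracker; return (logged-in ports, conflicts)."""
    tracker = LoggedInTracker()
    for port, msg in messages:
        tracker.feed(port, msg)
    return tracker.logged_in(), tracker.conflicts


# Constructed sample data, not captured from the poster's system.
SAMPLE_ATTRIBUTES = [
    "Session-Timeout = 120",
    "Termination-Action = RADIUS-Request",
    "Tunnel-Private-Group-Id = 210",
]
SAMPLE_FAILED = [
    "message-type: authen failed",
    "auth-failure-code: could not connect to external policy server - timeout error.",
    "reason: a token was not returned from a policy. policy = ePO",
]
ORDERED = [("Gi1/0/1", "authen"), ("Gi1/0/1", "acct-start")]
# A re-authentication arriving while the port is already logged in, with no acct-stop first.
REAUTH_WITHOUT_STOP = ORDERED + [("Gi1/0/1", "authen")]

if __name__ == "__main__":
    print("short timeouts:", short_session_timeouts(SAMPLE_ATTRIBUTES))
    print("failed attempts:", summarize_failed_attempts(SAMPLE_FAILED))
    print("in order:", replay(ORDERED))
    print("re-auth without stop:", replay(REAUTH_WITHOUT_STOP))
```

Running it shows the in-order sequence leaving one port in the logged-in list, while a re-authentication that arrives before an accounting stop is recorded as a conflict and empties the list, which is the behaviour the reply describes for out-of-order RADIUS messages.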


Re: User credentials expire every few minutes

First of all, thank you for your reply.

About the time-outs, it wasn't the audit feature because I do not use an audit service (yet).

However, on the "external posture validation server" page, I've raised the time-out parameter and this seems to help a lot. Now it rarely times out.

About the logged-on user list, thank you for letting me know, I understand what you're saying but I have no idea how to change the order of those RADIUS messages. But it's not that important that they aren't shown, I was just wondering why ;-)