"NAS Duplicated Authentication attempt" from ACS

aravindas
Level 1

Hi guys,

I am facing a problem with my wireless solution.

My wireless solution contains a WLC and 10-15 APs.

1) I am using the DNS method for getting the WLC IP address for the APs (mapping the FQDN CISCO-LWAPP-CONTROLLER.aja.win.ml.com to the WLC IP address on the DNS server), and this is working fine for me.

2) When I try to connect my laptop to the wireless network, I get the PC's MAC listed on the WLC and it is trying to authenticate from the ACS as well.

3) But in the ACS logs I am seeing the following error: "NAS duplicated authentication attempt", and it keeps on going.

I am really stuck here since I am not sure what this means. So please help me out if someone has had this problem somewhere before.

7 Replies

aravindas
Level 1

Hi guys,

If anyone has faced such issues, please update with the solution for the same.

Scott Fella
Hall of Fame

How do you have the WLC set up? When you set up your remote client in ACS, you used the management IP address, correct?

-Scott
*** Please rate helpful posts ***

It's the management IP address.

Also, I got the following debugging output for the authentication process from the WLC...

Okay, so let's go over how the WLC is set up. First, make sure your wireless VLANs are not part of any existing wired VLANs. How do you have the authentication set up on the WLAN SSID? How did you set up your policy in your RADIUS server?

-Scott
*** Please rate helpful posts ***

Please extend the EAP timeouts in your CLI from 2 seconds to 12. This should solve your problem. The response is taking longer than 2 seconds to get back to the controller, so the controller resends the authentication request over and over, thus giving you a duplicate request error. Here is how to do it. I like 12 seconds in case you are using login credentials that require typing.

It is a good idea to change the RADIUS timeout to 5 seconds. The default of 2 seconds is acceptable for a fast RADIUS failover, but probably not enough for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, or if the RADIUS server has to contact external databases (Active Directory, NAC, SQL, and so forth).

This is how to verify:

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility............ Disabled
Credentials Caching......................... Disabled
Call Station Id Type........................ IP Address
Administrative Authentication via RADIUS.... Enabled
Aggressive Failover......................... Disabled
Keywrap..................................... Disabled

Authentication Servers

!--- This portion of code has been wrapped to several lines due to spatial
!--- concerns.

Idx  Type  Server Address    Port    State     Tout  RFC3576
---  ----  ----------------  ------  --------  ----  -------
1    N     10.48.76.50       1812    Enabled   2     Enabled

IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
------------------------------------------------
Disabled - none/unknown/group-0/0 none/none

This is how to configure:

config radius auth retransmit-timeout 1 12
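The check described in the reply above, written out as an added example that is not part of the original thread: it parses the Authentication Servers table from `show radius summary` output, flags enabled servers whose timeout is below the 5 seconds suggested above, and builds the `config radius auth retransmit-timeout` command for each. The second server row (10.48.76.51) and the function names are constructed for illustration.

```python
import re

# Constructed sample: the table quoted in the thread plus a second,
# hypothetical server row (10.48.76.51) that already has a 12 s timeout.
SAMPLE = """\
Keywrap..................................... Disabled
Authentication Servers
Idx  Type  Server Address    Port    State     Tout  RFC3576
---  ----  ----------------  ------  --------  ----  -------
1    N     10.48.76.50       1812    Enabled   2     Enabled
2    N     10.48.76.51       1812    Enabled   12    Enabled
IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
"""

# One data row: index, type, IPv4 address, port, state, timeout, RFC3576 flag.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<type>\S+)\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d+)\s+(?P<state>\S+)\s+(?P<tout>\d+)\s+(?P<rfc3576>\S+)\s*$"
)

def parse_auth_servers(text):
    """Return one dict per row of the Authentication Servers table."""
    servers, in_table = [], False
    for line in text.splitlines():
        if "Authentication Servers" in line:   # section heading
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("idx", "port", "tout"):
                row[key] = int(row[key])
            servers.append(row)
        elif servers:                          # first non-row line ends the table
            break
    return servers

def short_timeouts(servers, minimum=5):
    """Enabled servers whose timeout is below `minimum` seconds."""
    return [s for s in servers if s["state"] == "Enabled" and s["tout"] < minimum]

def remediation(servers, target=12, minimum=5):
    """WLC command from the thread for each server with a short timeout."""
    return [f"config radius auth retransmit-timeout {s['idx']} {target}"
            for s in short_timeouts(servers, minimum)]

if __name__ == "__main__":
    for cmd in remediation(parse_auth_servers(SAMPLE)):
        print(cmd)
```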

Hi Dennis,

Thanks for the reply.

I tried this on my WLC; still not able to authenticate.

Aravind A S

Hi Dennis,

I applied the patch on my laptop for this authentication issue (reference KB885453).

I am seeing some changes in the ACS logs now.

Before installing the patch it was continuously failing, saying "NAS duplicated authentication attempt".

I think we also have to get "Re-key OK" for successful authentication. I am not seeing that in the logs.

10/24/2007 13:30:47 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:28:37 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:26:26 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1

10/24/2007 13:26:09 Authen OK host/ESINLTECH00710.aya.win.sl.com wireless 00-1B-77-95-62-AE 29 11.106.51.1

Thanks

Aravind A S
