Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Wireless PEAP 802.1x ACS 5 timed out

Hi:

Can anyone throw any light on this track:I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“

(Cisco Controller) >debug client 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=218) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 WARNING: updated EAP-Identifer 1 ===> 218 for STA 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 218)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAP Response from mobile 58:1f:aa:8f:ea:44 (EAP Id 218, EAP Type 25)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=219) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 219)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAP Response from mobile 58:1f:aa:8f:ea:44 (EAP Id 219, EAP Type 25)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=220) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 220)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAP Response from mobile 58:1f:aa:8f:ea:44 (EAP Id 220, EAP Type 25)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=221) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 221)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAP Response from mobile 58:1f:aa:8f:ea:44 (EAP Id 221, EAP Type 25)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=222) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 222)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAP Response from mobile 58:1f:aa:8f:ea:44 (EAP Id 222, EAP Type 25)

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Response state for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Processing Access-Challenge for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=223) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 223)

Fri Apr 13 16:10:06 2012: 58:1f:aa:8f:ea:44 802.1x 'timeoutEvt' Timer expired for station 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:06 2012: 58:1f:aa:8f:ea:44 Retransmit 1 of EAP-Request (length 69) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Association received from mobile on AP 00:18:74:f9:d3:70

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Processing RSN IE type 48, length 20 for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Received RSN IE with 0 PMKIDs from mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 0.0.0.0 8021X_REQD (3) Initializing policy

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:18:74:f9:d3:70

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 apfPemAddUser2 (apf_policy.c:212) Changing state for mobile 58:1f:aa:8f:ea:44 on AP 00:18:74:f9:d3:70 from Associated to Associated

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Stopping deletion of Mobile Station: (callerId: 48)

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Sending Assoc Response to station on BSSID 00:18:74:f9:d3:70 (status 0)

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 apfProcessAssocReq (apf_80211.c:3888) Changing state for mobile 58:1f:aa:8f:ea:44 on AP 00:18:74:f9:d3:70 from Associated to Associated

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Connecting state

thanks very much!

2 REPLIES
Hall of Fame Super Silver

Wireless PEAP 802.1x ACS 5 timed out

In your ACS, you should only have only have enabled the protocols that you are using which looks like PEAP MSchapv2.

-Scott
*** Please rate helpful posts ***
Silver

Wireless PEAP 802.1x ACS 5 timed out

Your WLC is basically seeing the same timeout that ACS is.

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Entering Backend Auth Req state (id=223) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP Request from AAA to mobile 58:1f:aa:8f:ea:44 (EAP Id 223)

Fri Apr 13 16:10:06 2012: 58:1f:aa:8f:ea:44 802.1x 'timeoutEvt' Timer expired for station 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:06 2012: 58:1f:aa:8f:ea:44 Retransmit 1 of EAP-Request (length 69) for mobile 58:1f:aa:8f:ea:44

Fri Apr 13 16:10:11 2012: 58:1f:aa:8f:ea:44 Association received from mobile on AP 00:18:74:f9:d3:70

The WLC sent the EAP Request to the mobile at 16:09:36 and waited 30 seconds.  It then sends the request again at 16:10:06, still no response for the client but 5 seconds later the client goes and does a new Association (starting over).

So I would start by decreasing your EAP Timers  (config advanced eap eap-request-timeout .......  [syntax might be a little different]?). The Eap-Request timer is 30 seconds and you could get away with it only being a few seconds (honestly even 1 second is fine in my opiinion).  NOTE: we are talking about eap-request, not eap-identity-request.....

The big question is if your client is just truely ignoring the eap-request or if it is not reaching the client......    Either way, you might see a world of difference by decreasing the timeout (so a new one gets to the client before it sits there in limbo for 30 seconds)

903
Views
0
Helpful
2
Replies