Cisco Support Community

New Member

7.0.230 and Dropping EAP Response Maximum simultaneous user limit reached

Hi Guys,

Upgraded my 3 WLC 5508s to 7.0.230 (from 7.0.116) yesterday.

We got odd random issues with devices where they appear to get authenticated on Radius (Microsoft IAS reports that they authenticate OK) but we get strange messages back on the WLC, that I haven't noticed before, like -

"Dropping EAP Response,Maximum simultaneous user limit reached"

and

"EAP Id request from AP client failed as maximum 802 1x retries reached"

(Not sure if the above messages are an indication of the problem or just as a result of the problem)

Booting the device and/or the Controller seems to resolve the issue for a while for SOME clients but not others.

Seen it happen on Windows Laptops and iPhones.

It happens more on Windows Laptops that need to Computer Authenticate using Radius (ie most don't work even though they are the same model of laptop etc. as the odd ones that do work).

See the attached text file for an example of the Log Analysis file from the Client Troubleshooting utility on WCS.

This is from a Windows Laptop trying to use Computer Authentication to authenticate before it gets a DHCP IP Address.

At the end of the log we get -

Radius packet received. Access-Accept received from RADIUS server 172.31.1.45, receiveId = 5

Received Access-Accept from the RADIUS server for the client.

Dropping EAP Response,Maximum simultaneous user limit reached.

Received EAPOL start message from client.

Received EAP Response from the client.

EAP Id request from AP client failed as maximum 802 1x retries reached.

De-authentication sent to client. slot 0 (claller 1x_auth_pae.c:3091)

Which appears to say that the Radius Authentication has been accepted(?) but then the controller drops the client.

Moving back to using 7.0.116 made the problem go away.

Regards,

Jen.

Jennifer Wilson

Senior Networks Officer

University of Central Lancashire

  • Security and Network Management
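Added example (not part of the original post and not Cisco tooling): a small Python triage script for the log pattern quoted in the post above. It separates attempts where the controller dropped the client after RADIUS had already returned Access-Accept from plain 802.1X retry timeouts. The verdict labels and the rule that an attempt ends at a de-authentication are assumptions of this example; the sample log is constructed from the messages quoted in the post.

```python
import re

# Constructed sample: message texts are the ones quoted in the post above.
SAMPLE_LOG = """\
Radius packet received. Access-Accept received from RADIUS server 172.31.1.45, receiveId = 5
Received Access-Accept from the RADIUS server for the client.
Dropping EAP Response,Maximum simultaneous user limit reached.
Received EAPOL start message from client.
Received EAP Response from the client.
EAP Id request from AP client failed as maximum 802 1x retries reached.
De-authentication sent to client. slot 0 (claller 1x_auth_pae.c:3091)
"""

ACCEPT = re.compile(r"Access-Accept received from RADIUS server (\S+?),")
DROP = re.compile(r"Dropping EAP Response,\s*Maximum simultaneous user limit reached")
RETRY = re.compile(r"maximum 802 1x retries reached")
DEAUTH = re.compile(r"De-authentication sent to client")


def analyse(log_text):
    """Split a client log into attempts (assumed to end at a de-authentication
    or at end of log) and label where each one failed."""
    attempts, cur = [], None
    for line in filter(str.strip, log_text.splitlines()):
        if cur is None:
            cur = {"radius_server": None, "accepted": False,
                   "drop_after_accept": False, "limit_drop": False,
                   "retries_exhausted": False, "deauth": False}
        m = ACCEPT.search(line)
        if m:
            cur["radius_server"], cur["accepted"] = m.group(1), True
        elif DROP.search(line):
            cur["limit_drop"] = True
            cur["drop_after_accept"] = cur["accepted"]  # RADIUS said yes, WLC said no
        elif RETRY.search(line):
            cur["retries_exhausted"] = True
        elif DEAUTH.search(line):
            cur["deauth"] = True
            attempts.append(cur)
            cur = None
    if cur is not None:
        attempts.append(cur)
    for a in attempts:
        a["verdict"] = ("controller_drop_after_radius_accept" if a["drop_after_accept"]
                        else "controller_user_limit_drop" if a["limit_drop"]
                        else "dot1x_retry_timeout" if a["retries_exhausted"] else "no_failure_seen")
    return attempts
```

A `controller_drop_after_radius_accept` verdict points the investigation at the controller rather than at the RADIUS policy, since the server had already accepted the client.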
15 REPLIES

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Jen:

It seems your Radius is configured to allow only one session per user. For whatever reason the Radius thinks that the user that is trying to authenticate is already authenticated from somewhere else using the same username, and when it tries to authenticate again it sees it is already authenticated and prevents it from connecting again.
This could be real (where another machine is really using same username) or fake (for some reason the WLC/Radius are seeing the client twice although it is only connecting from one place).

You can troubleshoot further by disabling (or increasing) the max session allowed on radius and testing with same clients again.

The max 802.1x retries reached are appearing frequently in almost every WLC I have. I have no users reporting any issue so I don't care about those messages unless only a user reports something.

I have upgraded all my 20 WLCs 2 days ago. But this max retries message was appearing on 7.0.116.0 as well and still appearing now (with 7.0.230.0). I am using ACS as radius and I have the max session disabled on the radius.

Hope this helps.

Amjad

Rating useful replies is more useful than saying "Thank you"
Cisco Employee

Re: 7.0.230 and Dropping EAP Response Maximum simultaneous user

There is a new bug for this (if I am not wrong) which is still in the process of being verified.

The situation which breaks the auth process is where clients are configured for both machine authentication and user authentication...

I would suggest opening a TAC case for this or downgrading to 7.0.220.0... The issue seems to be affecting 7.0.230.0 and 7.2.103

Sent from Cisco Technical Support iPhone App

New Member

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Viten, OK, the potential bug makes more sense. If you get to know the bug id can you post it here?

Amjad, Not aware that Microsoft IAS Radius has a session limit (although the AD/policy settings may be imposing one).

Thanks, All.

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Jen:

do you have "Max-Login Ignore Identity Response" enabled or disabled?

This can be found under security-> Local EAP -> General in GUI.

If it is enabled please disable it and try if it is still happening. You may try enabling it also if it is disabled.

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Amjad, it's set to enabled on the 7.0.116 WLCs.

The write up for that field would make sense but I'm not expecting to use Local EAP as I'm using other Radius servers.

It would also need to mean that the above field doesn't really work in 7.0.116 but does in 7.0.230?

I'll need to have a play with it on test as I'm leaving our Live stuff on 7.0.116 for now.

Jen.

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Jen:

The timers under the local EAP affect all 802.1x communication (even with a radius server).

I don't know why they put it under "Local EAP" in GUI but in CLI you can simply have the info by the command "show advanced eap". It was added later to GUI and put under "Local EAP" but with earlier versions it was only available on the CLI with the command mentioned.

I am not sure about different versions. I am not sure if this existed in 7.0.116 (I think it did but not sure), but in earlier versions like 7.0 (I think) it was not there.

A try to modify that field won't harm.

Hope there will be positive feedback.

Amjad

Rating useful replies is more useful than saying "Thank you"

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Hi Amjad,

Yesterday, May 21, I updated 2 WLCs from code 7.0.98 to 7.2.103. Two WLANs configured on both controllers are in use with a single AD user account to authenticate all devices connected to those WLANs. In the troubleshooting window in WCS, I noticed the "Dropping EAP Response, Maximum simultaneous user limit reached" error message, and half of the devices couldn't connect to the network.

Looking at the max-login-ignore-identity-response option (at the CLI, by the config advanced eap command) I got the description of the command:

Configure to ignore the same username count reaching max in the EAP identity response.

So, I presume that this option, when enabled, will ignore any field in the EAP exchange messages with radius containing such information of a maximum user reached, making the user authenticated at the network. But, in my scenario, with this option enabled or not, I am still getting the Dropping EAP message and the user can't connect to the WLAN.

I think the problem is associated with another config option or behavior changed in the 7.2x core software, so I opened a TAC case, and I'll be updating you guys on this forum with any news from that.

Alexsandro Reimann.

Rate if it helps!

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Hi Alex,

Actually I just figured out that when max-login-ignore-identity-response is enabled you can have up to 8 concurrent logins using the same username:

'''snip'''

config advanced eap max-login-ignore-identity-response {enable | disable}—When enabled, this command limits the number of devices that can be connected to the controller with the same username. You can log in up to eight times from different devices (PDA, laptop, IP phone, and so on) on the same controller. The default value is enabled

'''snip'''

Reference: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html

Note this is from WLC perspective. From radius perspective however, if max number of sessions is limited to 2 for example, the third try will be rejected by the radius.

Because your problem happens although the radius shows passed authentication, I think your problem happens during the 4-way-handshake process that happens after the accept message from the radius.

We'll be waiting for your TAC progress.
They'll of course ask for debug client and debug aaa to investigate further.

Thank you for your update.

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

7.0.230 and Dropping EAP Response Maximum simultaneous user limi

Hi Alexsandro,

I am experiencing the same issue on WLC 7.2.111.3. Do you have any update from TAC on whether this is a bug and whether there is a fix for it?

regards

Joe
