Cisco Support Community

WLC 5508 cannot have similar user logged twice !

Dear Support Community,

I had users on Cisco WLC 440x controllers. Some service accounts were logged in several times with the same AD account.

Since I migrated them to the new controller (5508), it seems that we cannot have the same AD user logged in several times.

I changed the RADIUS server to the one we were using on the old 440x, but the situation seems to be the same.

I checked the error messages when trying to start a second similar connection; they look like:

*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client xxxxxxxxxxx

*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client xxxxxxxxxxx

If I move back to the other 440x, similar logins are allowed without any problems.

Could you tell me where I should look to fix this?

Thanks for your help,

Regards

P.S. We use certificates with users.
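
A triage sketch for the two controller messages quoted in the post above, added here as an example and not part of the original thread: it lists clients whose 802.1X authentication was aborted after the identity retry limit was hit. The function names and the sample MAC addresses are constructed for illustration; the message layout is taken from the quoted lines, including message text wrapped onto a following line.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the post; the MACs are made up.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:11:22:33:44:55
*Dot1x_NW_MsgTask_4: Aug 24 14:04:51.558: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447
Authentication aborted for client 00:11:22:33:44:55
*Dot1x_NW_MsgTask_2: Aug 24 14:06:10.120: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 66:77:88:99:aa:bb
"""

# "*<task>: <timestamp>: %<FACILITY-SEVERITY-MNEMONIC>: <text>"
HEADER = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
CLIENT = re.compile(r"for client (\S+)")

def parse_records(log_text):
    """Return one dict per message. A line without a '*task:' header is
    treated as the wrapped continuation of the previous message."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            records.append(match.groupdict())
        elif records:
            records[-1]["text"] += " " + line
    return records

def aborted_after_identity_retries(log_text):
    """Return {client: [timestamp of the retry-limit message, ...]} for clients
    where MAX_EAP_RETRIES was followed by ABORT_AUTH for the same client."""
    pending, hits = {}, defaultdict(list)
    for rec in parse_records(log_text):
        found = CLIENT.search(rec["text"])
        if not found:
            continue
        client = found.group(1).lower()
        if rec["mnemonic"] == "DOT1X-3-MAX_EAP_RETRIES":
            pending[client] = rec["ts"]
        elif rec["mnemonic"] == "DOT1X-3-ABORT_AUTH" and client in pending:
            hits[client].append(pending.pop(client))
    return dict(hits)

if __name__ == "__main__":
    for client, stamps in aborted_after_identity_retries(SAMPLE_LOG).items():
        print(client, len(stamps), stamps)
```

Grouping the result by client makes it easy to see whether the aborted sessions all belong to devices sharing one account.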

Accepted Solutions

Make sure Max Concurrent Logins for a username is set to 0 for unlimited. You can set this with a value from 1-8.

-Scott

Besides what Scott says, I just wanted you to take a look at the footnote in the screenshot that Scott provided.

When using 802.1x security make sure max-login-ignore-identity-response is disabled

You can enable/disable max-login-ignore-identity-response from Security->Local EAP->General. The concurrent login configuration won't work until you disable this feature.

HTH

Amjad


Amjad -

Without the max-login-ignore-identity response disabled my APs would not join. That additional step fixed the problem.

Hi esturao,

I am glad to hear that your issue is fixed.


For me, this was under ADVANCED EAP, not (security -> local eap -> general)

and yes this has solved the problem for us. Why have one setting when you can have two!

Thanks both of you for this information,

It was set to 1, changing it to 0 did the thing,

Regarding the remark from Amjad, it is currently set to enable (Max-Login Ignore Identity Response) but concurrent logins are working...

Good day

Hello,

I wonder if someone could clarify this feature for me? In order to limit guest logins to one login at a time per user account, you must set this option to 1. We also have a couple of WLANs that have 802.1x enabled, and if I set this option to 1, then our 802.1x are also limited to 1 login at a time. Is there a way to enforce only 1 login per local guest account, but still allow multiple logins for 802.1x users?

Dan.