ACS 5.2 - 5411 EAP Session Timeout

bvj197222 — Mon, 11 Mar 2019 02:06:24 GMT

Friends, I got a problem.

We run ACS 5-2-0-26-10. Some clients gets the error message "5411 EAP Session Timeout", and the clients are assigned guest LAN. If I reboot and log in again, still the same. However, if I reboot and log in with another user, it's back on the corporate network. Then I can log off and log in the user again, everything works fine. I haven't been able to find out why this happens. It's the machine authentication that fails, we have set our ACS to accept either user or machine ID. I also found out that if the user waits for about 20 minutes they're back on the corporate network. However I haven't found any timers that is set to this interval. I can't debug using Wireshark, because this is users that needs their computer right away, and I haven't been able to re-create the problem in lab neither.

Our port config;

switchport access vlan 320

switchport mode access

ip arp inspection limit rate 15 burst interval 5

authentication control-direction in

authentication event fail action authorize vlan 666

authentication event server dead action authorize vlan 320

authentication event no-response action authorize vlan 666

authentication event server alive action reinitialize

authentication port-control auto

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout quiet-period 20

dot1x timeout tx-period 10

storm-control broadcast level 5.00

storm-control multicast level 30.00

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

spanning-tree guard root

ip dhcp snooping limit rate 10

Global;

dot1x system-auth-control

dot1x guest-vlan supplicant

dot1x critical eapol

Any help I can get is highly appreciated!

topic ACS 5.2 - 5411 EAP Session Timeout in Network Access Control

ACS 5.2 - 5411 EAP Session Timeout