https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829850#M227199 <HTML><HEAD></HEAD><BODY><P>I don't know anything about your environment, but we have a problem at our headoffice with 5411 EAP Session Timeout. We suspect that it's because we have two VLAN, one for clients and one for servers. The DHCP-server is in the server VLAN and we use "ip helper" on the client VLAN to relay dhcp-requests between VLANs. We found two articles on this indicating that this might be a problem;</P><P></P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/2459530" rel="nofollow">http://support.microsoft.com/kb/2459530</A></P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/938449" rel="nofollow">http://support.microsoft.com/kb/938449</A></P><P></P><P>The symptoms is that the client hangs on the "Welcome"-screen for a long time, or the clients are being assigned the guest vlan. On the ACS we see "5411 EAP Session timeout..".</P><P></P><P>We're gonna test it out by placing a dhcp-server in our client VLAN and remove the "ip helper" command for that VLAN.</P></BODY></HTML> Tue, 22 May 2012 10:17:44 GMT bvj197222 2012-05-22T10:17:44Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829849#M227162 <P>Hi all,</P><P></P><P>We're having trouble trying to deploy 802.1x authentication on a brand new site.</P><P>Our primary and secondary ACS are located in Paris and the new site located in Toulouse, France.</P><P>Both sites are connected through the WAN.</P><P>Everytime a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.</P><P></P><P>Any pieces of advice greatly appreciated,</P><P></P><P>Best Regards,</P><P></P><P>Laurent</P> Mon, 11 Mar 2019 01:44:50 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829849#M227162 Laurent BOURHIS 2019-03-11T01:44:50Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829850#M227199 <HTML><HEAD></HEAD><BODY><P>I don't know anything about your environment, but we have a problem at our headoffice with 5411 EAP Session Timeout. We suspect that it's because we have two VLAN, one for clients and one for servers. The DHCP-server is in the server VLAN and we use "ip helper" on the client VLAN to relay dhcp-requests between VLANs. We found two articles on this indicating that this might be a problem;</P><P></P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/2459530" rel="nofollow">http://support.microsoft.com/kb/2459530</A></P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/938449" rel="nofollow">http://support.microsoft.com/kb/938449</A></P><P></P><P>The symptoms is that the client hangs on the "Welcome"-screen for a long time, or the clients are being assigned the guest vlan. On the ACS we see "5411 EAP Session timeout..".</P><P></P><P>We're gonna test it out by placing a dhcp-server in our client VLAN and remove the "ip helper" command for that VLAN.</P></BODY></HTML> Tue, 22 May 2012 10:17:44 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829850#M227199 bvj197222 2012-05-22T10:17:44Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829851#M227226 <HTML><HEAD></HEAD><BODY><P>Hi and thanks for your input <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN> !</P><P></P><P>I'm currently testing the hotfix mentionned in the first article.</P><P>I'll let you know after intensive testing.</P><P></P><P>Thx again,</P><P></P><P>Laurent</P></BODY></HTML> Tue, 22 May 2012 14:14:08 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829851#M227226 Laurent BOURHIS 2012-05-22T14:14:08Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829852#M227251 <HTML><HEAD></HEAD><BODY><P>Looking forward to see if the patch helps. We're also testing out the patch mentioned in KB2459530, and have installed it on two computers. The problem with 5411 EAP... comes and goes in our organisation. It's not persistent on one computer. So we have to test this patch for some time to see if it helps.</P></BODY></HTML> Wed, 23 May 2012 06:23:35 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829852#M227251 bvj197222 2012-05-23T06:23:35Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829853#M227279 <HTML><HEAD></HEAD><BODY><P>Be sure I'll let you know ASAP.</P><P>Just for my information, do you have the GPO "Always Wait for Network" disabled ?</P></BODY></HTML> Wed, 23 May 2012 07:20:56 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829853#M227279 Laurent BOURHIS 2012-05-23T07:20:56Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829854#M227294 <HTML><HEAD></HEAD><BODY><P> Yes, we have disabled that GPO because it causes a 10-20 sec (sometimes longer) delay for the user..</P></BODY></HTML> Wed, 23 May 2012 07:46:47 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829854#M227294 bvj197222 2012-05-23T07:46:47Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829855#M227303 <HTML><HEAD></HEAD><BODY><P>Hello Laurent,</P><P></P><P>any news? We have checked out the patch in our environment and it did not work. </P></BODY></HTML> Thu, 05 Jul 2012 08:59:29 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829855#M227303 bvj197222 2012-07-05T08:59:29Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829856#M227315 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>We are still struggling even after applying the MS patch. After a bit of research, we found that the issue is related to the PC being connected behind an IP phone. I also found a document related to our problem : <A href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357">http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357</A></P><P>I do not know your configuration, but I have one question : is your ACS pointing to Active Directory for authentication ?</P></BODY></HTML> Thu, 05 Jul 2012 11:38:48 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829856#M227315 Laurent BOURHIS 2012-07-05T11:38:48Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829857#M227322 <HTML><HEAD></HEAD><BODY><P> Yes, it is pointing to Active Directory for authentication. It works fine for our branch offices, which have the client and server (for dhcp) on the same vlan. The ACS is on a separate vlan, protected by firewall, at head office. Our problem is clients at the head office, which are on a different VLAN than the server providing DHCP. There is also a firewall between those to VLANs. Our problem occurs randomly every now and then, on various computers. We are considering placing the dhcp-server on the same VLAN as the clients to verify if that is the problem. </P></BODY></HTML> Tue, 10 Jul 2012 13:10:42 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829857#M227322 bvj197222 2012-07-10T13:10:42Z https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829858#M227329 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>There arent any policiing policies that might be dropping this traffic when other traffic is priortized? I dont think moving the dhcp server on the same vlan will affect anything since dhcp traffic isnt forwarded until eap success is handed to the client. The default timer for the eap session if using peap is around 120 seconds. Also are you experiencing this on mac osx clients by any chance or is this affecting windows machines?</P><P></P><P>thanks</P><P>Tarik Admani</P><P></P><P>Message was edited by: Tarik Admani</P></BODY></HTML> Wed, 11 Jul 2012 06:03:53 GMT https://community.cisco.com/t5/network-access-control/5411-eap-session-timeout-with-acs-in-the-wan/m-p/1829858#M227329 Tarik Admani 2012-07-11T06:03:53Z