https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259372#M564333 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/26555">@thomas</a>&nbsp;, I attached here the detailed log "steps" from the RADIUS Live Logs. Unfortunately, I cannot post the whole log due to security reasons but this log was a successful authentication but as you can see in files that I attached, it has multiple RADIUS Access-Request entry just for a single endpoint.</P><P>I would like to know if this is normal or is there an EAP or RADIUS timeout issue somewhere?&nbsp;</P><P>I am currently, using a certificate-based authentication and checked against our AD. I am not sure if this is normal if certificate-based authentication is being used.</P><P>Thank you</P> Wed, 16 Dec 2020 13:34:10 GMT fatalXerror 2020-12-16T13:34:10Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4258630#M564312 <P>Hi All,</P><P>Anyone here encountered seeing multiple EAP Start in a single user endpoint? We are using certificate-based authentication.</P><P>I noticed it in the details section of the RADIUS Live logs that one of my user endpoint have multiple "Received RADIUS Access-Request" before it can get fully authenticated.</P><P>Is this normal and why is it like that?</P><P>Thanks</P> Tue, 15 Dec 2020 10:24:19 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4258630#M564312 fatalXerror 2020-12-15T10:24:19Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259069#M564323 <P>Please provide the relevant Authentication Details. Hard to comment without actual messages.</P> <P>Also helps to know the actual endpoint type/OS and supplicant configuration if available.</P> Tue, 15 Dec 2020 22:07:25 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259069#M564323 thomas 2020-12-15T22:07:25Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259372#M564333 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/26555">@thomas</a>&nbsp;, I attached here the detailed log "steps" from the RADIUS Live Logs. Unfortunately, I cannot post the whole log due to security reasons but this log was a successful authentication but as you can see in files that I attached, it has multiple RADIUS Access-Request entry just for a single endpoint.</P><P>I would like to know if this is normal or is there an EAP or RADIUS timeout issue somewhere?&nbsp;</P><P>I am currently, using a certificate-based authentication and checked against our AD. I am not sure if this is normal if certificate-based authentication is being used.</P><P>Thank you</P> Wed, 16 Dec 2020 13:34:10 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259372#M564333 fatalXerror 2020-12-16T13:34:10Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259726#M564355 <P>Thank you, that is a start. You should not be receiving so many requests so quickly that they have not had a chance to finish!</P> <P>Next step is to look at your network device configuration.</P> <P>Most likely culprit is 802.1X timeout is extremely low (1 second ?) which is obviously bad.</P> <P>Our best practice recommendation is described under <A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self">Authentication Timer Settings</A>:</P> <PRE>c9300-Sw(config-if)#dot1x timeout tx-period 7 c9300-Sw(config-if)#dot1x max-reauth-req 3</PRE> <P>If that is not it then what endpoint type?</P> <P>What are the supplicant settings?</P> <P>Are all of your endpoints of this type doing this or just this one?</P> <P>&nbsp;</P> Thu, 17 Dec 2020 00:14:33 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4259726#M564355 thomas 2020-12-17T00:14:33Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4260211#M564370 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/26555">@thomas</a>&nbsp;, thank you for your feedback. By the way, my NAD is a WLC. What would be the best practice EAP timeout settings for WLC to use?</P> Thu, 17 Dec 2020 16:42:39 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4260211#M564370 fatalXerror 2020-12-17T16:42:39Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4260432#M564378 <P>See the post for <A href="https://community.cisco.com/t5/security-documents/top-six-important-cisco-wlc-settings-for-ise-integration/ta-p/3643795" target="_blank" rel="noopener">Top Six Important Cisco WLC settings for ISE integration</A>&nbsp;</P> Fri, 18 Dec 2020 00:45:44 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4260432#M564378 Greg Gibbs 2020-12-18T00:45:44Z https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4267414#M564581 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/303946">@fatalXerror</a>&nbsp;</P> <P>&nbsp;</P> <P>That's normal EAP behaviour I thought - it's a very chatty protocol- each time the Radius server sends the suppliant an EAP Challenge, the supplicant responds with an Access-Request packet.&nbsp;</P> <P>The RFCs are not that easy to digest as Rasika's excellent posting here&nbsp;<A href="https://mrncciew.com/2013/03/03/eap-overview/" target="_blank">https://mrncciew.com/2013/03/03/eap-overview/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Jan 2021 22:01:33 GMT https://community.cisco.com/t5/network-access-control/multiple-multiple-radius-access-request/m-p/4267414#M564581 Arne Bier 2021-01-05T22:01:33Z