https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497164#M300573 <P>Are you having any issue? Try increasing the Time out setting.</P> Mon, 18 Sep 2023 14:10:45 GMT aleabrahao 2023-09-18T14:10:45Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497163#M300572 <P>I am seeing 802.1X radius timeouts in the event log. I have increased the timeout to 10 seconds and they persist. packet captures on the radius server don't indicate problem neither do packet captures on the core switch at site that sits between the APs and the Radius server.</P><P>Interestingly radius timeouts only occur with EAP-TLS. Corporate SSID using 802.1x EAP_TLS experience RADIUS timeouts but Guest which also uses the same radius server for authenticating guest users doesn't experience timeouts</P><P>Packet captures on site show 802.1x users authenticating successfully but approx 1 sec after receiving the RADIUS ACCPET message you the client disassociate with the reason being RADIUS timeout. I can't see even seen on my capture what message is sent to the radius server after RADIUS ACCEPT</P> Mon, 18 Sep 2023 13:33:49 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497163#M300572 russell.sage 2023-09-18T13:33:49Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497164#M300573 <P>Are you having any issue? Try increasing the Time out setting.</P> Mon, 18 Sep 2023 14:10:45 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497164#M300573 aleabrahao 2023-09-18T14:10:45Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497165#M300574 <P>I have increased to the maximum of 10 secs. I have a change planned to upgrade the AP's in one network to 29.7 as per Meraki TAC suggestion but I don't see it fixing anything.</P> Mon, 18 Sep 2023 14:25:20 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497165#M300574 russell.sage 2023-09-18T14:25:20Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497166#M300575 <P>Okay, but are you having some kind of issue or is it just a concern about the content of the logs?</P> Mon, 18 Sep 2023 14:35:28 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497166#M300575 aleabrahao 2023-09-18T14:35:28Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497167#M300576 <P>So the customer reported random users having connectivity issues. The Windows NLA feature would indicate that they had loss network connectivity which coincided with events in the log. </P><P>The bit I am trying to get my head round is that I don't get timeouts on the Guest network which users the same radius servers but they don't user eap-tls.</P> Mon, 18 Sep 2023 14:41:56 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497167#M300576 russell.sage 2023-09-18T14:41:56Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497168#M300577 <P>What does the event log say on the client? What reason does it give for disconnecting?</P><P>It might be the client is refusing the connection after it is accepted. Perhaps the client does not like the RADIUS server certificate or something like that.</P> Mon, 18 Sep 2023 20:34:33 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497168#M300577 Philip D'Ath 2023-09-18T20:34:33Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497169#M300578 <P>I would have to check with the customer. In the Meraki log it says client disassociates with Radius Timeout error. But this tends to happen 1 second after the client has successfully authenticated. The customer brough it to us as they are seeing Windows NLA icon on their task bar. I don't think the two are related but customer is keen to get to the bottom of the timeouts.</P><P>Meraki have recommended a firmware upgrade to 29.7 on the AP's. Planned for later this week. I have run numerous packet captures across the estate and can't see how their can be a timeout with the setting at 10 seconds. </P> Mon, 18 Sep 2023 20:51:28 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497169#M300578 russell.sage 2023-09-18T20:51:28Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497170#M300579 <P>I don't think you are having an actual timeout - I believe one end (either the client or the RADIUS server) is refusing to respond to a message, which looks like a timeout from a packet capture perspective.</P><P>But I suspect on either the client or the RADIUS server, there will be additional information.</P> Mon, 18 Sep 2023 20:54:19 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497170#M300579 Philip D'Ath 2023-09-18T20:54:19Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497171#M300580 <P>The interesting thing is this that this only occurs on eap-tls - guest access also uses the radius server but we don't see radius timeouts but that use PEAP and the Cisco ISE internal user database for authentication. So it could be an eap-tls issue on ISE or the client. Do you know what message would be sent after a radius accept message as I would expect that to be final message</P> Mon, 18 Sep 2023 21:08:35 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497171#M300580 russell.sage 2023-09-18T21:08:35Z https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497172#M300581 <P>&gt;<SPAN>The interesting thing is this that this only occurs on eap-tls</SPAN></P><P>Perhaps they haven't been configured to trust the root CA certficate.</P><P>Perhaps they require a minimum of a SHA2 signed root CA certificate and it is only SHA1 signed.</P><P>&gt;<SPAN>what message would be sent after a radius accept message as I would expect that to be final message</SPAN></P><P>Hard to say. Could be COA. Could be an additional or secondary challenge. Need to check client log to see what it is saying.</P> Mon, 18 Sep 2023 21:31:05 GMT https://community.cisco.com/t5/wireless/802-1x-radius-timeout/m-p/5497172#M300581 Philip D'Ath 2023-09-18T21:31:05Z