
EAP Issue

fatalXerror
Level 5

Hi,

I was searching the internet for something that might lead me to EAP timer best practices for the WLC, because currently some of the endpoints are having issues connecting and, based on ISE logs, it shows "Endpoint Abandoned EAP Session and Started New", and I believe it is because of some timers that we need to tweak.

I suspect it is because of the WLC EAP timers located in Security > EAP Advanced, because the endpoint is having a hard time responding fast enough to ISE. Do you know which best-practice values we need to enter in those parameters?

Thanks

4 Replies

Hi,

Check out this Cisco Live presentation (page 87); it covers the WLC RADIUS configuration and best practices, amongst other things. Potentially increasing the RADIUS Server Timeout from the default 2 secs to 5 secs might help with your issue.

HTH

Hi @Rob Ingram, all settings I saw in the Cisco Live slides are the same in my deployment. I am suspecting it is an endpoint issue but I cannot point out where in the endpoint it is, either the OS or the driver. 

The thing is, most of them are able to connect with no issues but they have the same OS and driver version installed.

Do you have any idea where to look for this endpoint?

Thanks a lot.

It could also be a supplicant issue!

I suggest taking captures to analyze this and also please raise a TAC case. 

Thanks,

Nidhi 

The RADIUS timers from the BRKSEC presentation may be a red herring - tuning from 2 to 5 seconds just makes the WLC more tolerant when expecting an ACK from the RADIUS server. 5 seconds is a long time. And this applies to all RADIUS requests, not just EAP. I'd be wary of tuning this too long - more than 5 seconds doesn't make sense in a typical enterprise.

The EAP protocol layer has its own timers. And this is potentially where the issue lies. Example from a Cisco WLC:

eap-tuning.png

Apart from the fact that if a supplicant stops communicating back to ISE during an EAP session establishment, then ISE will also finally give up and throw a warning. I think this is quite normal, e.g. when a client walks out of the building and out of range of the WiFi. If, however, you are stationary and in clear sight of the AP, then this of course is not normal.