01-20-2012 03:33 AM - edited 03-10-2019 06:44 PM
Hi all,
We're having trouble trying to deploy 802.1x authentication on a brand new site.
Our primary and secondary ACS are located in Paris and the new site located in Toulouse, France.
Both sites are connected through the WAN.
Every time a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.
Any pieces of advice greatly appreciated,
Best Regards,
Laurent
05-22-2012 03:17 AM
I don't know anything about your environment, but we have a problem at our head office with 5411 EAP Session Timeout. We suspect that it's because we have two VLANs, one for clients and one for servers. The DHCP server is in the server VLAN and we use "ip helper" on the client VLAN to relay DHCP requests between VLANs. We found two articles on this indicating that this might be a problem:
http://support.microsoft.com/kb/2459530
http://support.microsoft.com/kb/938449
The symptoms are that the client hangs on the "Welcome" screen for a long time, or the clients are being assigned the guest VLAN. On the ACS we see "5411 EAP Session timeout..".
We're gonna test it out by placing a DHCP server in our client VLAN and removing the "ip helper" command for that VLAN.
05-22-2012 07:14 AM
Hi and thanks for your input!
I'm currently testing the hotfix mentioned in the first article.
I'll let you know after intensive testing.
Thx again,
Laurent
05-22-2012 11:23 PM
Looking forward to seeing if the patch helps. We're also testing out the patch mentioned in KB2459530, and have installed it on two computers. The problem with 5411 EAP... comes and goes in our organisation. It's not persistent on one computer. So we have to test this patch for some time to see if it helps.
05-23-2012 12:20 AM
Be sure I'll let you know ASAP.
Just for my information, do you have the GPO "Always Wait for Network" disabled?
05-23-2012 12:46 AM
Yes, we have disabled that GPO because it causes a 10-20 sec (sometimes longer) delay for the user.
07-05-2012 01:59 AM
Hello Laurent,
Any news? We have checked out the patch in our environment and it did not work.
07-05-2012 04:38 AM
Hi,
We are still struggling even after applying the MS patch. After a bit of research, we found that the issue is related to the PC being connected behind an IP phone. I also found a document related to our problem: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357
I do not know your configuration, but I have one question: is your ACS pointing to Active Directory for authentication?
07-10-2012 06:10 AM
Yes, it is pointing to Active Directory for authentication. It works fine for our branch offices, which have the client and server (for DHCP) on the same VLAN. The ACS is on a separate VLAN, protected by firewall, at head office. Our problem is clients at the head office, which are on a different VLAN than the server providing DHCP. There is also a firewall between those two VLANs. Our problem occurs randomly every now and then, on various computers. We are considering placing the DHCP server on the same VLAN as the clients to verify if that is the problem.
07-10-2012 11:03 PM
Hi,
There aren't any policing policies that might be dropping this traffic when other traffic is prioritized? I don't think moving the DHCP server to the same VLAN will affect anything, since DHCP traffic isn't forwarded until EAP success is handed to the client. The default timer for the EAP session if using PEAP is around 120 seconds. Also, are you experiencing this on Mac OS X clients by any chance, or is this affecting Windows machines?
thanks
Tarik Admani
Message was edited by: Tarik Admani
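Two observations in the thread are worth turning into a check before changing anything on the network: the timeouts "come and go" on some machines rather than sticking to one computer, and Laurent suspects a specific topology (PC behind an IP phone, i.e. particular switch ports). The script below is an added example written for this reply, not code from the thread, from Cisco or from the ACS product. It parses authentication records into per-endpoint and per-switch counts of 5411 timeouts versus other outcomes, so you can see whether a site, a switch, a port or a single endpoint is affected, and whether an endpoint fails every time (persistent) or only sometimes (intermittent). The key=value record layout is an assumption made for the example; the ACS 5.2 export format differs, so only the parsing regex would need adapting. The 5411 message is the one quoted in the thread; the other codes in the sample are constructed filler.

```python
"""Triage helper for "5411 EAP session timeout" reports (hypothetical example).

Classifies each (switch, port, MAC) tuple as clean, intermittent or persistent
with respect to 5411 timeouts and computes a timeout rate per switch (NAS).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records. The key=value layout is an assumption for this
# example and is not the real ACS 5.2 log format. Code 5411 is the message
# discussed in the thread; 5200/5400 here are constructed filler codes.
SAMPLE_LOG = """\
2012-07-05 08:01:12 nas=10.20.0.2 port=Gi1/0/5 mac=00:11:22:33:44:55 result=FAIL reason=5411 EAP session timeout
2012-07-05 08:03:40 nas=10.20.0.2 port=Gi1/0/5 mac=00:11:22:33:44:55 result=PASS reason=5200 Authentication succeeded
2012-07-05 08:05:02 nas=10.20.0.2 port=Gi1/0/6 mac=00:11:22:33:44:66 result=PASS reason=5200 Authentication succeeded
2012-07-05 08:10:19 nas=10.20.0.2 port=Gi1/0/7 mac=00:11:22:33:44:77 result=FAIL reason=5411 EAP session timeout
2012-07-05 08:12:31 nas=10.20.0.2 port=Gi1/0/7 mac=00:11:22:33:44:77 result=FAIL reason=5411 EAP session timeout
2012-07-05 08:14:55 nas=10.20.0.2 port=Gi1/0/7 mac=00:11:22:33:44:77 result=FAIL reason=5411 EAP session timeout
2012-07-05 09:00:07 nas=10.30.0.2 port=Gi1/0/1 mac=00:11:22:33:44:88 result=PASS reason=5200 Authentication succeeded
2012-07-05 09:02:44 nas=10.30.0.2 port=Gi1/0/1 mac=00:11:22:33:44:88 result=FAIL reason=5400 Authentication failed
"""

TIMEOUT_CODE = "5411"  # "EAP session timeout" as reported by ACS 5.2

RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) nas=(?P<nas>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>\S+) result=(?P<result>\S+) reason=(?P<code>\d+)"
)


@dataclass(frozen=True)
class Record:
    ts: str
    nas: str
    port: str
    mac: str
    result: str
    code: str


def parse_records(text):
    """Parse the assumed key=value layout; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(Record(**m.groupdict()))
    return records


def endpoint_summary(records):
    """Per (nas, port, mac): total attempts and how many ended in 5411."""
    summary = defaultdict(lambda: {"total": 0, "timeouts": 0})
    for r in records:
        key = (r.nas, r.port, r.mac)
        summary[key]["total"] += 1
        if r.code == TIMEOUT_CODE:
            summary[key]["timeouts"] += 1
    return dict(summary)


def classify_endpoints(summary):
    """Label each endpoint: clean (no 5411), persistent (only 5411), else intermittent."""
    labels = {}
    for key, counts in summary.items():
        if counts["timeouts"] == 0:
            labels[key] = "clean"
        elif counts["timeouts"] == counts["total"]:
            labels[key] = "persistent"
        else:
            labels[key] = "intermittent"
    return labels


def timeout_rate_by_nas(records):
    """Per switch: (number of 5411 timeouts, total attempts seen)."""
    timeouts = defaultdict(int)
    totals = defaultdict(int)
    for r in records:
        totals[r.nas] += 1
        if r.code == TIMEOUT_CODE:
            timeouts[r.nas] += 1
    return {nas: (timeouts[nas], totals[nas]) for nas in totals}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (nas, port, mac), label in sorted(classify_endpoints(endpoint_summary(recs)).items()):
        print(f"{nas} {port} {mac}: {label}")
    for nas, (t, n) in sorted(timeout_rate_by_nas(recs).items()):
        print(f"{nas}: {t}/{n} attempts ended in {TIMEOUT_CODE}")
```

Run it against a real export by replacing `SAMPLE_LOG` and `RECORD_RE`. A switch with a high rate on every port points at something between that switch and the ACS (WAN, policing, firewall), while a few persistent ports on an otherwise clean switch are the pattern you would expect if the IP-phone topology Laurent mentions is the cause.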