ACS Error messages

c.fuller · ‎11-06-2009

Hello -

I am receiving the following two ACS failed attempts logs for wireless clients connecting to WLAN using WPA1/PEAP.

"NAS duplicated authentication attempt"

"EAP-TLS or PEAP authentication failed during SSL handshake"

I am seeing these messages for many clients. Same clients show both messages at times.

The clients fail authentication and then will succeed at random.

I am seeing constant flow of these at all times though.

I wonder if the ACS is overwhelmed as we have added 770 new clients that use WPA/PEAP recently. It is these clients that most often show up in the log. But other clients show up too.

I have the ACS Radius Authentication server timeout set to the max (30 secs) on the WLCS...

Does anyone know what these messages indicate?

How can I determine if the ACS svr is overwhelmed? Is there a way to quantify it's load? For example, how many requests per second can it handle? etc....

Are there any design guides on redundant/HA ACS designs for 1000s of clients?

Any input is appreciated.

Thanks

darpotter · ‎11-09-2009

The RADIUS protocol includes a message-id field so that the server can spot re-sent packets.

When you see the 1st message it means ACS is seeing message ids that it thinks are currently processing (it has a list of open ids)

I was going to say the most likely cause is an overly aggressive re-try timeout in the WLCS... but you've got that set to 30 seconds which should be enough.

Looks to me like something in the ACS backend is hanging which is then causing a cascade of errors like you are seeing.

The 2nd message is a result of incoming packets being dropped by ACS. It will result in EAP conversations with bits missing or out of sequence.

Can you back off so that just a few clients are authenticated correctly then increase the number?