07-05-2012 02:16 PM - edited 03-10-2019 07:16 PM
07-06-2012 05:32 PM
Marco,
Please use this as a reference:
http://www.cisco.com/en/US/products/ps9911/products_tech_note09186a0080bb8100.shtml#radius11013
In an ACS 5.3 deployment, users fail dot1x authentication. The database used is an Active Directory. The RADIUS failure code is shown here:
RADIUS Request dropped: 11013 RADIUS packet already in the process
The ACS has ignored this request because it is a duplicate of another packet that is currently being processed. This can occur because of any of these:
The Average RADIUS Request Latency statistic is close to or exceeds the client RADIUS request timeout of the client.
External identity store can be very slow.
The ACS has been overloaded.
Perform these steps in order to resolve:
Increase the client RADIUS request timeout of the client.
Use a faster or additional external identity store.
Follow the ways to reduce the overload on ACS.
Thanks,
Tarik Admani
07-19-2012 08:22 AM
Hi tarik,
how can i do that ?
Increase the client RADIUS request timeout of the client.
Use a faster or additional external identity store.
Follow the ways to reduce the overload on ACS
07-19-2012 08:47 AM
Marco,
1. First we will have to see what the radius timeout values are set for on the network device. Also we need to identify if there is a relation to which network device(s) are generating this message and then try to increase the timeout values for that device. If there is some latency, note that some devices come with a default 5 second timer, some up to 15.
2. If you are using AD, where are the domain controllers with respect to the ACS? Is there a firewall or any policing policies that the ACS is subject to in its path to the DCs? If not, how many domain controllers do you have and how many are local to the ACS itself? Are your "sites" configured properly with the DC infrastructure so that when ACS queries the domain it is receiving domain controllers that are located closest to it? Also, what version of ACS are you running? If you are on ACS 5.3 then installing the latest patch will help fix some critical AD issues.
3. How many authentications do you see on average when this issue occurs, and what authentication mechanism are you using (eap-tls or peap)? These authentication protocols are different in the way they operate, and when it comes to authentications per second EAP-TLS does consume more processing power than PEAP.
Thanks,
Tarik Admani
Tarik Admani
*Please rate helpful posts*
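To work through step 1 above (find which network devices generate the 11013 message and whether their average RADIUS latency is close to their timeout), here is a small added script; it is not from the thread or from Cisco, and the log line layout, the NAD addresses and the timeout values are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample ACS-style log lines (not real ACS output; the field
# layout is an assumption made for this example). Each line carries the NAD
# address, the elapsed processing time in ms and the ACS result code.
SAMPLE_LOG = """\
2012-07-19 08:01:02 nad=10.1.1.10 latency_ms=4200 code=11013 msg="RADIUS packet already in the process"
2012-07-19 08:01:03 nad=10.1.1.10 latency_ms=5100 code=11013 msg="RADIUS packet already in the process"
2012-07-19 08:01:05 nad=10.1.1.10 latency_ms=4800 code=22037 msg="Authentication Passed"
2012-07-19 08:01:06 nad=10.1.1.20 latency_ms=300 code=22037 msg="Authentication Passed"
2012-07-19 08:01:07 nad=10.1.1.20 latency_ms=450 code=22037 msg="Authentication Passed"
"""

# Per-NAD RADIUS timeout in seconds, as set with "radius-server timeout" on
# the switch (assumed values for the example; IOS defaults to 5 seconds).
NAD_TIMEOUT_S = {"10.1.1.10": 5, "10.1.1.20": 5}

LINE_RE = re.compile(r"nad=(\S+) latency_ms=(\d+) code=(\d+)")

def analyze(log_text, nad_timeout_s, warn_ratio=0.8):
    """Return {nad: {"avg_latency_ms", "dup_count", "at_risk"}}.

    A NAD is flagged at_risk when its average latency reaches warn_ratio of
    its RADIUS timeout: at that point the NAD retransmits while ACS is still
    working on the first copy, which is what produces the 11013 drop.
    """
    latencies = defaultdict(list)
    dups = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the expected fields
        nad, latency_ms, code = m.group(1), int(m.group(2)), m.group(3)
        latencies[nad].append(latency_ms)
        if code == "11013":
            dups[nad] += 1
    report = {}
    for nad, values in latencies.items():
        avg = sum(values) / len(values)
        timeout_ms = nad_timeout_s.get(nad, 5) * 1000
        report[nad] = {
            "avg_latency_ms": avg,
            "dup_count": dups[nad],
            "at_risk": avg >= warn_ratio * timeout_ms,
        }
    return report

if __name__ == "__main__":
    for nad, result in analyze(SAMPLE_LOG, NAD_TIMEOUT_S).items():
        print(nad, result)
```

A NAD that shows up with both a high dup_count and at_risk set is the one whose timeout (or whose path to the identity store) to look at first.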
07-19-2012 09:17 AM
Hi tarik,
this is the port configuration in the switch
interface FastEthernet0/12
switchport mode access
switchport voice vlan 10
authentication port-control auto
authentication host-mode multi-domain
authentication violation protect
authentication event fail action authorize vlan 11
authentication event fail retry 2 action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication periodic
authentication timer reauthenticate 60
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
thanks
03-24-2016 10:44 PM
aaa accounting update newinfo