12-15-2020 02:24 AM
Hi All,
Has anyone here encountered multiple EAP Start messages for a single user endpoint? We are using certificate-based authentication.
I noticed in the details section of the RADIUS Live Logs that one of my user endpoints has multiple "Received RADIUS Access-Request" entries before it can get fully authenticated.
Is this normal and why is it like that?
Thanks
12-15-2020 02:07 PM
Please provide the relevant Authentication Details. Hard to comment without actual messages.
Also helps to know the actual endpoint type/OS and supplicant configuration if available.
12-16-2020 05:29 AM - edited 12-16-2020 05:34 AM
Hi @thomas, I have attached the detailed log "steps" from the RADIUS Live Logs. Unfortunately, I cannot post the whole log for security reasons. This log was a successful authentication, but as you can see in the files that I attached, it has multiple RADIUS Access-Request entries for just a single endpoint.
I would like to know if this is normal or is there an EAP or RADIUS timeout issue somewhere?
I am currently using certificate-based authentication, checked against our AD. I am not sure if this is normal when certificate-based authentication is being used.
Thank you
12-16-2020 04:14 PM
Thank you, that is a start. You should not be receiving so many requests so quickly that they have not had a chance to finish!
Next step is to look at your network device configuration.
The most likely culprit is an 802.1X timeout that is extremely low (1 second?), which is obviously bad.
Our best practice recommendation is described under Authentication Timer Settings:
c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3
If that is not it then what endpoint type?
What are the supplicant settings?
Are all of your endpoints of this type doing this or just this one?
12-17-2020 08:42 AM
Hi @thomas, thank you for your feedback. By the way, my NAD is a WLC. What would be the best practice EAP timeout settings for a WLC?
12-17-2020 04:45 PM
See the post for Top Six Important Cisco WLC settings for ISE integration
01-05-2021 02:01 PM
Hi @fatalXerror
That's normal EAP behaviour, I thought. It's a very chatty protocol: each time the RADIUS server sends the supplicant an EAP Challenge, the supplicant responds with an Access-Request packet.
The RFCs are not as easy to digest as Rasika's excellent posting here https://mrncciew.com/2013/03/03/eap-overview/
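Added example, not part of any post in this thread: a small Python check that separates the two cases discussed above, Access-Requests that answer an Access-Challenge (normal EAP round trips) from Access-Requests that arrive while the previous one is still unanswered. The log lines are constructed and simplified; only the "Received RADIUS Access-Request" wording comes from the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample (not the poster's log): simplified step lines for one endpoint.
SAMPLE = """\
02:24:01.100 Received RADIUS Access-Request
02:24:01.900 Received RADIUS Access-Request
02:24:02.700 Received RADIUS Access-Request
02:24:02.750 Returned RADIUS Access-Challenge
02:24:02.790 Received RADIUS Access-Request
02:24:02.820 Returned RADIUS Access-Challenge
02:24:02.860 Received RADIUS Access-Request
02:24:02.900 Returned RADIUS Access-Accept
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+)\s+(?:Received|Returned) RADIUS (Access-\w+)$")

def parse(text):
    """Return [(seconds_since_midnight, packet_type), ...] in log order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrelated lines
        h, mi, s, kind = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + float(s), kind))
    return events

def classify(events):
    """Label every Access-Request by what preceded it.

    initial           - first request, or first after an Accept/Reject
    round-trip        - follows an Access-Challenge (expected EAP chatter)
    unanswered-repeat - follows another Access-Request with no reply in between
    """
    labels, prev = [], None
    for ts, kind in events:
        if kind == "Access-Request":
            if prev in (None, "Access-Accept", "Access-Reject"):
                labels.append((ts, "initial"))
            elif prev == "Access-Challenge":
                labels.append((ts, "round-trip"))
            else:
                labels.append((ts, "unanswered-repeat"))
        prev = kind
    return labels

def summarize(text):
    return Counter(label for _, label in classify(parse(text)))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high "unanswered-repeat" count points toward the timer settings on the network device, while a log made up only of "round-trip" entries is the ordinary EAP exchange.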