
Multiple RADIUS Access-Request

fatalXerror
Level 5

Hi All,

Has anyone here encountered multiple EAP Start messages from a single user endpoint? We are using certificate-based authentication.

I noticed in the details section of the RADIUS Live Logs that one of my user endpoints has multiple "Received RADIUS Access-Request" entries before it can get fully authenticated.

Is this normal and why is it like that?

Thanks


thomas
Cisco Employee

Please provide the relevant Authentication Details. Hard to comment without actual messages.

Also helps to know the actual endpoint type/OS and supplicant configuration if available.

Hi @thomas, I attached here the detailed log "steps" from the RADIUS Live Logs. Unfortunately, I cannot post the whole log due to security reasons, but this log was a successful authentication, and as you can see in the files that I attached, it has multiple RADIUS Access-Request entries just for a single endpoint.

I would like to know if this is normal or is there an EAP or RADIUS timeout issue somewhere? 

I am currently using certificate-based authentication, checked against our AD. I am not sure if this is normal when certificate-based authentication is being used.

Thank you

Thank you, that is a start. You should not be receiving so many requests so quickly that they have not had a chance to finish!

Next step is to look at your network device configuration.

The most likely culprit is an 802.1X timeout that is extremely low (1 second?), which is obviously bad.

Our best practice recommendation is described under Authentication Timer Settings:

c9300-Sw(config-if)#dot1x timeout tx-period 7
c9300-Sw(config-if)#dot1x max-reauth-req 3

If that is not it then what endpoint type?

What are the supplicant settings?

Are all of your endpoints of this type doing this or just this one?

 

Hi @thomas, thank you for your feedback. By the way, my NAD is a WLC. What would be the best practice EAP timeout settings for a WLC?

Hi @fatalXerror 

 

That's normal EAP behaviour, I thought. It's a very chatty protocol: each time the RADIUS server sends the supplicant an EAP Challenge, the supplicant responds with an Access-Request packet.

The RFCs are not as easy to digest as Rasika's excellent posting here: https://mrncciew.com/2013/03/03/eap-overview/
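
The thread raises two explanations for repeated Access-Requests: ordinary EAP round trips, and requests sent before the previous one was answered. The sketch below is an added example, not part of any reply above and not ISE's log format; it separates the two cases over a constructed packet list. The tuple layout and the function names are assumptions made for illustration.

```python
from collections import Counter

NORMAL, RETRANSMIT, RESTART = "normal", "retransmit", "restart"

def classify_requests(events):
    """Label each Access-Request in one endpoint's RADIUS conversation.

    events: (seconds, RADIUS packet type, RADIUS identifier, EAP payload).
    This layout is constructed for the example, not an ISE export format.
    """
    labels = []
    awaiting_reply = False   # a request is outstanding, server has not answered
    last_request_id = None
    started = False          # an EAP conversation is already under way
    for _t, kind, radius_id, eap in events:
        if kind == "Access-Request":
            if awaiting_reply and radius_id == last_request_id:
                labels.append(RETRANSMIT)   # NAD resent the same packet (same Identifier)
            elif started and eap == "Identity":
                labels.append(RESTART)      # EAP began again before finishing
            else:
                labels.append(NORMAL)       # first request, or answer to a challenge
            awaiting_reply, last_request_id, started = True, radius_id, True
        elif kind == "Access-Challenge":
            awaiting_reply = False
        else:                               # Access-Accept or Access-Reject ends it
            awaiting_reply, started = False, False
    return labels

def summarize(events):
    counts = Counter(classify_requests(events))
    noisy = counts[RETRANSMIT] or counts[RESTART]
    verdict = "check NAD/supplicant timers" if noisy else "expected EAP round trips"
    return dict(counts), verdict

# Constructed sample: one request per challenge, then an accept.
HEALTHY = [
    (0.0, "Access-Request", 1, "Identity"), (0.1, "Access-Challenge", 1, "TLS"),
    (0.2, "Access-Request", 2, "TLS"),      (0.3, "Access-Challenge", 2, "TLS"),
    (0.4, "Access-Request", 3, "TLS"),      (0.5, "Access-Challenge", 3, "TLS"),
    (0.6, "Access-Request", 4, "TLS"),      (0.7, "Access-Accept", 4, None),
]
# Constructed sample: a second Identity after 1 s, then a resent packet.
TROUBLED = [
    (0.0, "Access-Request", 10, "Identity"), (1.0, "Access-Request", 11, "Identity"),
    (1.1, "Access-Challenge", 11, "TLS"),    (1.2, "Access-Request", 12, "TLS"),
    (2.2, "Access-Request", 12, "TLS"),      (2.3, "Access-Challenge", 12, "TLS"),
    (2.4, "Access-Request", 13, "TLS"),      (2.5, "Access-Accept", 13, None),
]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("troubled", TROUBLED)):
        print(name, summarize(sample))
```

A conversation where every request is labelled normal matches the "chatty protocol" explanation; retransmits or restarts point back to the timer settings discussed earlier in the thread.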