Beginner

Cisco WLC 2504: how to see EAP timeout / retry counts

I'm troubleshooting an issue where a MacBook client loses all connectivity suddenly even though the Wi-Fi icon shows it's still connected.

An Omnipeek capture still shows 802.11 frames between the MacBook and the AP during the period of the connectivity loss. I suspect that the connection fails after an 802.1x timeout re-auth "event" because if I disable the session timeout on the WLAN, the problem goes away, but I still need to get some proof. When I have the session timeout enabled, the connectivity drops, the client waits another re-auth period and the connectivity comes back. I have SKC on the WLAN disabled (not sure if that means that PKC / OKC is also disabled or not).

I was thinking that maybe the issue is occurring because the EAP parameters might need to be fine-tuned. I see the following EAP Parameters in the WLAN settings under Security > AAA Servers:

EAPOL Key timeout
EAPOL Key Retries
Identity Request Timeout
Identity Request Retries
Request Timeout
Request Retries

Is there a Cisco WLC show command to see counters for how often each of these EAP timeouts and retries have happened? I did a debug client command, but I haven't seen any dot1x EAP timeouts or retry messages (yet).


Accepted Solutions
Beginner

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

I just wanted to report back with the answer:

show ap stats wlan <AP-Name>

This will show you per-AP and per-WLAN statistics:

(Cisco Controller) >show ap stats wlan APXXXX.XXXX.XXXX

WLAN 1
EAP Id Request Msg Timeouts................... 0
EAP Id Request Msg Timeouts Failures.......... 0
EAP Request Msg Timeouts...................... 0
EAP Request Msg Timeouts Failures............. 0
EAP Key Msg Timeouts.......................... 0
EAP Key Msg Timeouts Failures................. 0

(Cisco Controller) >

To clear the EAP retry statistics:

clear stats ap wlan <AP-Name>
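
Added example, not part of the original post and not Cisco tooling: one way to turn the counters above into evidence is to capture `show ap stats wlan` before and after a connectivity drop and diff the two snapshots. The sample output is constructed in the format shown above with made-up values, the function names are hypothetical, and the code assumes the counters accumulate until they are cleared.

```python
import re

# Constructed sample in the output format shown in the answer above. The AP
# name is the page's placeholder; the counter values are made up.
TEMPLATE = """\
(Cisco Controller) >show ap stats wlan APXXXX.XXXX.XXXX

WLAN 1
EAP Id Request Msg Timeouts................... 0
EAP Id Request Msg Timeouts Failures.......... 0
EAP Request Msg Timeouts...................... {req}
EAP Request Msg Timeouts Failures............. 0
EAP Key Msg Timeouts.......................... {key}
EAP Key Msg Timeouts Failures................. {key_fail}

(Cisco Controller) >
"""
BEFORE = TEMPLATE.format(req=3, key=1, key_fail=0)
AFTER = TEMPLATE.format(req=7, key=1, key_fail=2)

WLAN = re.compile(r"^WLAN\s+(\d+)$")
COUNTER = re.compile(r"^(.+?)\.{2,}\s*(\d+)$")  # "Name.......... 12"

def parse_ap_wlan_stats(text):
    """Return {wlan_id: {counter_name: value}} from 'show ap stats wlan' text."""
    stats, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := WLAN.match(line):
            current = stats.setdefault(int(m.group(1)), {})
        elif current is not None and (m := COUNTER.match(line)):
            current[m.group(1).strip()] = int(m.group(2))
    return stats

def counter_deltas(before, after):
    """Return {(wlan_id, counter_name): increase} for counters that moved.

    A value lower than in the earlier snapshot is assumed to mean the
    statistics were cleared in between, so the later value is the increase.
    """
    old, deltas = parse_ap_wlan_stats(before), {}
    for wlan, counters in parse_ap_wlan_stats(after).items():
        for name, value in counters.items():
            prev = old.get(wlan, {}).get(name, 0)
            if increase := (value - prev if value >= prev else value):
                deltas[(wlan, name)] = increase
    return deltas

if __name__ == "__main__":
    for (wlan, name), inc in sorted(counter_deltas(BEFORE, AFTER).items()):
        print(f"WLAN {wlan}: {name} +{inc}")
```

Timestamp each snapshot so the increases can be lined up with the packet capture and the WLAN session timeout interval.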

Hall of Fame Community Legend

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

sh advanced eap
Beginner

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

Hi Leo,

Thanks for your response. I think the values listed under the command are the EAP parameter default values, and not the actual EAP statistics, correct?

(Cisco Controller) show>advanced eap


EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600

(Cisco Controller) show>

Cisco Employee

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

 

Only when using Local EAP authentication, there are related statistics.

(wireless-vwlc-2) >show local-auth statistics

Local EAP authentication DB statistics:
Requests received ............................... 0
Responses returned .............................. 0
Requests dropped (no EAP AVP) ................... 0
Requests dropped (other reasons) ................ 0
Authentication timeouts ......................... 0
Request reject (max active EAP context reache.... 0
EAP abort ....................................... 0
EAP delete ...................................... 0
Number of Active EAP context..................... 0

Authentication statistics:
Method Success Fail
------------------------------------
Unknown 0 0
LEAP 0 0
EAP-FAST 0 0
EAP-TLS 0 0
PEAP 0 0

Local EAP credential request statistics:

--More-- or (q)uit
Requests sent to LDAP DB ........................ 0
Requests sent to File DB ........................ 0
Requests failed (unable to send) ................ 0
Authentication results received:
Success ....................................... 0
Fail .......................................... 0

Certificate operations:
Local device certificate load failures .......... 0
Total peer certificates checked ................. 0
Failures:
CA issuer check ............................... 0
CN name not equal to identity ................. 0
Dates not valid or expired .................... 0

 

Contributor

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

Some additional basic checks, which you might know already:

The default RADIUS server timeout is 2 sec; increase it to 5-10 seconds.

Make sure the session timeout is set up right.

If your DCA algorithm is set to the default interval, which is 10 minutes, and your 802.1x SSID does not have key caching enabled, then every channel reassignment will cause all clients to disconnect and re-authenticate, so set the DCA algorithm timer high enough.

-Rate helpful posts-
Beginner

Re: Cisco WLC 2504: how to see EAP timeout / retry counts

Hi ammahend,

Thanks for the suggestion! I'll try that out.
