Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1456
Views
0
Helpful
2
Replies

ACS 5.4 with RSA SecurID EAP Method

nix-patheon
Level 1
Level 1

‎01-08-2014 02:28 AM - edited ‎03-10-2019 09:15 PM

Hi all,

I'm having issues authenticating against an RSA server for token authentication through my ACS 1121 (5.4) using a wireless supplicant.

RADIUS authentication log on the ACS shows: 5411 EAP session timed out. I think this may possibly de due to the EAP method used, currently using PEAP & EAP-GTC (tunnel protocol).

I have created an access policy for my RSA server and currently allowing the following EAP protocols:

PEAP:

     Allow EAP-GTC

EAP-FAST:

     Allow EAP-GTC

I'm not sure (possibly because of the EAP method) that the ACS is even talking to the RSA server as it has yet to download the node secret from it either.

Any suggestions would be very helpful!

Thanks.

Labels:
0 Helpful
2 Replies 2

edwjames
Level 3
Level 3

‎01-08-2014 05:40 AM

Hi Nix,

This looks like a client issue:

http://www.cisco.com/image/gif/paws/113485/acs5x-tshoot.pdf#page=24&zoom=auto,0,387

Problem: Error "5411 EAP session timed out"

5411 EAP session timed out error messages are received on ACS 5.x.

Solution

EAP session timeouts are quite common with PEAP where the supplicant restarts authentication after the

initial packet goes out to the RADIUS server and, most of the time, are not indicative of a problem.

The flow that is commonly seen is:

Supplicant −−−−−−−−−−−−− Authenticator −−−−−−−−−−−−−− ACS

Connect

<−−−−−−−−−−−−−−−−−−Request for Identity

−−−−−−−−−−−−−−−−−−−−−−−> Response Identity −−−−−−−−−−−−−>

<−−−−−−−−−−−−−−   EAP Challenge <−−−−−−−−−−−−−−−−EAPOL−Start

−−−−−−−−−−−−−>

normal

flow ending in successful authentication.......

In the end the authentication is successful. However, there is a thread left open on the ACS due to the abrupt

restart of the EAP session from the supplicant which causes a successful authentication followed by the EAP

session timeout message. Many times this is due to the driver level of the machine. Make sure that the

NIC/Wireless drivers are up to date on the client machine. You can capture on the client and filter on EAP ||

EAPOL in order to see what the client receives or sends when connecting.

Can you check client configuration?

What supplicant software are you using?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
0 Helpful

nix-patheon
Level 1
Level 1
In response to edwjames

‎01-08-2014 05:53 AM

Hi Edward,

Thank you very much for replying.

I have continued to work further on this (turns out there was a rule missing for my RSA access service that generated the EAP timeout) and am now able to get an authentication prompt. However, authentication is failing at the RSA server with:

User “x” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”.

I also see a lot of errors for 11013 RADIUS packet already in the process, which makes me think I should possibly increase the time-out value?

The client details are as follows:

Client machine: Windows 7

Supplicant: SecureW2

Supplicant Config: PEAP/EAP-GTC

Thank you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents