I'm having issues authenticating against an RSA server for token authentication through my ACS 1121 (5.4) using a wireless supplicant.
RADIUS authentication log on the ACS shows: 5411 EAP session timed out. I think this may possibly be due to the EAP method used, currently using PEAP & EAP-GTC (tunnel protocol).
I have created an access policy for my RSA server and am currently allowing the following EAP protocols:
I'm not sure (possibly because of the EAP method) that the ACS is even talking to the RSA server as it has yet to download the node secret from it either.
Any suggestions would be very helpful!
This looks like a client issue:
Problem: Error "5411 EAP session timed out"
5411 EAP session timed out error messages are received on ACS 5.x.
EAP session timeouts are quite common with PEAP where the supplicant restarts authentication after the initial packet goes out to the RADIUS server and, most of the time, are not indicative of a problem.
The flow that is commonly seen is:
Supplicant −−−−−−−−−−−−− Authenticator −−−−−−−−−−−−−− ACS
<−−−−−−−−−−−−−−−−−−Request for Identity
−−−−−−−−−−−−−−−−−−−−−−−> Response Identity −−−−−−−−−−−−−>
<−−−−−−−−−−−−−− EAP Challenge <−−−−−−−−−−−−−−−−EAPOL−Start
flow ending in successful authentication.......
In the end the authentication is successful. However, there is a thread left open on the ACS due to the abrupt restart of the EAP session from the supplicant which causes a successful authentication followed by the EAP session timeout message. Many times this is due to the driver level of the machine. Make sure that the NIC/Wireless drivers are up to date on the client machine. You can capture on the client and filter on EAP || EAPOL in order to see what the client receives or sends when connecting.
Can you check client configuration?
What supplicant software are you using?
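What the client capture suggested above (filter on EAP || EAPOL) would show for the restart flow, as an added example that is not part of the original reply or of Cisco's documentation: it decodes EAPOL payloads and flags an EAPOL-Start sent while an EAP conversation is still open. The frame bytes are constructed, and `parse_eapol`, `find_restarts` and `eap` are hypothetical helper names.

```python
import struct

EAPOL_EAP, EAPOL_START = 0, 1  # EAPOL packet types (IEEE 802.1X)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

def parse_eapol(frame):
    """Classify one EAPOL payload (the bytes after EtherType 0x888e)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype == EAPOL_START:
        return "EAPOL-Start"
    if ptype != EAPOL_EAP:
        return "EAPOL-other"
    body = frame[4:4 + length]
    if length < 4 or len(body) < length:
        raise ValueError("truncated EAP packet")
    return EAP_CODES.get(body[0], "EAP-unknown")

def find_restarts(frames):
    """Indexes of EAPOL-Start frames sent before Success/Failure closed the session."""
    restarts, in_progress = [], False
    for i, raw in enumerate(frames):
        kind = parse_eapol(raw)
        if kind == "EAPOL-Start":
            if in_progress:
                restarts.append(i)  # session abandoned mid-exchange
            in_progress = False
        elif kind in ("Request", "Response"):
            in_progress = True
        elif kind in ("Success", "Failure"):
            in_progress = False
    return restarts

def eap(code, ident, etype=None, data=b""):
    """Build a constructed EAPOL frame carrying one EAP packet."""
    body = bytes([etype]) + data if etype is not None else b""
    pkt = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, EAPOL_EAP, len(pkt)) + pkt

START = struct.pack("!BBH", 1, EAPOL_START, 0)
SAMPLE = [  # constructed capture; EAP type 1 = Identity, 25 = PEAP
    eap(1, 1, 1), eap(2, 1, 1, b"user"),  # Request / Response Identity
    eap(1, 2, 25, b"\x20"),               # EAP Challenge (PEAP start)
    START,                                # supplicant restarts abruptly
    eap(1, 3, 1), eap(2, 3, 1, b"user"),
    eap(1, 4, 25, b"\x20"), eap(2, 4, 25, b"\x00"),
    eap(3, 4),                            # Success on the second attempt
]

if __name__ == "__main__":
    print("restart at frame index:", find_restarts(SAMPLE))
```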
Thank you very much for replying.
I have continued to work further on this (turns out there was a rule missing for my RSA access service that generated the EAP timeout) and am now able to get an authentication prompt. However, authentication is failing at the RSA server with:
User “x” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”.
I also see a lot of errors for 11013 RADIUS packet already in the process, which makes me think I should possibly increase the time-out value?
The client details are as follows:
Client machine: Windows 7
Supplicant Config: PEAP/EAP-GTC