Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ACS 5.4 with RSA SecurID EAP Method

Hi all,

I'm having issues authenticating against an RSA server for token authentication through my ACS 1121 (5.4) using a wireless supplicant.

RADIUS authentication log on the ACS shows: 5411 EAP session timed out. I think this may possibly de due to the EAP method used, currently using PEAP & EAP-GTC (tunnel protocol).

I have created an access policy for my RSA server and currently allowing the following EAP protocols:


     Allow EAP-GTC


     Allow EAP-GTC

I'm not sure (possibly because of the EAP method) that the ACS is even talking to the RSA server as it has yet to download the node secret from it either.

Any suggestions would be very helpful!



ACS 5.4 with RSA SecurID EAP Method

Hi Nix,

This looks like a client issue:,0,387

Problem: Error "5411 EAP session timed out"

5411 EAP session timed out error messages are received on ACS 5.x.


EAP session timeouts are quite common with PEAP where the supplicant restarts authentication after the

initial packet goes out to the RADIUS server and, most of the time, are not indicative of a problem.

The flow that is commonly seen is:

Supplicant −−−−−−−−−−−−− Authenticator −−−−−−−−−−−−−− ACS


<−−−−−−−−−−−−−−−−−−Request for Identity

−−−−−−−−−−−−−−−−−−−−−−−> Response Identity −−−−−−−−−−−−−>

<−−−−−−−−−−−−−−   EAP Challenge <−−−−−−−−−−−−−−−−EAPOL−Start



flow ending in successful authentication.......

In the end the authentication is successful. However, there is a thread left open on the ACS due to the abrupt

restart of the EAP session from the supplicant which causes a successful authentication followed by the EAP

session timeout message. Many times this is due to the driver level of the machine. Make sure that the

NIC/Wireless drivers are up to date on the client machine. You can capture on the client and filter on EAP ||

EAPOL in order to see what the client receives or sends when connecting.

Can you check client configuration?

What supplicant software are you using?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

ACS 5.4 with RSA SecurID EAP Method

Hi Edward,

Thank you very much for replying.

I have continued to work further on this (turns out there was a rule missing for my RSA access service that generated the EAP timeout) and am now able to get an authentication prompt. However, authentication is failing at the RSA server with:

User “x” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”.

I also see a lot of errors for 11013 RADIUS packet already in the process, which makes me think I should possibly increase the time-out value?

The client details are as follows:

Client machine: Windows 7

Supplicant: SecureW2

Supplicant Config: PEAP/EAP-GTC

Thank you.