Authentication failure due to AAA server unavailability

mohd-shakir
Level 1

Hi Cisco Team,

We have a 5520 series WLC with 3800 series access points joined to it; 9 access points are installed at the site and are using FlexConnect mode.

There are 2 users who are facing an intermittent disconnection issue due to "Authentication failure due to AAA server unavailability" or "EAP method type 13 authentication failed".

Could you please help me with this and give me a possible solution?


Mark Elsen
Hall of Fame

 

@mohd-shakir Below you will find the output of Debug logs.txt when parsed with Wireless Debug Analyzer.
We can see multiple ongoing requests to the radius server.
Good chance it could be an EAP fragmentation issue over the tunnel.
Look up setting the framed-MTU attribute in NPS and play around with lowering that
(or similar setting if other radius server brand is being used).

M.
                                

 

Time Task Translated
Connection attempt #1
Nov 12 11:02:19.471 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:02:19.703 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:02:19.703 *aaaQueueReader Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.709 *radiusTransportThread Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.846 *aaaQueueReader Radius request with ID 14 sent to 10.128.80.232.
Nov 12 11:02:19.848 *radiusTransportThread Radius request with ID 14 sent to 10.128.80.232.
Nov 12 11:02:19.977 *aaaQueueReader Radius request with ID 15 sent to 10.128.80.232.
Nov 12 11:02:19.978 *radiusTransportThread Radius request with ID 15 sent to 10.128.80.232.
Nov 12 11:02:20.107 *aaaQueueReader Radius request with ID 16 sent to 10.128.80.232.
Nov 12 11:02:20.108 *radiusTransportThread Radius request with ID 16 sent to 10.128.80.232.
Nov 12 11:02:20.235 *aaaQueueReader Radius request with ID 17 sent to 10.128.80.232.
Nov 12 11:02:20.236 *radiusTransportThread Radius request with ID 17 sent to 10.128.80.232.
Nov 12 11:02:20.360 *aaaQueueReader Radius request with ID 18 sent to 10.128.80.232.
Nov 12 11:02:20.361 *radiusTransportThread Radius request with ID 18 sent to 10.128.80.232.
Nov 12 11:02:20.486 *aaaQueueReader Radius request with ID 19 sent to 10.128.80.232.
Nov 12 11:02:20.487 *radiusTransportThread Radius request with ID 19 sent to 10.128.80.232.
Nov 12 11:02:20.611 *aaaQueueReader Radius request with ID 20 sent to 10.128.80.232.
Nov 12 11:02:20.612 *radiusTransportThread Radius request with ID 20 sent to 10.128.80.232.
Nov 12 11:02:20.745 *aaaQueueReader Radius request with ID 21 sent to 10.128.80.232.
Nov 12 11:02:20.747 *radiusTransportThread Radius request with ID 21 sent to 10.128.80.232.
Nov 12 11:02:20.871 *aaaQueueReader Radius request with ID 22 sent to 10.128.80.232.
Nov 12 11:02:20.873 *radiusTransportThread Radius request with ID 22 sent to 10.128.80.232.
Nov 12 11:02:20.998 *aaaQueueReader Radius request with ID 23 sent to 10.128.80.232.
Nov 12 11:02:21.000 *radiusTransportThread Radius request with ID 23 sent to 10.128.80.232.
Connection attempt #2
Nov 12 11:06:44.030 *apfMsConnTask_7 Client made new Association to AP/BSSID BSSID cc:db:93:11:5a:25 AP RIOAP05
Nov 12 11:06:44.031 *apfMsConnTask_7 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Nov 12 11:06:44.031 *apfMsConnTask_7 The Reassociation Request from the client comes with 0 PMKID
Nov 12 11:06:44.031 *apfMsConnTask_7 Client is entering the 802.1x or PSK Authentication state
Nov 12 11:06:44.031 *apfMsConnTask_7 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Nov 12 11:06:44.177 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:06:44.313 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:06:44.313 *aaaQueueReader Radius request with ID 168 sent to 10.128.80.232.
Nov 12 11:06:44.319 *radiusTransportThread Radius request with ID 168 sent to 10.128.80.232.
Nov 12 11:06:44.450 *aaaQueueReader Radius request with ID 169 sent to 10.128.80.232.
Nov 12 11:06:44.452 *radiusTransportThread Radius request with ID 169 sent to 10.128.80.232.
Nov 12 11:06:44.577 *aaaQueueReader Radius request with ID 170 sent to 10.128.80.232.
Nov 12 11:06:44.579 *radiusTransportThread Radius request with ID 170 sent to 10.128.80.232.
Nov 12 11:06:44.703 *aaaQueueReader Radius request with ID 171 sent to 10.128.80.232.
Nov 12 11:06:44.705 *radiusTransportThread Radius request with ID 171 sent to 10.128.80.232.
Nov 12 11:06:44.830 *aaaQueueReader Radius request with ID 172 sent to 10.128.80.232.
Nov 12 11:06:44.831 *radiusTransportThread Radius request with ID 172 sent to 10.128.80.232.
Nov 12 11:06:44.956 *aaaQueueReader Radius request with ID 173 sent to 10.128.80.232.
Nov 12 11:06:44.957 *radiusTransportThread Radius request with ID 173 sent to 10.128.80.232.
Nov 12 11:06:45.083 *aaaQueueReader Radius request with ID 174 sent to 10.128.80.232.
Nov 12 11:06:45.084 *radiusTransportThread Radius request with ID 174 sent to 10.128.80.232.
Nov 12 11:06:45.208 *aaaQueueReader Radius request with ID 175 sent to 10.128.80.232.
Nov 12 11:06:45.209 *radiusTransportThread Radius request with ID 175 sent to 10.128.80.232.
Nov 12 11:06:45.341 *aaaQueueReader Radius request with ID 176 sent to 10.128.80.232.


-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)
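A way to summarise translated output like the log in the reply above, added here as an example (it is not part of the original thread and not Cisco's tool): it groups lines by connection attempt and reports the RADIUS server, the distinct request IDs, the time span of the exchange, and whether the attempt's last logged line is still a RADIUS request. The function name `summarize` is hypothetical and `SAMPLE` is a constructed subset of the lines quoted above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the translated lines quoted in the reply above.
SAMPLE = """\
Connection attempt #1
Nov 12 11:02:19.471 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:02:19.703 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:02:19.703 *aaaQueueReader Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.709 *radiusTransportThread Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.846 *aaaQueueReader Radius request with ID 14 sent to 10.128.80.232.
Nov 12 11:02:19.848 *radiusTransportThread Radius request with ID 14 sent to 10.128.80.232.
Connection attempt #2
Nov 12 11:06:44.177 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:06:44.313 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:06:44.313 *aaaQueueReader Radius request with ID 168 sent to 10.128.80.232.
"""

ATTEMPT = re.compile(r"^Connection attempt #(\d+)")
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \*(\S+) (.*)$")  # timestamp, task, message
RADIUS = re.compile(r"Radius request with ID (\d+) sent to (\d+(?:\.\d+){3})")

def summarize(text, year=2000):
    """Summarise each connection attempt. The log carries no year, so `year`
    is an assumed placeholder used only to compute time differences."""
    attempts, cur = [], None
    for raw in text.splitlines():
        raw = raw.strip()
        if (m := ATTEMPT.match(raw)):
            cur = {"attempt": int(m.group(1)), "servers": set(), "ids": [],
                   "times": [], "ends_on_radius_request": False}
            attempts.append(cur)
            continue
        m = LINE.match(raw)
        if not m or cur is None:
            continue
        r = RADIUS.search(m.group(3))
        cur["ends_on_radius_request"] = bool(r)  # tracks the attempt's last parsed line
        if r:
            rid = int(r.group(1))
            if rid not in cur["ids"]:  # each ID is logged under two task names; count it once
                cur["ids"].append(rid)
            cur["servers"].add(r.group(2))
            cur["times"].append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f"))
    for a in attempts:
        t = a.pop("times")
        a["span_ms"] = round((max(t) - min(t)).total_seconds() * 1000) if t else 0
    return attempts
```

An attempt with many distinct IDs that still ends on a RADIUS request is the pattern the reply points at; comparing `len(ids)` and `span_ms` before and after a Framed-MTU change shows whether the exchange now reaches a later stage.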

@Mark Elsen Could you please help me resolve the EAP fragmentation issue over the tunnel?

Could you please share the steps so that I can perform them on the WLC?

 

@mohd-shakir As far as I understand it, it should be done on the radius server (not on the WLC).
What type of radius server are you using?

M.




@Mark Elsen Right now we are using Aruba ClearPass (NAC) as a Radius server.

 

@mohd-shakir I don't know how to do this in Aruba ClearPass; they have a forum which you could use:
https://airheads.hpe.com/community-home/digestviewer?communitykey=2477474f-de43-4598-a465-c179d41fdd0b

I used a few AI engines and asked the question; I won't give the answers here, because I can't validate them.
Sometimes it's useful to do that to get hints.

M.
                                  




Mark Elsen
Hall of Fame

 

@mohd-shakir Ref: https://academy.socialwifi.com/en/hardware-and-installation/installation-guides/cisco/cisco-wlc/
Check out the second image after Security → AAA → Radius → Authentication → New,
where you can set the Framed Mtu for Radius Authentication Servers.

Not sure if it will work; I also noticed: https://bst.cisco.com/bugsearch/bug/CSCvz64602?rfs=qvred

M.
                                      

 

 

 

 


