Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
146
Views
0
Helpful
5
Replies

Authentication failure due to AAA server unavailability

mohd-shakir
Level 1
Level 1

‎11-18-2025 08:42 AM

Hi Cisco Team,

We are having 5520 series WLC and 3800 series access are adapted with it and 9 access points are installed at the site and using FlexConnect mode.

there are 2 users those are facing the issue with intermittent disconnection issue due to Authentication failure due to AAA server unavailability or EAP method type 13 authentication failed.

Could you please help me on this and give me the possible solution.

Labels:
Preview file
1665 KB
Preview file
3 KB
0 Helpful
5 Replies 5

Mark Elsen
Hall of Fame
Hall of Fame

‎11-18-2025 08:54 AM

 

  - @mohd-shakir    Below you will find the output of Debug logs.txt when parsed with Wireless Debug Analyzer
                               We can see multiple ongoing requests to the radius server.
                               Good chance it could be an EAP fragmentation issue over the tunnel.
                               Look up setting the framed-MTU attribute in NPS and play around with lowering that.
                                           (or similar setting if other radius server brand is being used)

 M.
                                

 

Time Task Translated
Connection attempt #1
Nov 12 11:02:19.471 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:02:19.703 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:02:19.703 *aaaQueueReader Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.709 *radiusTransportThread Radius request with ID 13 sent to 10.128.80.232.
Nov 12 11:02:19.846 *aaaQueueReader Radius request with ID 14 sent to 10.128.80.232.
Nov 12 11:02:19.848 *radiusTransportThread Radius request with ID 14 sent to 10.128.80.232.
Nov 12 11:02:19.977 *aaaQueueReader Radius request with ID 15 sent to 10.128.80.232.
Nov 12 11:02:19.978 *radiusTransportThread Radius request with ID 15 sent to 10.128.80.232.
Nov 12 11:02:20.107 *aaaQueueReader Radius request with ID 16 sent to 10.128.80.232.
Nov 12 11:02:20.108 *radiusTransportThread Radius request with ID 16 sent to 10.128.80.232.
Nov 12 11:02:20.235 *aaaQueueReader Radius request with ID 17 sent to 10.128.80.232.
Nov 12 11:02:20.236 *radiusTransportThread Radius request with ID 17 sent to 10.128.80.232.
Nov 12 11:02:20.360 *aaaQueueReader Radius request with ID 18 sent to 10.128.80.232.
Nov 12 11:02:20.361 *radiusTransportThread Radius request with ID 18 sent to 10.128.80.232.
Nov 12 11:02:20.486 *aaaQueueReader Radius request with ID 19 sent to 10.128.80.232.
Nov 12 11:02:20.487 *radiusTransportThread Radius request with ID 19 sent to 10.128.80.232.
Nov 12 11:02:20.611 *aaaQueueReader Radius request with ID 20 sent to 10.128.80.232.
Nov 12 11:02:20.612 *radiusTransportThread Radius request with ID 20 sent to 10.128.80.232.
Nov 12 11:02:20.745 *aaaQueueReader Radius request with ID 21 sent to 10.128.80.232.
Nov 12 11:02:20.747 *radiusTransportThread Radius request with ID 21 sent to 10.128.80.232.
Nov 12 11:02:20.871 *aaaQueueReader Radius request with ID 22 sent to 10.128.80.232.
Nov 12 11:02:20.873 *radiusTransportThread Radius request with ID 22 sent to 10.128.80.232.
Nov 12 11:02:20.998 *aaaQueueReader Radius request with ID 23 sent to 10.128.80.232.
Nov 12 11:02:21.000 *radiusTransportThread Radius request with ID 23 sent to 10.128.80.232.
Connection attempt #2
Nov 12 11:06:44.030 *apfMsConnTask_7 Client made new Association to AP/BSSID BSSID cc:db:93:11:5a:25 AP RIOAP05
Nov 12 11:06:44.031 *apfMsConnTask_7 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Nov 12 11:06:44.031 *apfMsConnTask_7 The Reassociation Request from the client comes with 0 PMKID
Nov 12 11:06:44.031 *apfMsConnTask_7 Client is entering the 802.1x or PSK Authentication state
Nov 12 11:06:44.031 *apfMsConnTask_7 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Nov 12 11:06:44.177 *Dot1x_NW_MsgTask_1 WLC/AP is sending EAP-Identity-Request to the client
Nov 12 11:06:44.313 *Dot1x_NW_MsgTask_1 Client sent EAP-Identity-Response to WLC/AP
Nov 12 11:06:44.313 *aaaQueueReader Radius request with ID 168 sent to 10.128.80.232.
Nov 12 11:06:44.319 *radiusTransportThread Radius request with ID 168 sent to 10.128.80.232.
Nov 12 11:06:44.450 *aaaQueueReader Radius request with ID 169 sent to 10.128.80.232.
Nov 12 11:06:44.452 *radiusTransportThread Radius request with ID 169 sent to 10.128.80.232.
Nov 12 11:06:44.577 *aaaQueueReader Radius request with ID 170 sent to 10.128.80.232.
Nov 12 11:06:44.579 *radiusTransportThread Radius request with ID 170 sent to 10.128.80.232.
Nov 12 11:06:44.703 *aaaQueueReader Radius request with ID 171 sent to 10.128.80.232.
Nov 12 11:06:44.705 *radiusTransportThread Radius request with ID 171 sent to 10.128.80.232.
Nov 12 11:06:44.830 *aaaQueueReader Radius request with ID 172 sent to 10.128.80.232.
Nov 12 11:06:44.831 *radiusTransportThread Radius request with ID 172 sent to 10.128.80.232.
Nov 12 11:06:44.956 *aaaQueueReader Radius request with ID 173 sent to 10.128.80.232.
Nov 12 11:06:44.957 *radiusTransportThread Radius request with ID 173 sent to 10.128.80.232.
Nov 12 11:06:45.083 *aaaQueueReader Radius request with ID 174 sent to 10.128.80.232.
Nov 12 11:06:45.084 *radiusTransportThread Radius request with ID 174 sent to 10.128.80.232.
Nov 12 11:06:45.208 *aaaQueueReader Radius request with ID 175 sent to 10.128.80.232.
Nov 12 11:06:45.209 *radiusTransportThread Radius request with ID 175 sent to 10.128.80.232.
Nov 12 11:06:45.341 *aaaQueueReader Radius request with ID 176 sent to 10.128.80.232.


-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

mohd-shakir
Level 1
Level 1
In response to Mark Elsen

‎11-18-2025 09:00 AM

@Mark Elsen Could you please help me how to resolve EAP fragmentation issue over the tunnel.?

Could you please share the steps so that I can perform on the WLC.

0 Helpful

Mark Elsen
Hall of Fame
Hall of Fame
In response to mohd-shakir

‎11-18-2025 09:05 AM

 

  - @mohd-shakir            As far as I understand it , it should be done on the radius server  (not on the WLC)
                                       What type of radius server are you using ?

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

mohd-shakir
Level 1
Level 1
In response to Mark Elsen

‎11-18-2025 09:49 AM

@Mark Elsen Right now we are using Aruba ClearPass (NAC) as a Radius server

0 Helpful

Mark Elsen
Hall of Fame
Hall of Fame
In response to mohd-shakir

‎11-18-2025 10:24 AM

 

   - @mohd-shakir      I don't know  how to do this in Aruba Clearpass ; they have a forum which you could use :
                                  https://airheads.hpe.com/community-home/digestviewer?communitykey=2477474f-de43-4598-a465-c179d41fdd0b

                                 I used a few AI engines and asked the question; I won't give the answers  here , because
                                 I can't validate them.
                                                         Sometimes it's useful to do that to get hints ,

   M.
                                  



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card