Cisco WLC 2504: how to see EAP timeout / retry counts

Sam Brynes
Level 1

I'm troubleshooting an issue where a MacBook client suddenly loses all connectivity even though the Wi-Fi icon shows it's still connected.

An Omnipeek capture still shows 802.11 frames between the MacBook and the AP during the period of the connectivity loss. I suspect that the connection fails after an 802.1X timeout re-auth "event", because if I disable the session timeout on the WLAN, the problem goes away, but I still need to get some proof. When I have the session timeout enabled, the connectivity drops, the client waits another re-auth period and the connectivity comes back. I have SKC on the WLAN disabled (not sure if that means that PKC / OKC is also disabled or not).

I was thinking that maybe the issue is occurring because the EAP parameters might need to be fine-tuned. I see the following EAP parameters in the WLAN settings under Security > AAA Servers:

EAPOL Key timeout
EAPOL Key Retries
Identity Request Timeout
Identity Request Retries
Request Timeout
Request Retries

Is there a Cisco WLC show command to see counters for how often each of these EAP timeouts and retries has happened? I did a debug client command, but I haven't seen any dot1x EAP timeouts or retry messages (yet).

Accepted Solutions

Sam Brynes
Level 1

I just wanted to report back with the answer:

show ap stats wlan <AP-Name>

This will show you per-AP and per-WLAN statistics:

(Cisco Controller) >show ap stats wlan APXXXX.XXXX.XXXX

WLAN 1
EAP Id Request Msg Timeouts................... 0
EAP Id Request Msg Timeouts Failures.......... 0
EAP Request Msg Timeouts...................... 0
EAP Request Msg Timeouts Failures............. 0
EAP Key Msg Timeouts.......................... 0
EAP Key Msg Timeouts Failures................. 0

(Cisco Controller) >

To clear the EAP retry statistics:

clear stats ap wlan <AP-Name>
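
Added example, not part of the original post: one way to turn the `show ap stats wlan` output above into evidence is to save the output before and after a connectivity drop and compare the counters. The function names and the counter values in the sample are constructed for illustration; the layout follows the output shown in the post.

```python
import re

# Constructed sample in the layout shown above; the counter values are made up.
SAMPLE = """\
(Cisco Controller) >show ap stats wlan APXXXX.XXXX.XXXX

WLAN 1
EAP Id Request Msg Timeouts................... {0}
EAP Id Request Msg Timeouts Failures.......... {1}
EAP Request Msg Timeouts...................... {2}
EAP Request Msg Timeouts Failures............. {3}
EAP Key Msg Timeouts.......................... {4}
EAP Key Msg Timeouts Failures................. {5}
"""
BEFORE = SAMPLE.format(0, 0, 2, 0, 5, 1)  # snapshot while the client works
AFTER = SAMPLE.format(0, 0, 2, 0, 9, 3)   # snapshot after a connectivity drop

WLAN_RE = re.compile(r"^WLAN\s+(\d+)$")
COUNTER_RE = re.compile(r"^(EAP .+?)\.{2,}\s*(\d+)$")

def parse_ap_wlan_stats(text):
    """Return {wlan_id: {counter_name: value}} from saved CLI output."""
    stats, wlan = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = WLAN_RE.match(line)
        if m:
            wlan = int(m.group(1))
            stats[wlan] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and wlan is not None:  # ignore prompts and lines outside a WLAN block
            stats[wlan][m.group(1)] = int(m.group(2))
    return stats

def counter_deltas(before, after):
    """Return {(wlan_id, counter_name): increase} for counters that grew."""
    deltas = {}
    for wlan, counters in after.items():
        for name, value in counters.items():
            old = before.get(wlan, {}).get(name, 0)
            if value < old:  # stats were cleared in between: count from zero
                old = 0
            if value > old:
                deltas[(wlan, name)] = value - old
    return deltas

if __name__ == "__main__":
    grown = counter_deltas(parse_ap_wlan_stats(BEFORE), parse_ap_wlan_stats(AFTER))
    for (wlan, name), inc in sorted(grown.items()):
        print(f"WLAN {wlan}: {name} +{inc}")
```

Recording the time of each snapshot alongside the saved output lets the counter increases be lined up with the session timeout interval and the packet capture.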

6 Replies

Leo Laohoo
Hall of Fame
sh advanced eap

Hi Leo,

Thanks for your response. I think the values listed under the command are the EAP parameter default values, and not the actual EAP statistics, correct?

(Cisco Controller) show>advanced eap


EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600

(Cisco Controller) show>

Only when using Local EAP authentication, there are related statistics.

(wireless-vwlc-2) >show local-auth statistics

Local EAP authentication DB statistics:
Requests received ............................... 0
Responses returned .............................. 0
Requests dropped (no EAP AVP) ................... 0
Requests dropped (other reasons) ................ 0
Authentication timeouts ......................... 0
Request reject (max active EAP context reache.... 0
EAP abort ....................................... 0
EAP delete ...................................... 0
Number of Active EAP context..................... 0

Authentication statistics:
Method Success Fail
------------------------------------
Unknown 0 0
LEAP 0 0
EAP-FAST 0 0
EAP-TLS 0 0
PEAP 0 0

Local EAP credential request statistics:

--More-- or (q)uit
Requests sent to LDAP DB ........................ 0
Requests sent to File DB ........................ 0
Requests failed (unable to send) ................ 0
Authentication results received:
Success ....................................... 0
Fail .......................................... 0

Certificate operations:
Local device certificate load failures .......... 0
Total peer certificates checked ................. 0
Failures:
CA issuer check ............................... 0
CN name not equal to identity ................. 0
Dates not valid or expired .................... 0

ammahend
VIP

Some additional basic checks, which you might know already:

The default RADIUS server timeout is 2 sec; increase it to 5-10 seconds.

Make sure the session timeout is set up right.

If your DCA algorithm is set to the default interval, which is 10 minutes, and your 802.1X SSID does not have key caching enabled, then every channel reassignment will cause all clients to disconnect and re-authenticate, so set the DCA algorithm timer high enough.

-hope this helps-

Hi ammahend,

Thanks for the suggestion! I'll try that out.
