08-03-2019 01:30 PM - edited 07-05-2021 10:48 AM
I'm troubleshooting an issue where a MacBook client loses all connectivity suddenly even though the Wi-Fi icon shows it's still connected.
An Omnipeek capture still shows 802.11 frames between the MacBook and the AP during the period of the connectivity loss. I suspect that the connection fails after an 802.1x timeout re-auth "event" because if I disable the session timeout on the WLAN, the problem goes away, but I still need to get some proof. When I have the session timeout enabled, the connectivity drops, the client waits another re-auth period and the connectivity comes back. I have SKC on the WLAN disabled (not sure if that means that PKC / OKC is also disabled or not).
I was thinking that maybe the issue is occurring because the EAP parameters might need to be fine-tuned. I see the following EAP Parameters in the WLAN settings under Security > AAA Servers:
EAPOL Key timeout
EAPOL Key Retries
Identity Request Timeout
Identity Request Retries
Request Timeout
Request Retries
Is there a Cisco WLC show command to see counters for how often each of these EAP timeouts and retries have happened? I did a debug client command, but I haven't seen any dot1x EAP timeouts or retry messages (yet).
08-16-2019 02:39 PM
I just wanted to report back with the answer:
show ap stats wlan <AP-Name>
This will show you per-AP and per-WLAN statistics:
(Cisco Controller) >show ap stats wlan APXXXX.XXXX.XXXX
WLAN 1
EAP Id Request Msg Timeouts................... 0
EAP Id Request Msg Timeouts Failures.......... 0
EAP Request Msg Timeouts...................... 0
EAP Request Msg Timeouts Failures............. 0
EAP Key Msg Timeouts.......................... 0
EAP Key Msg Timeouts Failures................. 0
(Cisco Controller) >
To clear the EAP retry statistics:
clear stats ap wlan <AP-Name>
08-03-2019 05:46 PM
08-04-2019 12:36 AM
Hi Leo,
Thanks for your response. I think the values listed under the command are the EAP parameter default values, and not the actual EAP statistics, correct?
(Cisco Controller) show>advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
(Cisco Controller) show>
08-04-2019 01:27 AM
There are related statistics only when using Local EAP authentication.
(wireless-vwlc-2) >show local-auth statistics
Local EAP authentication DB statistics:
Requests received ............................... 0
Responses returned .............................. 0
Requests dropped (no EAP AVP) ................... 0
Requests dropped (other reasons) ................ 0
Authentication timeouts ......................... 0
Request reject (max active EAP context reache.... 0
EAP abort ....................................... 0
EAP delete ...................................... 0
Number of Active EAP context..................... 0
Authentication statistics:
Method          Success         Fail
------------------------------------
Unknown               0            0
LEAP                  0            0
EAP-FAST              0            0
EAP-TLS               0            0
PEAP                  0            0
Local EAP credential request statistics:
--More-- or (q)uit
Requests sent to LDAP DB ........................ 0
Requests sent to File DB ........................ 0
Requests failed (unable to send) ................ 0
Authentication results received:
  Success ....................................... 0
  Fail .......................................... 0
Certificate operations:
Local device certificate load failures .......... 0
Total peer certificates checked ................. 0
Failures:
  CA issuer check ............................... 0
  CN name not equal to identity ................. 0
  Dates not valid or expired .................... 0
08-18-2019 07:52 PM
Some additional basic checks, which you might know already:
The default RADIUS server timeout is 2 sec; increase it to 5-10 seconds.
Make sure the session timeout is set up right.
If your DCA algorithm is set to the default interval, which is 10 minutes, and your 802.1x SSID does not have key caching enabled, then every channel reassignment will cause all clients to disconnect and re-authenticate, so set the DCA algorithm timer high enough.
08-18-2019 10:05 PM
Hi ammahend,
Thanks for the suggestion! I'll try that out.