
EAP Response frame is not always forwarded to the Radius Server when doing Full Authentications.

RandyRayman
Level 1

We have seen issues with a Cisco 5500 and 2405 WLAN controller, with both older and the latest controller firmware (8.x), not forwarding the first EAP Response frame to the RADIUS server for 802.1X WLAN devices doing full authentications. The first EAP Response frame from the WLAN client is supposed to be forwarded to the RADIUS server, but a Wireshark trace shows that frame is never sent by the WLAN controller. The WLAN controller does ack the first EAP Response frame, but when the problem occurs the EAP Response frame always seems to be a retried packet. I do have all RRM and AP scanning turned off. This is an intermittent issue; it only occurs on devices doing full authentications and does occur on multiple vendors' products. This produces an 18-20 second drop-off until the station recovers by sending an EAP-Start frame, and then it associates properly. Since the first EAP Response frame is never forwarded to the RADIUS server and the EAP Response frame is being ack’d on the retried packet, this seems to be a WLAN controller issue, but I’m looking at all possibilities. Does anyone have any thoughts?

I attached a wireless and wired trace of the issue. See the Readme.txt file in the attachment for specific information.

Thanks in advance.

 

2 Replies

Do you have a packet capture to see this? If so, please attach it.

Rasika

wififofum
Level 4

Hello Randy,

Dusting this thread off - it is a hidden gem ;). Thanks for documenting and analyzing this issue - I am seeing something similar with our patient monitors and 3702 APs on a 5508 controller running 8.10 code. In our case the client's EAP Responses are not acked by the AP, leading to 15-30s communication gaps and eventual EAP Failures and Disassociations from the network, resulting in extended data loss. Did you ever obtain a resolution as to why the EAP packets never reached the RADIUS server? Out of curiosity, what is the OS and supplicant version of the device under test?

Thanks for your past efforts and in advance of additional insight!
