on 03-26-2015 08:37 AM
If no traffic is seen from the client in the “idle-timeout” interval (e.g., 5 minutes or whatever), the controller will attempt to ping the client. If still no traffic is observed, then the “auth” process will remove it from the user-table.
Get a client that has been experiencing the disconnect, and observe the “show datapath session table ” for that client. See if any traffic is coming in for it. Also, issue “configure terminal logging level debugging user-debug ” and then “show log user-debug all | include ” to see why the client is being disconnected.
All that assumes idle-timeout is at play. If it’s RF/802.11 related, you can look at “show ap remote debug mgmt-frames ap-name ” to see all the management frames from that AP to which the client is connected.
Then, there’s always opening a TAC case . . .
- Ryan -
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
on 03-26-2015 09:02 AM
Thank you for your time. I checked my timers and my idle timer is the default 5 min. So after 5 minutes, if the controller cannot ping the user because the client either turned off the device or left the area, then the controller will remove the user from the table, and if the user comes back or reopens the laptop it needs to reauthenticate. Am I correct?
show aaa timers
Global User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds
show auth-trace showed the user EAP is successful and the Radius is accepting the req:
Mar 26 10:51:01 eap-req <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 107
Mar 26 10:51:01 eap-resp -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 43
Mar 26 10:51:01 rad-req -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 254
Mar 26 10:51:01 rad-accept <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 305
Mar 26 10:51:01 eap-success <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 4
Mar 26 10:51:01 wpa2-key1 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key2 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key3 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 151
Mar 26 10:51:01 wpa2-key4 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 95
Now in the logs I can see the testing with my laptop trying to replicate the issue so I can better understand where to look. I can see my computer was authenticated successfully:
Mar 26 10:48:38 :522038: <INFO> |authmgr| username=NSU\nils MAC=b8:e8:56:10:9c:c2 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
Mar 26 10:48:38 :522044: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2 Station authenticate(start): method=802.1x, role=preauth///preauth, VLAN=1248/1248, Derivation=10/0, Value Pair=1, flags=0x8
Mar 26 10:48:38 :522049: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User role updated, existing Role=preauth/none, new Role=ENET/none, reason=Station Authenticated with auth type: 4
Mar 26 10:48:38 :522050: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User data downloaded to datapath, new Role=ENET/139, bw Contract=0/0, reason=Download driven by user role settin
Now, from the client connection, the timer does not change, so the client computer believes it is still connected, but I think the controller is removing the client from the table.
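
Added example, not part of either post above: a small Python check that reads auth-trace lines like those quoted in the thread and reports, per client MAC, whether the latest 802.1X authentication went on to complete all four WPA2 key messages. The field layout is inferred from the quoted lines, the function names are hypothetical, and the second station (02:00:00:00:00:01) is constructed sample data.

```python
import re

# Steps the trace in the thread shows once authentication succeeds, in order.
EXPECTED = ["eap-success", "wpa2-key1", "wpa2-key2", "wpa2-key3", "wpa2-key4"]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Layout inferred from the quoted lines: timestamp, event, direction, station MAC, BSSID.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<event>[\w-]+)\s+(?:<-|->)\s+"
    r"(?P<sta>" + MAC + r")\s+(?P<bssid>" + MAC + r")",
    re.IGNORECASE,
)

def parse(trace):
    """Yield (timestamp, event, station MAC) for every recognisable line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["event"].lower(), m["sta"].lower()

def handshake_status(trace):
    """Map each station MAC to 'complete' or the first step it never reached."""
    progress = {}
    for _ts, event, sta in parse(trace):
        step = progress.get(sta, 0)
        if event == "eap-success":
            step = 1  # a fresh authentication restarts the key exchange
        elif step < len(EXPECTED) and event == EXPECTED[step]:
            step += 1
        progress[sta] = step
    return {sta: "complete" if s == len(EXPECTED) else "stopped before " + EXPECTED[s]
            for sta, s in progress.items()}

# First nine lines are the trace quoted in the thread; the last two are constructed.
SAMPLE = """
Mar 26 10:51:01 eap-req <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 107
Mar 26 10:51:01 eap-resp -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 43
Mar 26 10:51:01 rad-req -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 254
Mar 26 10:51:01 rad-accept <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 305
Mar 26 10:51:01 eap-success <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 4
Mar 26 10:51:01 wpa2-key1 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key2 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key3 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 151
Mar 26 10:51:01 wpa2-key4 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 95
Mar 26 10:52:10 eap-success <- 02:00:00:00:00:01 9c:1c:12:82:3a:91 7 4
Mar 26 10:52:10 wpa2-key1 <- 02:00:00:00:00:01 9c:1c:12:82:3a:91 - 117
"""

if __name__ == "__main__":
    for sta, status in handshake_status(SAMPLE).items():
        print(sta, status)
```

A station reported as complete here but missing from the user table later points away from the handshake and toward the idle-timeout removal discussed in the thread.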