Security

Reply
MVP
Posts: 1,110
Registered: ‎10-11-2011

RADIUS Timeout

I just put my ClearPass servers in production today for wireless 802.1X and am seeing many "TIMEOUT" messages logged in Access Tracker.  The message logged for each client timeout is "Client did not complete EAP transaction".  Looking at logs for each client, they all seem to hhave similar log details:

 

2013-05-13 12:10:20,715 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 194:189:0024D6XXXX
2013-05-13 12:10:20,717 [RequestHandler-1-0x7fc74cf65700 r=auto-19914 h=95 r=R000026ca-07-51911e7c] INFO Core.ServiceReqHandler - Service classification result = Corp Wifi - 802.1X
2013-05-13 12:10:20,718 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Corp Wifi - 802.1X"
2013-05-13 12:10:20,718 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_ldap: searching for user Operator in AD:Operator
2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_ldap: found user Operator in AD:Operator
2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 194:76:0024D6XXXX:0x007000280046008c92730100622084b7b58cf809960ab8b9dbe4a547
2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 211:308:0024D6XXXX
2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 211:1112:0024D6XXXX:0x0068000600750083937301003bf443d4c8934a7a5dc7d6e7b325ebca
2013-05-13 12:10:20,732 [Th 16 Req 95124 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 230:209:0024D6XXXX
2013-05-13 12:10:20,733 [Th 16 Req 95124 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 230:1108:0024D6XXXX:0x0027001a00ff0030947301009628b2ed3899c191e13a6fb9d3903653
2013-05-13 12:10:20,739 [Th 19 Req 95125 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 203:209:0024D6XXXX
2013-05-13 12:10:20,740 [Th 19 Req 95125 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 203:1108:0024D6XXXX:0x00910070006f000895730100a4ecaca3cee41cd0e7f967abf6c17aa4
2013-05-13 12:10:20,749 [Th 12 Req 95126 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 227:209:0024D6XXXX
2013-05-13 12:10:20,749 [Th 12 Req 95126 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 227:1108:0024D6XXXX:0x00fe00f400e300b6967301009eaefbf68992822d23c3da044b91e358
2013-05-13 12:10:20,755 [Th 13 Req 95127 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 244:209:0024D6XXXX
2013-05-13 12:10:20,755 [Th 13 Req 95127 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 244:303:0024D6XXXX:0x00ec008000280045977301000b659ecfde376dc96aa2329eddcaa5a6
2013-05-13 12:10:20,764 [Th 18 Req 95128 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 241:541:0024D6XXXX
2013-05-13 12:10:20,766 [Th 18 Req 95128 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 241:135:0024D6XXXX:0x003b00eb000f00919873010036df40fce231f7507c5b8c6f240e08e6
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R000026ca-07-51911e7c, state - 0x003b00eb000f00919873010036df40fce231f7507c5b8c6f240e08e6
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 194:189:76:0024D6XXXX recv 1368465020.715318 - resp 1368465020.719306
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 211:308:1112:0024D6XXXX recv 1368465020.725839 - resp 1368465020.726403
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 230:209:1108:0024D6XXXX recv 1368465020.732677 - resp 1368465020.733125
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 203:209:1108:0024D6XXXX recv 1368465020.739709 - resp 1368465020.740151
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 227:209:1108:0024D6XXXX recv 1368465020.749028 - resp 1368465020.749455
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 244:209:303:0024D6XXXX recv 1368465020.755473 - resp 1368465020.755817
2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 241:541:135:0024D6XXXX recv 1368465020.764214 - resp 1368465020.766123

 

Anyone familar with this error and know what could be causing it?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,576
Registered: ‎03-29-2007

Re: RADIUS Timeout

If you just put in a new radius server and clients have never seen the server certificate, they might be asked to accept the new one.  If they don't manually accept it...it could register as a radius timeout.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: RADIUS Timeout

I got the same error when the CPPM could not connect to the AD because of network issues (the DNS server could not resolve the hostname of the AD in this particular case).

Guru Elite
Posts: 20,576
Registered: ‎03-29-2007

Re: RADIUS Timeout

Thecompnerd,

Please open a support case regarding this error and your specific circumstances surrounding it. That is your best chance of understanding what is going on here.

Please also observe the specific client when this is happening and the auth-tracebuf output on the Aruba controller to see the radius packet tracing.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: RADIUS Timeout

The GPO that we use to configure all laptop's wireless settings was not being pushed to all laptops like we thought.  So yes, we ended up with several clients receiving certificate errors when ClearPass was put in place.  We solved the GPO issue yesterday so I'm hoping to see fewer RADIUS timeouts today.  I'll udpate the thread if we continue to have problems.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: RADIUS Timeout

Not only did we leave some computers out of the GPO update, but we've had quite a few laptops that weren't getting GPO updates.  We waited about a week and a half after deploying the GPO to put CP into production, so it's a bit surprising to find out how many machines were not updated in that amount of time.  Oh well, problem identified.

 

We also found that several employees have attempted to connect their personal device (typically iphone or ipad) at one time or another to our corporate SSID. Since we enforce machine auth, the employees can't get on the network.  Regardless, idevices like to remember the connection details and attempt to authenticate over-and-over throughout the day.  I was able to seek out these employees, let them know their devices won't work on our corporate SSID, and then show them how to "forget" the network in their wifi settings so the device stops trying to connect.

 

Case closed.  Thanks for the assist, Colin.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
New Contributor
Posts: 3
Registered: ‎06-27-2013

Re: RADIUS Timeout

Hi.

 

Out company using a LG Electronic laptops and we also have same problem. That new GPO will solve our problem also?

 

Guru Elite
Posts: 20,576
Registered: ‎03-29-2007

Re: RADIUS Timeout


paulkim111 wrote:

Hi.

 

Out company using a LG Electronic laptops and we also have same problem. That new GPO will solve our problem also?

 


In the specific situation above, the server certificate on the radius server was switched and the clients did not respond to the request to accept the new server certificate.  If that matches your situation, then that is your problem.  If that is NOT your situation, please open a case with support to determine why you are having radius timeouts.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: