Wireless Access

 View Only
last person joined: 2 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

Approaching radius ID exhaustion on Radius server

This thread has been viewed 32 times
  • 1.  Approaching radius ID exhaustion on Radius server

    Posted Feb 15, 2023 05:11 AM

    Hi all,

    I'm facing an issue that clients can't associate with a dot1x SSID because of Authentication timeout.

    There are a lot of dot1x timeout logs on the radius server as well as  "Approaching radius ID exhaustion on radius server socket xx" logs on the MCs

    Radsec is enabled on the Radius server.

    The radius server is working properly with branches (without these logs above). The HQ has more clients than other branches.

    The issue has happened since I upgraded MCs from AOS 8.8.0.3 to AOS 8.10.0.2.

    Does anyone have the same issue? 



    ------------------------------
    Thank you in advance for your help
    ------------------------------


  • 2.  RE: Approaching radius ID exhaustion on Radius server

    EMPLOYEE
    Posted Feb 15, 2023 09:04 AM

    Are you using Radsec?  What is your radius server?



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Approaching radius ID exhaustion on Radius server

    Posted Feb 15, 2023 09:33 PM

    Hi Cjoseph,

    Yes, Radsec is enabled on the radius server. The Radius server is CPPM

    We have 2 MCs working in a cluster, and the authentication server group is load-balance with 2 CPPMs

    The issue has just happened with the headquarter, which has plenty of dot1x clients. There's no issue with the branches at the same time.

    Could you give me some advice?

    Thank you,




  • 4.  RE: Approaching radius ID exhaustion on Radius server

    EMPLOYEE
    Posted Feb 16, 2023 09:49 AM

    I believe this is bug AOS-235160.  It is fixed in 8.10.0.5 https://www.arubanetworks.com/techdocs/ArubaOS/Consolidated_8.x_RN/Content/8.10/05/resolved_8.10.0.5.htm

    "For some RADIUS servers during radsec socket clean up, incorrect handling of free sequence number count is observed in case of radius server timeout resulting in EAP ID exhaustion. The fix ensures that controllers work as expected. This issue was observed in controllers running ArubaOS 8.10.0.0 or later versions."



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Approaching radius ID exhaustion on Radius server

    Posted Mar 14, 2023 06:01 AM

    Hi Cjosepth,

    I upgraded MC to AOS 8.10.0.5, and there is no log "Approaching radius ID exhaustion on server" anymore.

    Thank you so much for your valuable advice.



    ------------------------------
    Thank you for your help
    ------------------------------