Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

Authentication server request timed out for RADIUS-AUTH

This thread has been viewed 44 times
  • 1.  Authentication server request timed out for RADIUS-AUTH

    MVP
    Posted Feb 22, 2023 02:13 AM

    I have many such events in Aruba WLCs logs.

    1) Is it critical and even on non-working day e.g. during the weekend I had several in logs...

    2) I've increased default value of "Timeout " under related  "aaa authentication-server radius  <....>", but I also seen similar parameter under "aaa authentication dot1x <.....>"

    Authentication Server Retry Interval                           5 sec
    Authentication Server Retry Count                              3

    Which will take preference "aaa authentication-server radius <....>" or "aaa authentication dot1x <.....>" or 

    "aaa authentication dot1x <.....>" with its settings will trigger "aaa authentication-server radius <....>" with its own settings ?!



  • 2.  RE: Authentication server request timed out for RADIUS-AUTH

    Posted Feb 22, 2023 01:12 PM

    I spent a lot of time troubleshooting this and was even able to capture timeouts in a packet capture.  Aruba TAC just kept saying the client device was not responding to the Clearpass request.  We kept receiving more issues from users.  We are just finishing up resolving the issue today and created a one page word doc that I posted on youtube to hopefully help others out.  Our Event was 9002. 

    https://youtu.be/Hl-mPWRHvWU




  • 3.  RE: Authentication server request timed out for RADIUS-AUTH

    Posted Feb 27, 2023 04:47 AM

    If you see timeouts, that can be a client configuration issue, or an MTU issue between your controller and ClearPass (or even AP and controller). If you have a non-responding backend authentication/authorization server (when using ClearPass, for other RADIUS servers the name may be different), that can also result in timeouts.

    MTU can fragement the RADIUS/EAP packets and result them being dropped. If the client does not trust the RADIUS Server EAP certificate, or does have other issues with the supplicant configuration, this may happen as well.

    What is the authentication you have configured?

    What is the server certificate used?

    Increasing the timeout value will in general not solve your issue. 



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Authentication server request timed out for RADIUS-AUTH

    MVP
    Posted Feb 28, 2023 04:31 AM

    thanks for these points!

    I've checked by pings

    ping ip <RADIUS_IP> df-bit repeat 100 size 1472

    it shows all good (packets reaching related server) but during peak hours high losses due to congested links (during non-peak hours losses absent or just few)

    !!!!!!.!!!!!!.!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!.!!!

    .!!!!!!.!!!.!!!!!!!!!!!!!!!!!!

    Will need to work to add bandwidth ...




  • 5.  RE: Authentication server request timed out for RADIUS-AUTH

    Posted Mar 07, 2023 05:53 AM

    You may consider to prioritize the RADIUS traffic, like you probably have for voice traffic to prevent those packets from being dropped if your link is congested.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Authentication server request timed out for RADIUS-AUTH

    MVP
    Posted Mar 08, 2023 09:02 PM

    yes, I assume such RADIUS traffic is by default with QoS tag 0 (thats what I've observed in traffic capture for RADIUS traffic from old Cisco's 5508 )