Re: 802.1X Age time

Look at your timers: “show aaa timers” and see if idle-timeout correlates with when they are disconnected.
If no traffic is seen from the client in the “idle-timeout” interval (e.g., 5 minutes or whatever), the controller will attempt to ping the client. If still no traffic is observed, then the “auth” process will remove it from the user-table.

Get a client that has been experiencing the disconnect, and observe the “show datapath session table ” for that client. See if any traffic is coming in for it. Also, issue “configure terminal logging level debugging user-debug ” and then “show log user-debug all | include ” to see why client is being disconnected.

All that assumes idle-timeout is at play. If it’s RF/802.11 related, you can look at “show ap remote debug mgmt-frames ap-name ” to see all the management frames from that AP to which the client is connected.

Then, there’s always opening a TAC case . . .

- Ryan -
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: 802.1X Age time



Thank you for your time. I checked my timers and my idle timer is the default 5 min. So after 5 minutes, if the controller cannot ping the user because the client either turned off the device or left the area, then the controller will remove the user from the table, and if the user comes back or reopens the laptop it needs to reauthenticate. Am I correct?


show aaa timers

Global User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds


show auth-trace showed the user EAP is successful and the Radius is accepting the req:


Mar 26 10:51:01 eap-req <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 107
Mar 26 10:51:01 eap-resp -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 43
Mar 26 10:51:01 rad-req -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 254
Mar 26 10:51:01 rad-accept <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 305
Mar 26 10:51:01 eap-success <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 4
Mar 26 10:51:01 wpa2-key1 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key2 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
Mar 26 10:51:01 wpa2-key3 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 151
Mar 26 10:51:01 wpa2-key4 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 95


Now in the logs I can see the testing with my laptop, trying to replicate the issue so I can better understand where to look. I can see my computer was auth successfully


Mar 26 10:48:38 :522038: <INFO> |authmgr| username=NSU\nils MAC=b8:e8:56:10:9c:c2 IP= Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
Mar 26 10:48:38 :522044: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2 Station authenticate(start): method=802.1x, role=preauth///preauth, VLAN=1248/1248, Derivation=10/0, Value Pair=1, flags=0x8
Mar 26 10:48:38 :522049: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User role updated, existing Role=preauth/none, new Role=ENET/none, reason=Station Authenticated with auth type: 4
Mar 26 10:48:38 :522050: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User data downloaded to datapath, new Role=ENET/139, bw Contract=0/0, reason=Download driven by user role settin


Now from the client connection the timer does not change, so the client computer believes it is still connected, but the controller, I think, is removing the client from the table.


Thank you
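
Added example (not part of either post and not Aruba code): a Python sketch of the correlation suggested in the first reply, comparing the gap between a client's successive successful 802.1X authentications with the idle timeout from “show aaa timers”. The log lines are constructed in the format shown above, and the rule that a re-authentication sooner than the idle timeout cannot be idle ageing is an assumption drawn from the behaviour described in this thread.

```python
import re
from datetime import datetime

# Constructed sample input. Line formats follow the output quoted in the thread;
# the timestamps of the second and third events are invented for illustration.
AAA_TIMERS = "Global User idle timeout = 300 seconds"
AUTHMGR_LOG = r"""
Mar 26 10:48:38 :522038: <INFO> |authmgr| username=NSU\nils MAC=b8:e8:56:10:9c:c2 IP= Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
Mar 26 10:50:10 :522038: <INFO> |authmgr| username=NSU\nils MAC=b8:e8:56:10:9c:c2 IP= Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
Mar 26 10:58:45 :522038: <INFO> |authmgr| username=NSU\nils MAC=b8:e8:56:10:9c:c2 IP= Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
"""

# Message ID 522038 is the "Authentication result" line seen in the thread.
AUTH_OK = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) :522038: .*\bMAC=([0-9a-fA-F:]{17}) .*Authentication Successful")

def idle_timeout_seconds(timers_output):
    """Extract the global idle timeout from 'show aaa timers' output."""
    m = re.search(r"Global User idle timeout = (\d+) seconds", timers_output)
    if not m:
        raise ValueError("idle timeout not found in 'show aaa timers' output")
    return int(m.group(1))

def auth_times(log, year=2000):
    """Map MAC -> sorted successful-authentication times (the log has no year, so one is assumed)."""
    events = {}
    for line in log.splitlines():
        m = AUTH_OK.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.setdefault(m.group(2).lower(), []).append(ts)
    return {mac: sorted(times) for mac, times in events.items()}

def classify_reauths(log, timers_output):
    """Return (mac, gap_seconds, verdict) for each consecutive pair of authentications."""
    idle = idle_timeout_seconds(timers_output)
    rows = []
    for mac, times in auth_times(log).items():
        for prev, cur in zip(times, times[1:]):
            gap = int((cur - prev).total_seconds())
            # Idle ageing needs at least `idle` seconds of silence after the last traffic.
            verdict = "idle-timeout possible" if gap >= idle else "too soon for idle-timeout"
            rows.append((mac, gap, verdict))
    return rows

if __name__ == "__main__":
    for mac, gap, verdict in classify_reauths(AUTHMGR_LOG, AAA_TIMERS):
        print(f"{mac} re-authenticated after {gap:4d}s: {verdict}")
```

Gaps marked “too soon for idle-timeout” point toward the RF/802.11 checks mentioned in the first reply; gaps at or above the timeout still need the user-debug log to confirm the removal reason.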

