Security

last person joined: 7 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

RADIUS Timeout

This thread has been viewed 39 times

  • 1.  RADIUS Timeout

    Posted May 13, 2013 01:54 PM

    I just put my ClearPass servers in production today for wireless 802.1X and am seeing many "TIMEOUT" messages logged in Access Tracker.  The message logged for each client timeout is "Client did not complete EAP transaction".  Looking at logs for each client, they all seem to hhave similar log details:

     

    2013-05-13 12:10:20,715 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 194:189:0024D6XXXX
    2013-05-13 12:10:20,717 [RequestHandler-1-0x7fc74cf65700 r=auto-19914 h=95 r=R000026ca-07-51911e7c] INFO Core.ServiceReqHandler - Service classification result = Corp Wifi - 802.1X
    2013-05-13 12:10:20,718 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Corp Wifi - 802.1X"
    2013-05-13 12:10:20,718 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_ldap: searching for user Operator in AD:Operator
    2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_ldap: found user Operator in AD:Operator
    2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
    2013-05-13 12:10:20,719 [Th 11 Req 95122 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 194:76:0024D6XXXX:0x007000280046008c92730100622084b7b58cf809960ab8b9dbe4a547
    2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 211:308:0024D6XXXX
    2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate A
    2013-05-13 12:10:20,726 [Th 15 Req 95123 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 211:1112:0024D6XXXX:0x0068000600750083937301003bf443d4c8934a7a5dc7d6e7b325ebca
    2013-05-13 12:10:20,732 [Th 16 Req 95124 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 230:209:0024D6XXXX
    2013-05-13 12:10:20,733 [Th 16 Req 95124 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 230:1108:0024D6XXXX:0x0027001a00ff0030947301009628b2ed3899c191e13a6fb9d3903653
    2013-05-13 12:10:20,739 [Th 19 Req 95125 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 203:209:0024D6XXXX
    2013-05-13 12:10:20,740 [Th 19 Req 95125 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 203:1108:0024D6XXXX:0x00910070006f000895730100a4ecaca3cee41cd0e7f967abf6c17aa4
    2013-05-13 12:10:20,749 [Th 12 Req 95126 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 227:209:0024D6XXXX
    2013-05-13 12:10:20,749 [Th 12 Req 95126 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 227:1108:0024D6XXXX:0x00fe00f400e300b6967301009eaefbf68992822d23c3da044b91e358
    2013-05-13 12:10:20,755 [Th 13 Req 95127 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 244:209:0024D6XXXX
    2013-05-13 12:10:20,755 [Th 13 Req 95127 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 244:303:0024D6XXXX:0x00ec008000280045977301000b659ecfde376dc96aa2329eddcaa5a6
    2013-05-13 12:10:20,764 [Th 18 Req 95128 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Corp Wifi - 802.1X" - 241:541:0024D6XXXX
    2013-05-13 12:10:20,766 [Th 18 Req 95128 SessId R000026ca-07-51911e7c] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 241:135:0024D6XXXX:0x003b00eb000f00919873010036df40fce231f7507c5b8c6f240e08e6
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R000026ca-07-51911e7c, state - 0x003b00eb000f00919873010036df40fce231f7507c5b8c6f240e08e6
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 194:189:76:0024D6XXXX recv 1368465020.715318 - resp 1368465020.719306
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 211:308:1112:0024D6XXXX recv 1368465020.725839 - resp 1368465020.726403
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 230:209:1108:0024D6XXXX recv 1368465020.732677 - resp 1368465020.733125
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 203:209:1108:0024D6XXXX recv 1368465020.739709 - resp 1368465020.740151
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 227:209:1108:0024D6XXXX recv 1368465020.749028 - resp 1368465020.749455
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 244:209:303:0024D6XXXX recv 1368465020.755473 - resp 1368465020.755817
    2013-05-13 12:11:19,646 [main SessId R000026ca-07-51911e7c] ERROR RadiusServer.Radius - reqst_clean_list: Packet 241:541:135:0024D6XXXX recv 1368465020.764214 - resp 1368465020.766123

     

    Anyone familar with this error and know what could be causing it?


    #AP135


  • 2.  RE: RADIUS Timeout
    Best Answer

    EMPLOYEE
    Posted May 13, 2013 03:25 PM

    If you just put in a new radius server and clients have never seen the server certificate, they might be asked to accept the new one.  If they don't manually accept it...it could register as a radius timeout.



  • 3.  RE: RADIUS Timeout

    Posted May 14, 2013 09:15 AM

    The GPO that we use to configure all laptop's wireless settings was not being pushed to all laptops like we thought.  So yes, we ended up with several clients receiving certificate errors when ClearPass was put in place.  We solved the GPO issue yesterday so I'm hoping to see fewer RADIUS timeouts today.  I'll udpate the thread if we continue to have problems.



  • 4.  RE: RADIUS Timeout

    Posted May 14, 2013 10:52 PM

    Not only did we leave some computers out of the GPO update, but we've had quite a few laptops that weren't getting GPO updates.  We waited about a week and a half after deploying the GPO to put CP into production, so it's a bit surprising to find out how many machines were not updated in that amount of time.  Oh well, problem identified.

     

    We also found that several employees have attempted to connect their personal device (typically iphone or ipad) at one time or another to our corporate SSID. Since we enforce machine auth, the employees can't get on the network.  Regardless, idevices like to remember the connection details and attempt to authenticate over-and-over throughout the day.  I was able to seek out these employees, let them know their devices won't work on our corporate SSID, and then show them how to "forget" the network in their wifi settings so the device stops trying to connect.

     

    Case closed.  Thanks for the assist, Colin.



  • 5.  RE: RADIUS Timeout

    Posted Jun 27, 2013 11:05 PM

    Hi.

     

    Out company using a LG Electronic laptops and we also have same problem. That new GPO will solve our problem also?

     



  • 6.  RE: RADIUS Timeout

    EMPLOYEE
    Posted Jun 27, 2013 11:13 PM
    @paulkim111 wrote:

    Hi.

     

    Out company using a LG Electronic laptops and we also have same problem. That new GPO will solve our problem also?

     

    In the specific situation above, the server certificate on the radius server was switched and the clients did not respond to the request to accept the new server certificate.  If that matches your situation, then that is your problem.  If that is NOT your situation, please open a case with support to determine why you are having radius timeouts.

     



  • 7.  RE: RADIUS Timeout

    Posted May 14, 2013 04:29 AM

    I got the same error when the CPPM could not connect to the AD because of network issues (the DNS server could not resolve the hostname of the AD in this particular case).



  • 8.  RE: RADIUS Timeout

    EMPLOYEE
    Posted May 14, 2013 06:00 AM
    Thecompnerd,

    Please open a support case regarding this error and your specific circumstances surrounding it. That is your best chance of understanding what is going on here.

    Please also observe the specific client when this is happening and the auth-tracebuf output on the Aruba controller to see the radius packet tracing.