Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dot1x wired Client did not complete EAP transaction

  • 1.  dot1x wired Client did not complete EAP transaction

    Posted Jun 21, 2018 10:10 AM

    We have been piloting CP for wired access, and currently have only about a dozen users connected to a dot1x-configured switch.  90% of the time, everything works well, but every now and again, a user calls to say they have lost connectivity.

     

    Looking at the logs, there are timeouts, with the error "Client did not complete EAP transaction".  If they log out and back in, they are fine.  If I filter the logs for this user, you can see that every 3 hours an authentication takes place, and then the odd timeout, causing the issue.

     

    I'm assuming this timeout is perhaps due to a delay between the client and a response from the authentication server?  Is there a way to extend this timeout period?  Is this 3 hours a default behaviour, or setting?

     

    Any other suggestions?  I can't imagine what this would be like if we rolled this out to 10k users!



  • 2.  RE: dot1x wired Client did not complete EAP transaction

    EMPLOYEE
    Posted Jun 21, 2018 10:38 AM

    What is the switch model and software version you are using?

     

    You may also consider playing with tx-period and supplicant-timeout in the below commands.

    aaa port-access authenticator 2 tx-period 10      //EAP Request-Identity waiting period (seconds)
    aaa port-access authenticator 2 supplicant-timeout 10       //supplicant timeout period (seconds)

     

    Regards,

    Kapil

     

     



  • 3.  RE: dot1x wired Client did not complete EAP transaction

    EMPLOYEE
    Posted Jun 21, 2018 04:34 PM

    Hi

     

    If you followed the ClearPass wired policy enforcement guide (below) then the 3 hours is the session timeout used. Normally this should not be an issue. Please set all the config as in the guide > http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161

     

    Hope it helps
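
To check whether the timeouts described in this thread line up with the 3-hour session-timeout reauthentication or happen at other times, the authentication records can be classified per user. This is an added example, not code from the thread or from ClearPass; the CSV column names, the `ACCEPT`/`TIMEOUT` labels and the sample rows are constructed assumptions, and only the 3-hour interval comes from the posts above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; the columns and result labels are assumptions,
# not a real ClearPass export format.
SAMPLE = """timestamp,username,result
2018-06-21 00:05:10,alice,ACCEPT
2018-06-21 03:05:12,alice,ACCEPT
2018-06-21 06:05:15,alice,TIMEOUT
2018-06-21 06:40:02,alice,ACCEPT
2018-06-21 09:40:03,alice,ACCEPT
2018-06-21 01:00:00,bob,ACCEPT
2018-06-21 04:00:01,bob,ACCEPT
2018-06-21 07:00:03,bob,ACCEPT
"""

def load(text):
    """Group records by user, sorted by time."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        per_user[row["username"]].append((ts, row["result"]))
    for events in per_user.values():
        events.sort()
    return per_user

def analyze(events, session_timeout=timedelta(hours=3), slack=timedelta(minutes=2)):
    """Count timeouts that fall one session-timeout after the last accept."""
    report = {"accepts": 0, "timeouts_at_reauth": 0, "timeouts_other": 0}
    last_accept = None
    for ts, result in events:
        if result == "ACCEPT":
            report["accepts"] += 1
            last_accept = ts
        elif result == "TIMEOUT":
            on_schedule = (last_accept is not None
                           and abs((ts - last_accept) - session_timeout) <= slack)
            report["timeouts_at_reauth" if on_schedule else "timeouts_other"] += 1
    return report

def summarize(text):
    return {user: analyze(events) for user, events in load(text).items()}

if __name__ == "__main__":
    for user, report in summarize(SAMPLE).items():
        print(user, report)
```

Timeouts counted under `timeouts_at_reauth` point at the periodic reauthentication exchange itself, while `timeouts_other` suggests link or supplicant events unrelated to the session timeout.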