Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Authentication server request timed out

  • 1.  Authentication server request timed out

    Posted Apr 03, 2012 03:53 PM

    In Airwaves, it shows a lot of "Authentication server request timed out" issues, for multiple controllers attempting to authenticate wireless users.  The RADIUS server is Windows NPS.  I would assume the issue is with NPS, but I don't see anything logged in RADIUS to indicate an issue.  The RADIUS server itself seems to be online and not having any issues.  Has anyone else seen this before?

     

    We're on OS v5.



  • 2.  RE: Authentication server request timed out

    Posted Apr 04, 2012 02:29 AM

    We've been experiencing similar issues.  We're running 6.1.2.4 and authenticating to a 2003 IAS Server via a 2003 IAS proxy server.

    When we looked at the IAS Server we saw season time-outs, so I've redirected the request to a less busy server and it's helped a lot, but we still get them every now and again.



  • 3.  RE: Authentication server request timed out

    EMPLOYEE
    Posted Apr 04, 2012 05:09 AM

    How many simultaneous users do you have possibly hitting that RADIUS server?

    It would indicate that the server is missing some requests, so it could be overloaded.  By default, the controller will try three times before indicating that a server did not respond.  You could try increasing the Timeout Parameter on the RADIUS server, to see if giving the server more time results in fewer Authentication server request timeouts.  You probably do not want to increase the Retransmits number on the RADIUS server, because that may end up increasing the utilization on the server.  You could also ensure that the RADIUS server is doing as little as possible and make sure that other programs and things that increase CPU utilization, like screensavers, are turned off.



  • 4.  RE: Authentication server request timed out

    Posted Apr 04, 2012 05:54 PM

    @cjoseph wrote:

    How many simultaneous users do you have possibly hitting that RADIUS server?

    It would indicate that the server is missing some requests, so it could be overloaded.  By default, the controller will try three times before indicating that a server did not respond.  You could try increasing the Timeout Parameter on the RADIUS server, to see if giving the server more time results in fewer Authentication server request timeouts.  You probably do not want to increase the Retransmits number on the RADIUS server, because that may end up increasing the utilization on the server.  You could also ensure that the RADIUS server is doing as little as possible and make sure that other programs and things that increase CPU utilization, like screensavers, are turned off.



    Only a couple hundred users.

    I'm trying to understand the relationship between timeout and retransmits.  If retransmits are set to '3' and timeout is set to '5', does that mean that there will be 3 attempts, each attempt timing out after 5 seconds?  If so, that would indicate that I'm not receiving a response after 15 seconds.



  • 5.  RE: Authentication server request timed out

    EMPLOYEE
    Posted Apr 05, 2012 01:14 AM

    correct



  • 6.  RE: Authentication server request timed out
    Best Answer

    Posted Apr 06, 2012 09:53 PM

    After a packet capture on our RADIUS server and examining its log files, I was able to figure out the problem.

     

    The issue is with Windows NPS.  It's not sending an "access-reject" packet back to the controller when the "access-request" packet contains incorrect credentials.  Since the controller doesn't receive a response, it suspects that the RADIUS server is unavailable.  MS has listed a hotfix for it: http://support.microsoft.com/kb/979137
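
The check described in the post above (finding Access-Requests that never get an Access-Accept, Access-Reject or Access-Challenge back) can be automated over a capture. This is an added example, not part of the original thread; it assumes the capture has already been reduced to (time, src, dst, UDP payload) tuples, and the addresses, ports and packets in the sample are constructed.

```python
import struct

ACCESS_REQUEST, REPLIES = 1, {2, 3, 11}   # Accept, Reject, Challenge (RFC 2865)

def parse_header(payload):
    """Return (code, identifier, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS length field")
    return code, ident, payload[4:20]

def unanswered_requests(packets):
    """Return one dict per Access-Request that never received a reply."""
    pending, lost = {}, []
    for ts, src, dst, payload in sorted(packets, key=lambda p: p[0]):
        try:
            code, ident, auth = parse_header(payload)
        except ValueError:
            continue                      # not RADIUS, or truncated capture
        if code == ACCESS_REQUEST:
            key = (src, dst, ident)
            entry = pending.get(key)
            if entry and entry["auth"] == auth:
                entry["sends"] += 1       # retransmission: same ID and authenticator
                entry["last"] = ts
                continue
            if entry:
                lost.append(entry)        # ID reused while the old request was open
            pending[key] = {"client": src, "server": dst, "id": ident,
                            "auth": auth, "sends": 1, "first": ts, "last": ts}
        elif code in REPLIES:
            pending.pop((dst, src, ident), None)   # reply travels server -> client
    return sorted(lost + list(pending.values()), key=lambda e: e["first"])

def make_pkt(code, ident, auth):
    # Header-only RADIUS packet, used only to build the constructed sample.
    return struct.pack("!BBH", code, ident, 20) + auth

# Constructed sample (not from the thread): controller 10.0.0.5, NPS 10.0.0.20.
CTRL, NPS = "10.0.0.5:49152", "10.0.0.20:1812"
SAMPLE = [
    (0.0, CTRL, NPS, make_pkt(1, 7, b"A" * 16)),    # request that is answered
    (0.1, NPS, CTRL, make_pkt(2, 7, b"R" * 16)),    # Access-Accept
    (1.0, CTRL, NPS, make_pkt(1, 8, b"B" * 16)),    # request with no reply
    (6.0, CTRL, NPS, make_pkt(1, 8, b"B" * 16)),    # retransmit after 5 s
    (11.0, CTRL, NPS, make_pkt(1, 8, b"B" * 16)),   # retransmit after 5 s
]
```

Each returned entry gives the identifier, the number of sends and the first and last send times, which can be lined up against the NPS log for the same interval.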



  • 7.  RE: Authentication server request timed out

    EMPLOYEE
    Posted Apr 06, 2012 11:01 PM
    The hot fix says this is if you configured the ping name registry entry on the server. Does that match your situation? Did you apply the fix and are no longer having problems?


  • 8.  RE: Authentication server request timed out

    Posted Apr 09, 2012 09:45 AM

    No, we do not have the ping name registry entry configured.  I can't find any other articles regarding NPS not sending access-reject messages and assume this must be the fix.  I decided against applying the hotfix as MS states that the hotfixes aren't fully tested.  I'll see if I can create a dev environment and test the hotfix to be 100% sure it resolves the issue.



  • 9.  RE: Authentication server request timed out

    EMPLOYEE
    Posted Apr 09, 2012 09:52 AM

    Compnerd,

    Please let us know how it goes.  Please feel free to open a support case in parallel so that they can dive into this in earnest.



  • 10.  RE: Authentication server request timed out

    Posted Aug 19, 2012 06:47 PM

    Any resolution to this issue?

     

    I've got a pair of 2008R2 NPS and we're getting the same result to one of them with a few hundred users as well (controller on 6.1.3.1). If I added the second server (which tests successfully in diags) to the auth profile the network begins to authenticate again, and I don't have any issues, but the original radius still fails. I'm not convinced the issue is in the NPS, since restarting the service, etc. seems to have no effect. The only way I've got to clear up the issue so far is a controller reboot (less than desirable). It appears to be a time thing - after a certain amount of time (a week?), RADIUS auth begins to fail, and won't work again until the reboot. Maybe that's not related at all? I plan to open a support ticket, but in case anyone has found a solution, I'm all ears.



  • 11.  RE: Authentication server request timed out

    EMPLOYEE
    Posted Aug 19, 2012 07:39 PM

    The way it works is, if you have two servers that are in a server group, the first one will be used until it becomes unresponsive.  If it becomes unresponsive, the second one will be used exclusively and the first one will be marked down.  If there is only a single server in the server group, even if it is unresponsive, it will NEVER be marked down and the controller will continuously try.

    Here is what I would do:

    - Try using the "good" server in the server group as the first server and put the "bad" server as the second and see if you have any issues (a week?).  If you don't have any issues, switch them.  The only way to find out if a server is at fault is to leave it by itself in the server group and then look at the server logs that correspond to the time that it timed out.