Authentication Timeout

Similar Messages

• ISE machine authentication timeout

  Hi all,
  We have a ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
  Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
  As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
  My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
  How have you bypassed the timeout of mar cache?
  My ISE version is 1.2 with 2 patches installed
  Thank you
  Sent from Cisco Technical Support iPad App

  Hi
  Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
  Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
  When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
  • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
  • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

• Wlc 5500 authentication timeout

  I have a WLC 5500 controller. I have two WLANS (OBSD-Internal and OBSD-BYOD). I have authentication setup to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re authenticate every few minutes. This only happens on the BYOD WLAN (not Internal)                  

  Scott-
  Here are the results of the sho WLAN cmd:
  (Cisco Controller) >show wlan 3
  WLAN Identifier.................................. 3
  Profile Name..................................... OBSD BYOD
  Network Name (SSID).............................. OBSD-BYOD
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Number of Active Clients......................... 25
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. Infinity
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ g9c-guest
  Multicast Interface.............................. Not Configured
  --More-- or (q)uit
  WLAN ACL......................................... Guest WiFi Internet Only
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  Quality of Service............................... Silver (best effort)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Global Servers
  --More-- or (q)uit
     Accounting.................................... Global Servers
     Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
     802.11 Authentication:........................ Open System
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Enabled
  ACL............................................. Web Auth
  Web Authentication server precedence:
  1............................................... local
  2............................................... radius
  3............................................... ldap
     Web-Passthrough............................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     H-REAP Local Switching........................ Disabled
     H-REAP Local Authentication................... Disabled
     H-REAP Learn IP Address....................... Enabled
  --More-- or (q)uit
     Client MFP.................................... Optional but inactive (WPA2 not configured)
     Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  SIP CAC Fail Send-486-Busy Policy................ Enabled
  SIP CAC Fail Send Dis-Association Policy......... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  Mobility Anchor List
  WLAN ID     IP Address            Status

• 5508 web authentication timeout problem

  If any authenticated user uses protocol other than (http, https) within timeout period,
  that user is deuthenticated, why? solution?

  Are you referring to idle timeout OR session timeout?
  Once a web auth client is authenticated, he has full access and can run any protocol unless
  - restricted by an ACL on controller OR switch with gateway OR firewall.
  c) On WLC CLI, run
  config paging disable
  show run-config
  show traplog
  show msglog
  b) From switch that has L3 SVI for the guest subnet, send
  show run interface vlan x

• Web authentication timeout problem

     We have one SSID using web-auth with ISE.
  On WLC we configured idle timeout fot 2400 seconds and on wlan>advanced with 65535 seconds for session timeout. But we are having continuos deauthentication in about 10 minutes.
  When we check WLC, our mac-address is deleted after about each 10 minutes
  How Can I solved this issue?

  On this wlan we are using Web-Auth with WPA2 + PSK.
  Software version 7.0.220
  another ssid not have this problem.
  debug client
  *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
  *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
     state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
  *dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
  *osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
  *dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
  *osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
  *dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
  *osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
  *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
  *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
  *dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
  *osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated
  *apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
  *osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
  *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
  *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle
  *apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 47) in 10 seconds
  *osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
  Do you have any suggestion about log or debug ?
  thanks a lot,
  Murilo

• Token authentication timeout

  I'm seeing some behavior I don't understand with token timeouts. My code creates a token with a 60 minute, 100 login limit:
  try
     ISessionMgr        sessionMgr        = CrystalEnterprise.getSessionMgr();
     IEnterpriseSession enterpriseSession = sessionMgr.logon(id, pwd, server, type);
     // Now create the login token
     ILogonTokenMgr logonTokenMgr = enterpriseSession.getLogonTokenMgr();
     token = logonTokenMgr.createWCAToken("", 60, 100);
  catch(Exception e)
     throw new LoginHelperException(e);
  I have a web front end that calls various services. All these services begin with an auth check that looks something like this:
  try
     if(token == null)
        throw new LoginHelperException("Missing token");
     else
        enterpriseSession = CrystalEnterprise.getSessionMgr().logonWithToken(token);
  I am not storing the enterpriseSession in my web session. I create a new one with the token for every request.  It's my understanding I should only have to create a new token after 60 minutes, or after 100 calls to logonWithToken(), which ever comes first. But what I'm seeing in practice is an auth exception after only a few minutes.
  2008-11-14 09:41:39,457 ERROR [http-8080-Processor24] (report_jsp.java:120) - Exception in report.jsp
  com.reporting.bo.exceptions.LoginHelperException: com.crystaldecisions.sdk.exception.SDKServerException: An error occurred at the server :
  Session ID is not valid.
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:An error occurred at the server :
  Session ID is not valid.
  The server supplied the following details: OCA_Abuse exception 10503 at [exceptionmapper.cpp : 65]  42436 {}
          ...Session ID is not valid. Original session not available for ONEOFF logon
  Am I misunderstanding how tokens work? I'd like for the token to be valid for more than 10 minutes.

  You're using the WCA token.
  Validity lifetime of a WCA token is tied to the originating EnterpriseSession that created it.
  Since the originating EnterpriseSession is going out of scope in your code, it gets GC'ed.
  When the CMS detects that the EnterpriseSession no longer exists, it invalidates all WCA tokens associated with it.
  Next time you try to use the WCA token, it fails.
  So either use the Logon Token - that uses a CAL each time you use it - or keep the EnterpriseSession live but make sure you log it off when you're done with it.
  Sincerely,
  Ted Ueda

• Wireless Web authentication timeout

  Hello, our wireless web authentication is usually timing out after half an hour of inactivity. How can i increase it so people do not need to reauthenticate after 30 min of inactivity?
  Thanks in advance.

  It's in the WLAN definition on the Advanced tab.

• 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

  Hello
  [Env on my lab investigation]
  supplicant - W7 with cert
  authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
  authentication server 2x - W2008/NPS like a RADIUS server
  [Config some part of authenticator]
  interface FastEthernet0/1
  switchport access vlan 34
  switchport mode access
  authentication event fail retry 1 action authorize vlan 47
  authentication event server dead action authorize vlan 35
  authentication event no-response action authorize vlan 47
  authentication event server alive action reinitialize
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 15
  dot1x timeout tx-period 15
  spanning-tree portfast
  [Symptoms]
  After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
  [Summary]
  The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
  [The question]
  What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
  Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
  [Logs]
  During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
  1. supplicant and authenticator orderflow at wireshar:
  - supplicant EAPOL Start
  - authenticator EAP Request Identity
  - supplicat  Response Identity, 3 times
  - supplicant EAPOL Start
  - authenticator EAP Failure
  - authenticator EAP Request Identity x2
  - supplicat  Response Identity x2
  and again, more detail about flow from whireshar chart at the end
  2. authenticator console saw like this:
  *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  krasw8021x>
  *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  and finaly
  *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
  *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
  *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
  3. Authentication server:
  - NPS doesn'e recived any RADIUS Access-Request/Response.
  [supplicant EAPOL flow chart, source wireshark]
  |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
  |         |                   | Nearest           |                  
  |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,051    |                   |         Start     |                   |EAPOL: Start
  |         |                   |(0)      <------------------  (0)      |
  |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |18,063   |                   |         Start     |                   |EAPOL: Start
  |         |                   |(0)      <------------------  (0)      |
  |18,065   |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |129,684  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |190,996  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |206,002  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  /regards Piter 

  Hi,
  Did you ever try to configure re-authentication?
  Is the client is up and running if you connect it to the switch?
  Sent from Cisco Technical Support iPad App

• Issue with HTTP Authentication

  I am trying to implement an authentication/timeout
            system whereby the initial login is done by a standard
            HTML form (posted). When the session times out and the
            user requests a service, the session is "revived" by
            custom HTTP Authentication. In this way, a complex set
            of frames and multiple windows is not disrupted by a
            new window.
            The problem is that one a user HTTP Authenticates, the
            AUTHORIZATION header value stays until the browser is
            closed. Consequently, the user never has to
            authenticate again, even when the session times out,
            because when the servlet requests authorization, it is
            right there in the servlet request.
            So my question is, how do I clear or remove the
            AUTHORIZATION header item from the client ?
            Thanks.
            //Nicholas
            

  Hi,
  Opened a TAC and he confirmed that 8.2.1 supports the SDI for http/asdm authentication.
  http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp340497
  Regards
  Amar

• How to increase the time at the end of what aaa requeries the authentication of a client web

  Hi All,
  I configure ASA aaa to authentificate our internal web client to access to internet. It's check the username/password of client in our Active Directory.
  When the client initiate the first connexion, the ASA request the login connexion and when it's correct, it authorise the access. But after 10 min for exemple, it's request again the login, and so one and so one. Approximativelly, after each ten minute, it requeste an username/password.
  I want to know how can i increase the time between two authentifcation. Or increase the time of 10 min.
  Thanks.

  The authentication timeout is configurable via the "timeout uauth" command, and you can set either absolute or inactivity timeout.
  Here is the command for your reference:
  http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/t.html#wp1569874

• Mobility Anchor connection drops during authentication

  Hi,
  I have a strange situation, hopefully someone can help. I have a WLAN setup with foreign - anchor controllers and MAC address authentication using central RADIUS server. In some cases for some clients the foreign export cannot build up because during the 802.11 process the foreign disconnects the client due to a session timer expires. Some clients can connect, others experience this issue. Sometimes client can get IP address via the anchor DHCP proxy but then foreign disconnects it with expiring message. (foreign sw version 6.0.202, anchor sw version 6.0.188 but we have same situation with other foreign which has 7.4.110 version)
  Debug shows the following (suspicious part is in red):
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Reassociation received from mobile on AP e8:04:62:f6:bf:00
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying site-specific IPv6 override for station 60:c5:47:99:b0:a6 - vapId 3, site 'default-group', interface 'management'
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying IPv6 Interface Policy for station 60:c5:47:99:b0:a6 - vlan 850, interface id 0, interface 'management'
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 STA - rates (6): 24 164 48 72 96 108 0 0 0 0 0 0 0 0 0 0
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [e8:04:62:f6:cd:d0]
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Updated location for station old AP e8:04:62:f6:cd:d0-0, new AP e8:04:62:f6:bf:00-0
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending
  *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
  *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 2
  *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
  *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
  *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Initializing policy
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP e8:04:62:f6:bf:00 vapId 3 apVapId 3
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 49) in 7200 seconds
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Sending Assoc Response to station on BSSID e8:04:62:f6:bf:00 (status 0) Vap Id 3 Slot 0
  *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfProcessRadiusAssocResp (apf_80211.c:1956) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Associated
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Applying post-handoff policy for station 60:c5:47:99:b0:a6 - valid mask 0xb00
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     Session: 7200, User session: 7201, User elapsed 104  Interface: (null) ACL: N/A
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 16
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 55) in 7200 seconds
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
  *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
  *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4245
  *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client on AP e8:04:62:f6:bf:00, slot 0, interface = 29, QOS = 0  ACL Id = 255, Jumbo Frames = NO, 802.1
  *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
  *Jan 15 12:07:01.332: 60:c5:47:99:b0:a6 Set bi-dir guest tunnel for 60:c5:47:99:b0:a6 as in Export Foreign role
  *Jan 15 12:07:01.335: 60:c5:47:99:b0:a6 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
  *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
  *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
  *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Disassociated
  *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Disassociated to Idle
  *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [e8:04:62:f6:bf:00]
  *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 Deleting mobile on AP e8:04:62:f6:bf:00(0)
  *Jan 15 12:07:11.894: 60:c5:47:99:b0:a6 0.0.0.0 Removed NPU entry.
  *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Adding mobile on LWAPP AP 68:bd:ab:48:80:f0(0)
  *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
  *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 60:c5:47:99:b0:a6 on AP 68:bd:ab:48:80:f0 from Idle to Probe
  Question: Why is that 10 sec timer still ticking at that phase when client already reached RUN state?
  On a foreign wlc with sw 7.4.110 using anchor with sw 6.0.188 the situation is even worse, all clients have this issue and cannot connect.
  Thanks
  Hege

  Hi,
  Yes, that was the first thing to check. We don't use the DHCP required option (unchecked on both sides). The only difference between acnhor and foreign configuration is that in foreign L2 macfiltering is enabled and radius servers are specified while on anchor it is not enabled and specified. I have tried it on anchor with enabling macfiltering (without radius servers specified there) but I have the same behaviour. AAA override is also enabled on both sides.
  I have also increased the authentication timeout in advanced timers options from 10 sec to 40 secs but no luck, debug shows the same 10secs.
  I am thinking on 2 options. 1st option is that the anchor software is too old (6.0.188) and needs to be upgraded to 7.0.240 (anchor is a 4400 wlc). 2nd option is that there might be too much delay between anchor and foreign?
  On the same setup if we use guest access with web authentication on the anchor side (no MAC authentication), then eveyrthing is fine.
  Thanks
  Hege

• WLC user authentication and SSID broadcast

                 Hi Everyone,
  Need to confirm if WLC  is sending the ssid as broadcast or not?
  Also if users connect if they get the ip from dhcp need to confirm how they are getting authenticated?
  Regards
  Mahesh   

  With respect to username you are correct.
  But regarding authentication you cannot come to a conclusion like that, You have to see the full "show client detail " . Here is an example of PEAP authenticated client. Authentication algorithm open system does not mean user does not use password. Any EAP method  Authentication Algorithm show as open system, but still user has to enter their credential (except TLS where it is certificate based)
  (WLC) >show client detail 04:1e:64:13:f9:03
  Client MAC Address............................... 04:1e:64:13:f9:03
  Client Username ................................. smcowgill
  AP MAC Address................................... c4:0a:cb:a0:e8:50
  AP Name.......................................... APc464.13b4.4be8 
  Client State..................................... Associated    
  Client NAC OOB State............................. Access
  Wireless LAN Id.................................. 2 
  Hotspot (802.11u)................................ Not Supported
  BSSID............................................ c4:0a:cb:a0:e8:51 
  Connected For ................................... 7520 secs
  Channel.......................................... 1 
  Association Id................................... 1 
  Authentication Algorithm......................... Open System
  Reason Code...................................... 1 
  Status Code...................................... 0 
  Client CCX version............................... No CCX support
  Re-Authentication Timeout........................ 3284
  802.1P Priority Tag.............................. 6
  CTS Security Group Tag........................... Not Applicable
  KTS CAC Capability............................... No
  WMM Support...................................... Enabled
    APSD ACs.......................................  BK  BE  VI  VO
  Power Save....................................... ON
  Current Rate..................................... 54.0
  Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,54.0
  Mobility State................................... Foreign
  Mobility Anchor IP Address....................... 10.14.7.247
  Mobility Move Count.............................. 3
  Security Policy Completed........................ Yes
  Policy Manager State............................. RUN
  Policy Manager Rule Created...................... Yes
  Audit Session ID................................. 0a0a06f400040f985228de2e
  IPv4 ACL Name.................................... none
  IPv4 ACL Applied Status.......................... Unavailable
  IPv6 ACL Name.................................... none
  IPv6 ACL Applied Status.......................... Unavailable
  Client Type...................................... SimpleIP
  PMIPv6 State..................................... Unavailable
  mDNS Status...................................... Enabled
  mDNS Profile Name................................ default-mdns-profile
  No. of mDNS Services Advertised.................. 0
  Policy Type...................................... WPA2
  Authentication Key Management.................... 802.1x
  Encryption Cipher................................ CCMP (AES)
  Protected Management Frame ...................... No
  Management Frame Protection...................... No
  EAP Type......................................... PEAP

• Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

  [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
  We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
  just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
  So... now we are trying Phonefactor.
  Our VPN setup is RRAS on a Windows Server 2003 domain controller.
  We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
  call.
  It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
  nimble, that is frequently not enough time!
  When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
  How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
  Things we have tried:
  1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
  2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
  3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
  4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
  5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
  6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
  7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
  8) Try this registry hack:
  http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
  Any ideas?
  thanks!

  Hi fdc2005,
  Thanks for the post.
  However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
  Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us more details.
  Regarding error 718, please check if the following could help:
  If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
  Steps to follow for resolution:
  (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
  (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
  Quote from:
  Troubleshooting Vista VPN problems.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• ASA auth-proxy timeout

  Hi, everyone
  I have a puzzle with ASA auth-proxy authentication timeout. I want to achieve the inactivity timeout, that is, when there are some traffic btw client and host through ASA after user authenticated, cache timeout timer don't work. When traffic is end, cache timeout timer work again.
  but when I configurate the ASA 7.0, I found if I have configurate the ASA timeout timer as absolute with the following command:
  timeout uauth 0:05:00 absolute
  I cannot change the timer to inactivity,
  but can changed to as below
  timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
  what is its meaning?
  and can user authentication timer change to inactivity?
  very thanks

  Use the timeout uauth absolute & inactivity values locally.
  Try the bug CSCsg52108
  http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629

• What kind of timeouts present in SAP Portal?

  Hi there,
  i have a Question. In the portal there are Session Timeouts. Thats OK. But now i want to know what kind of other timeouts are in the portal.
  Can you help here?
  Thanks
  Bjoern

  So i want ti explain what i mean:
  I know that the portal knows:
  Session Timeout
  Log-In Timeout
  Authentication Timeout
  So what kind of timeouts are there too?
  Thanks for your help!
  Edited by: Bjoern Bayerschmidt on Dec 4, 2008 2:25 PM