Authentication Timeout
I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently running version 6.4 on the ASA and AnyConnect 2.5.3055. Any input is appreciated.
Thanks!
I think I am now talking to myself, but hopefully this helps someone else someday!
The profiles located in C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile were not updated. The client was using both the wrong profile AND an outdated profile. I modified the profile locally and the client worked fine. Now I need to determine why the client profiles are not being downloaded.
Similar Messages
-
ISE machine authentication timeout
Hi all,
We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
Everything is working fine except that every hour the user must log off and log in again because machine authentication has, I think, expired!
As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
My question is: if the machine restarts 7 hours after the first successful authentication, will the timer reset, or will it be kicked after an hour and have to log off and in again?
How have you bypassed the timeout of the MAR cache?
My ISE version is 1.2 with 2 patches installed
Thank you
Sent from Cisco Technical Support iPad App
Hi
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned. -
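The MAR cache behaviour described in the answer above, modelled in Python as an added illustration (this is not Cisco ISE code; the real cache is internal to ISE). It assumes, as the answer states, that every successful machine authentication writes the Calling-Station-ID entry with a fresh "Time to Live" expiry, so a machine that re-authenticates (for example after a restart) restarts its own timer. The class name, profile labels, MAC address and timestamps are constructed for the example.

```python
"""Model of the ISE Machine Access Restriction (MAR) cache.

Added illustration, not Cisco ISE code. Assumed names: MarCache, the two
profile labels, and the constructed timestamps and Calling-Station-ID.
"""
from datetime import datetime, timedelta

# The two authorization outcomes named in the answer.
PROFILE_MACHINE_AND_USER = "user authorized with machine authentication"
PROFILE_USER_ONLY = "user authorized without machine authentication"


class MarCache:
    """Cache keyed by the RADIUS Calling-Station-ID (attribute 31).

    An entry is (re)written on every successful machine authentication and
    expires ttl_hours later (the Active Directory "Time to Live" setting).
    Expired entries are deleted from the cache before a lookup.
    """

    def __init__(self, ttl_hours: float) -> None:
        self.ttl = timedelta(hours=ttl_hours)
        self._entries = {}  # Calling-Station-ID -> expiry time

    def machine_authenticated(self, calling_station_id: str, now: datetime) -> None:
        # Successful machine auth: cache the ID with a fresh expiry (restarts the timer).
        self._entries[calling_station_id] = now + self.ttl

    def _purge(self, now: datetime) -> None:
        # ISE deletes an entry once its Time to Live has expired.
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    def authorize_user(self, calling_station_id: str, now: datetime) -> str:
        # User auth: look up the Calling-Station-ID received in the user request.
        self._purge(now)
        if calling_station_id in self._entries:
            return PROFILE_MACHINE_AND_USER
        return PROFILE_USER_ONLY


def demo(ttl_hours: float = 8.0) -> list:
    """Replay the scenario from the question with constructed timestamps."""
    cache = MarCache(ttl_hours)
    mac = "00:11:22:33:44:55"  # constructed Calling-Station-ID
    t0 = datetime(2014, 1, 1, 8, 0)
    results = []
    cache.machine_authenticated(mac, t0)
    results.append(("user auth at t0+1h", cache.authorize_user(mac, t0 + timedelta(hours=1))))
    # Machine restarts 7 hours in and machine-authenticates again: entry refreshed.
    cache.machine_authenticated(mac, t0 + timedelta(hours=7))
    results.append(("user auth at t0+9h", cache.authorize_user(mac, t0 + timedelta(hours=9))))
    # No further machine auth: once the TTL passes, only the user-only profile applies.
    results.append(("user auth at t0+16h", cache.authorize_user(mac, t0 + timedelta(hours=16))))
    return results


if __name__ == "__main__":
    for label, profile in demo():
        print(f"{label}: {profile}")
```

Running demo(1.0) instead of the default 8-hour TTL reproduces the one-hour behaviour from the question: every user authentication after the first hour falls back to the user-only profile unless the machine authenticated again in between.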
Wlc 5500 authentication timeout
I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up on the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re-authenticate every few minutes. This only happens on the BYOD WLAN (not Internal).
Scott-
Here are the results of the sho WLAN cmd:
(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status -
5508 web authentication timeout problem
If any authenticated user uses protocol other than (http, https) within timeout period,
that user is deauthenticated. Why? Solution?
Are you referring to idle timeout OR session timeout?
Once a web auth client is authenticated, he has full access and can run any protocol unless
- restricted by an ACL on controller OR switch with gateway OR firewall.
c) On WLC CLI, run
config paging disable
show run-config
show traplog
show msglog
b) From switch that has L3 SVI for the guest subnet, send
show run interface vlan x -
Web authentication timeout problem
We have one SSID using web-auth with ISE.
On the WLC we configured an idle timeout of 2400 seconds and, on WLAN > Advanced, a session timeout of 65535 seconds. But we are having continuous deauthentication after about 10 minutes.
When we check the WLC, our MAC address is deleted after about every 10 minutes.
How can I solve this issue?
On this WLAN we are using Web-Auth with WPA2 + PSK.
Software version 7.0.220
Another SSID does not have this problem.
debug client
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 47) in 10 seconds
*osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
Do you have any suggestion about log or debug ?
thanks a lot,
Murilo -
I'm seeing some behavior I don't understand with token timeouts. My code creates a token with a 60 minute, 100 login limit:
try {
    ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
    IEnterpriseSession enterpriseSession = sessionMgr.logon(id, pwd, server, type);
    // Now create the login token: 60 minute lifetime, 100 logons
    ILogonTokenMgr logonTokenMgr = enterpriseSession.getLogonTokenMgr();
    token = logonTokenMgr.createWCAToken("", 60, 100);
} catch (Exception e) {
    throw new LoginHelperException(e);
}
I have a web front end that calls various services. All these services begin with an auth check that looks something like this:
try {
    if (token == null) {
        throw new LoginHelperException("Missing token");
    } else {
        enterpriseSession = CrystalEnterprise.getSessionMgr().logonWithToken(token);
    }
} catch (Exception e) {
    // catch block assumed here; it mirrors the token-creation snippet above
    throw new LoginHelperException(e);
}
I am not storing the enterpriseSession in my web session. I create a new one with the token for every request. It's my understanding I should only have to create a new token after 60 minutes, or after 100 calls to logonWithToken(), whichever comes first. But what I'm seeing in practice is an auth exception after only a few minutes.
2008-11-14 09:41:39,457 ERROR [http-8080-Processor24] (report_jsp.java:120) - Exception in report.jsp
com.reporting.bo.exceptions.LoginHelperException: com.crystaldecisions.sdk.exception.SDKServerException: An error occurred at the server :
Session ID is not valid.
cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
detail:An error occurred at the server :
Session ID is not valid.
The server supplied the following details: OCA_Abuse exception 10503 at [exceptionmapper.cpp : 65] 42436 {}
...Session ID is not valid. Original session not available for ONEOFF logon
Am I misunderstanding how tokens work? I'd like for the token to be valid for more than 10 minutes.
You're using the WCA token.
Validity lifetime of a WCA token is tied to the originating EnterpriseSession that created it.
Since the originating EnterpriseSession is going out of scope in your code, it gets GC'ed.
When the CMS detects that the EnterpriseSession no longer exists, it invalidates all WCA tokens associated with it.
Next time you try to use the WCA token, it fails.
So either use the Logon Token - that uses a CAL each time you use it - or keep the EnterpriseSession live but make sure you log it off when you're done with it.
Sincerely,
Ted Ueda -
Wireless Web authentication timeout
Hello, our wireless web authentication is usually timing out after half an hour of inactivity. How can I increase it so people do not need to reauthenticate after 30 min of inactivity?
Thanks in advance.
It's in the WLAN definition on the Advanced tab.
-
802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'
Hello
[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
[Config some part of authenticator]
interface FastEthernet0/1
switchport access vlan 34
switchport mode access
authentication event fail retry 1 action authorize vlan 47
authentication event server dead action authorize vlan 35
authentication event no-response action authorize vlan 47
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 15
spanning-tree portfast
[Symptoms]
After rebooting the authenticator, the supplicant connected to FE0/1 was finally put into the Guest VLAN 47, and before that I saw "Authentication result 'timeout'" on the authenticator console. But when the switch is up and running and I connect the same W7 supplicant with cert to the same authenticator port FE0/1, the supplicant is finally put into static VLAN 34.
[Summary]
The problem is the end stations that are still connected to the supplicant port /using EAP-TLS/ after the reboot! All of them are put into the Guest VLAN instead of static VLAN 34!
[The question]
What is wrong, and how do I configure/tune the authenticator or the authentication server so that I do not observe authentication timeouts after the reboot?
Of course, after 20 minutes /the next EAPOL Start frame/ the supplicant is put into VLAN 34.
[Logs]
During this I observed the supplicant in Wireshark, the authenticator console and NPS in Wireshark; see below:
1. Supplicant and authenticator order of flow in Wireshark:
- supplicant EAPOL Start
- authenticator EAP Request Identity
- supplicant Response Identity, 3 times
- supplicant EAPOL Start
- authenticator EAP Failure
- authenticator EAP Request Identity x2
- supplicant Response Identity x2
and again; more detail about the flow from the Wireshark chart at the end.
2. The authenticator console showed this:
*Mar 1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar 1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
and finally
*Mar 1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
3. Authentication server:
- NPS didn't receive any RADIUS Access-Request/Response.
[Supplicant EAPOL flow chart, source: Wireshark]
|Time | Cisco_f9:98:81 | Dell_12:cf:80 |
| | | Nearest |
|0,041 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|0,045 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|0,051 | | Start | |EAPOL: Start
| | |(0) <------------------ (0) |
|0,065 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|0,075 | | Response, Identity |EAP: Response, Identity [RFC3748]
| | |(0) <------------------ (0) |
|0,075 | | Response, Identity |EAP: Response, Identity [RFC3748]
| | |(0) <------------------ (0) |
|18,063 | | Start | |EAPOL: Start
| | |(0) <------------------ (0) |
|18,065 | Failure | | |EAP: Failure
| |(0) ------------------> (0) | |
|18,268 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|18,303 | | Response, Identity |EAP: Response, Identity [RFC3748]
| | |(0) <------------------ (0) |
|18,307 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|18,307 | | Response, Identity |EAP: Response, Identity [RFC3748]
| | |(0) <------------------ (0) |
|37,073 | Request, EAP-TLS [R | |EAP: Request, EAP-TLS [RFC5216] [Aboba]
| |(0) ------------------> (0) | |
|67,941 | Request, EAP-TLS [R | |EAP: Request, EAP-TLS [RFC5216] [Aboba]
| |(0) ------------------> (0) | |
|98,805 | Request, EAP-TLS [R | |EAP: Request, EAP-TLS [RFC5216] [Aboba]
| |(0) ------------------> (0) | |
|129,684 | Failure | | |EAP: Failure
| |(0) ------------------> (0) | |
|144,697 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|160,125 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|175,561 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|190,996 | Failure | | |EAP: Failure
| |(0) ------------------> (0) | |
|206,002 | Failure | | |EAP: Failure
| |(0) ------------------> (0) | |
|206,204 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|212,103 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|227,535 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
|242,970 | Request, Identity [ | |EAP: Request, Identity [RFC3748]
| |(0) ------------------> (0) | |
/regards Piter
Hi,
Did you ever try to configure re-authentication?
Is the client up and running when you connect it to the switch?
Sent from Cisco Technical Support iPad App -
Issue with HTTP Authentication
I am trying to implement an authentication/timeout system whereby the initial login is done by a standard HTML form (posted). When the session times out and the user requests a service, the session is "revived" by custom HTTP Authentication. In this way, a complex set of frames and multiple windows is not disrupted by a new window.
The problem is that once a user HTTP Authenticates, the AUTHORIZATION header value stays until the browser is closed. Consequently, the user never has to authenticate again, even when the session times out, because when the servlet requests authorization, it is right there in the servlet request.
So my question is, how do I clear or remove the AUTHORIZATION header item from the client?
Thanks.
//Nicholas
Hi,
Opened a TAC and he confirmed that 8.2.1 supports the SDI for http/asdm authentication.
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp340497
Regards
Amar -
How to increase the time after which aaa requires the authentication of a web client again
Hi All,
I configured ASA aaa to authenticate our internal web clients for access to the internet. It checks the username/password of the client in our Active Directory.
When the client initiates the first connection, the ASA requests the login, and when it is correct, it authorises the access. But after 10 min, for example, it requests the login again, and so on and so on. Approximately every ten minutes, it requests a username/password.
I want to know how I can increase the time between two authentications, or increase the time of 10 min.
Thanks.
The authentication timeout is configurable via the "timeout uauth" command, and you can set either absolute or inactivity timeout.
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/t.html#wp1569874 -
Mobility Anchor connection drops during authentication
Hi,
I have a strange situation, hopefully someone can help. I have a WLAN setup with foreign - anchor controllers and MAC address authentication using central RADIUS server. In some cases for some clients the foreign export cannot build up because during the 802.11 process the foreign disconnects the client due to a session timer expires. Some clients can connect, others experience this issue. Sometimes client can get IP address via the anchor DHCP proxy but then foreign disconnects it with expiring message. (foreign sw version 6.0.202, anchor sw version 6.0.188 but we have same situation with other foreign which has 7.4.110 version)
Debug shows the following (suspicious part is in red):
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Reassociation received from mobile on AP e8:04:62:f6:bf:00
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying site-specific IPv6 override for station 60:c5:47:99:b0:a6 - vapId 3, site 'default-group', interface 'management'
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying IPv6 Interface Policy for station 60:c5:47:99:b0:a6 - vlan 850, interface id 0, interface 'management'
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 STA - rates (6): 24 164 48 72 96 108 0 0 0 0 0 0 0 0 0 0
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [e8:04:62:f6:cd:d0]
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Updated location for station old AP e8:04:62:f6:cd:d0-0, new AP e8:04:62:f6:bf:00-0
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 2
*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
*Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Initializing policy
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP e8:04:62:f6:bf:00 vapId 3 apVapId 3
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 49) in 7200 seconds
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Sending Assoc Response to station on BSSID e8:04:62:f6:bf:00 (status 0) Vap Id 3 Slot 0
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfProcessRadiusAssocResp (apf_80211.c:1956) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Associated
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Applying post-handoff policy for station 60:c5:47:99:b0:a6 - valid mask 0xb00
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session: 7200, User session: 7201, User elapsed 104 Interface: (null) ACL: N/A
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 16
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 55) in 7200 seconds
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4245
*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Adding Fast Path rule type = Airespace AP Client on AP e8:04:62:f6:bf:00, slot 0, interface = 29, QOS = 0 ACL Id = 255, Jumbo Frames = NO, 802.1
*Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Jan 15 12:07:01.332: 60:c5:47:99:b0:a6 Set bi-dir guest tunnel for 60:c5:47:99:b0:a6 as in Export Foreign role
*Jan 15 12:07:01.335: 60:c5:47:99:b0:a6 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Disassociated
*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Disassociated to Idle
*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [e8:04:62:f6:bf:00]
*Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 Deleting mobile on AP e8:04:62:f6:bf:00(0)
*Jan 15 12:07:11.894: 60:c5:47:99:b0:a6 0.0.0.0 Removed NPU entry.
*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Adding mobile on LWAPP AP 68:bd:ab:48:80:f0(0)
*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 60:c5:47:99:b0:a6 on AP 68:bd:ab:48:80:f0 from Idle to Probe
Question: Why is that 10 sec timer still ticking at that phase when client already reached RUN state?
On a foreign wlc with sw 7.4.110 using anchor with sw 6.0.188 the situation is even worse, all clients have this issue and cannot connect.
Thanks
Hege
Hi,
Yes, that was the first thing to check. We don't use the DHCP required option (unchecked on both sides). The only difference between anchor and foreign configuration is that on the foreign L2 MAC filtering is enabled and RADIUS servers are specified, while on the anchor it is not enabled and not specified. I have tried it on the anchor with MAC filtering enabled (without RADIUS servers specified there) but I have the same behaviour. AAA override is also enabled on both sides.
I have also increased the authentication timeout in advanced timers options from 10 sec to 40 secs but no luck, debug shows the same 10secs.
I am thinking on 2 options. 1st option is that the anchor software is too old (6.0.188) and needs to be upgraded to 7.0.240 (anchor is a 4400 wlc). 2nd option is that there might be too much delay between anchor and foreign?
On the same setup, if we use guest access with web authentication on the anchor side (no MAC authentication), then everything is fine.
Thanks
Hege -
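Two debug excerpts in this thread end in "Expiring Mobile!": the WPA2-PSK web-auth case above, where the controller gives up after three retransmits of EAPOL-Key M5 and deauthenticates, and the foreign/anchor case just above, where a 10-second deletion timer set in the AAA Pending state fires even though the client has reached RUN. The Python below is an added example (not Cisco code) that pairs each "Scheduling deletion of Mobile Station ... in N seconds" line with the next "Expiring Mobile!" line for the same client, reports how long the timer really ran, and records the event that preceded the scheduling. The sample lines are copied from those two excerpts; the regexes, the 2-second slack and the function names are assumptions of this example.

```python
"""Timeline check for WLC "debug client" output (added example, not Cisco code)."""
import re
from datetime import datetime

# Both excerpts share this shape: "*[task: ]Mon DD HH:MM:SS.mmm: <client MAC> <message>".
_LINE = re.compile(
    r"^\*(?:\w+: )?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
_SCHED = re.compile(r"Scheduling deletion of Mobile Station: \(callerId: (\d+)\) in (\d+) seconds")
# Messages remembered as the event that preceded a scheduled deletion.
_TRIGGERS = ("Retransmit failure", "Sent Deauthenticate", "Changing state")
# A timer that fires within this many seconds of its requested delay counts as "on time".
_SLACK_S = 2.0


def _ts(mon: str, day: str, time: str) -> datetime:
    # Debug output carries no year; only differences between timestamps are used.
    return datetime.strptime(f"2000 {mon} {day} {time}", "%Y %b %d %H:%M:%S.%f")


def parse(lines):
    """Keep only lines carrying a timestamp and client MAC, as (time, mac, message)."""
    out = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            out.append((_ts(m["mon"], m["day"], m["time"]), m["mac"], m["msg"]))
    return out


def analyze(lines):
    """One record per scheduled deletion, paired with the expiry that followed it."""
    events = parse(lines)
    records, last_trigger = [], None
    for i, (t, mac, msg) in enumerate(events):
        if any(k in msg for k in _TRIGGERS):
            last_trigger = msg
        s = _SCHED.search(msg)
        if not s:
            continue
        rec = {"mac": mac, "scheduled_at": t.time().isoformat(timespec="milliseconds"),
               "caller_id": int(s.group(1)), "requested_s": int(s.group(2)),
               "preceded_by": last_trigger, "elapsed_s": None, "on_time": None}
        for t2, mac2, msg2 in events[i + 1:]:
            if mac2 == mac and "Expiring Mobile!" in msg2:
                rec["elapsed_s"] = round((t2 - t).total_seconds(), 3)
                rec["on_time"] = abs(rec["elapsed_s"] - rec["requested_s"]) <= _SLACK_S
                break
        records.append(rec)
    return records


# Copied from the thread's WPA2-PSK web-auth excerpt: M5 retransmit failure, deauth, 10 s timer.
M5_LOG = """\
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
""".splitlines()

# Copied from the foreign/anchor excerpt: 10 s timer set at AAA Pending, RUN reached, timer still fires.
ANCHOR_LOG = """\
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending
*Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated
*Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station: (callerId: 49) in 7200 seconds
*Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
""".splitlines()

if __name__ == "__main__":
    for rec in analyze(M5_LOG) + analyze(ANCHOR_LOG):
        print(rec)
```

Run on the full debug output, the record whose elapsed time matches its requested delay identifies which scheduled timer actually deleted the client: in the foreign/anchor excerpt that is callerId 20 (about 10.7 s after it was set in AAA Pending), while the 7200-second session timer from callerId 49 is reported as not on time because the client was removed long before it could fire.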
WLC user authentication and SSID broadcast
Hi Everyone,
Need to confirm whether the WLC is sending the SSID as broadcast or not.
Also, if users connect and get their IP from DHCP, need to confirm how they are getting authenticated.
Regards
Mahesh
With respect to username you are correct.
But regarding authentication you cannot come to a conclusion like that; you have to see the full "show client detail". Here is an example of a PEAP-authenticated client. Authentication Algorithm "Open System" does not mean the user does not use a password. Any EAP method shows Authentication Algorithm as Open System, but the user still has to enter their credentials (except TLS, where it is certificate based).
(WLC) >show client detail 04:1e:64:13:f9:03
Client MAC Address............................... 04:1e:64:13:f9:03
Client Username ................................. smcowgill
AP MAC Address................................... c4:0a:cb:a0:e8:50
AP Name.......................................... APc464.13b4.4be8
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ c4:0a:cb:a0:e8:51
Connected For ................................... 7520 secs
Channel.......................................... 1
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 3284
802.1P Priority Tag.............................. 6
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,54.0
Mobility State................................... Foreign
Mobility Anchor IP Address....................... 10.14.7.247
Mobility Move Count.............................. 3
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. 0a0a06f400040f985228de2e
IPv4 ACL Name.................................... none
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Client Type...................................... SimpleIP
PMIPv6 State..................................... Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP -
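As an added example (not part of the reply above and not Cisco code), the following Python script parses the dot-leader format of the WLC "show client detail" output and applies the rule the reply states: decide how the client authenticated from the Authentication Key Management and EAP Type fields, not from the Authentication Algorithm line, which reads "Open System" for every WPA/WPA2 client. The PEAP sample is trimmed from the output quoted above; the PSK sample and its field values are constructed for illustration, and the classification labels are this script's own.

```python
import re

# Constructed sample, trimmed from the "show client detail" output quoted in the
# post above (field name, dot leaders, value). Test input, not live data.
PEAP_CLIENT = """\
Client MAC Address............................... 04:1e:64:13:f9:03
Client Username ................................. smcowgill
Client State..................................... Associated
Authentication Algorithm......................... Open System
Re-Authentication Timeout........................ 3284
Policy Manager State............................. RUN
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
EAP Type......................................... PEAP
"""

# Constructed counter-example (assumed field values, not captured from a WLC):
# the same "Open System" algorithm line, but key management is a pre-shared key.
PSK_CLIENT = """\
Client MAC Address............................... 00:11:22:33:44:55
Client State..................................... Associated
Authentication Algorithm......................... Open System
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
"""

# "Name....... value": the name is everything before the run of three or more dots.
FIELD_RE = re.compile(r"^(?P<name>.+?)\.{3,}\s*(?P<value>.*)$")


def parse_client_detail(text):
    """Turn one client's 'show client detail' output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value").strip()
    return fields


def classify_auth(fields):
    """Decide how the client actually authenticated.

    'Authentication Algorithm: Open System' is only the 802.11 association step
    and is the same for every WPA/WPA2 client; the credential type comes from
    'Authentication Key Management' and, for 802.1X, from 'EAP Type'.
    """
    akm = fields.get("Authentication Key Management", "").lower()
    eap = fields.get("EAP Type", "").strip()
    if "802.1x" in akm:
        method = "802.1X/" + (eap or "unknown EAP")
        # Only EAP-TLS authenticates with a client certificate; PEAP and the
        # other tunnelled methods carry a username/password inside the tunnel.
        credential = "certificate" if eap.upper() in ("TLS", "EAP-TLS") else "user credentials"
    elif "psk" in akm:
        method, credential = "WPA/WPA2-PSK", "shared passphrase"
    else:
        method, credential = "open/unknown", "none"
    reauth = fields.get("Re-Authentication Timeout")
    return {
        "method": method,
        "credential": credential,
        # Seconds until the WLC forces a fresh authentication; None if not shown.
        "reauth_seconds": int(reauth) if reauth and reauth.isdigit() else None,
    }


if __name__ == "__main__":
    for label, sample in (("PEAP", PEAP_CLIENT), ("PSK", PSK_CLIENT)):
        f = parse_client_detail(sample)
        print(label, "|", f["Authentication Algorithm"], "->", classify_auth(f))
```

Both samples print "Open System" for the algorithm line, but the classifier reports 802.1X/PEAP with user credentials for the first and WPA/WPA2-PSK for the second; that is the distinction the reply asks the reader to make from the full output rather than from one line.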
[Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
So... now we are trying Phonefactor.
Our VPN setup is RRAS on a Windows Server 2003 domain controller.
We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured Phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone call.
It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six-digit code typed into a reply on the cell phone... and unless we are really nimble, that is frequently not enough time!
When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
Things we have tried:
1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
2) On the Windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
3) On the Windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
4) In the Phonefactor configuration: Searching through the Radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
8) Try this registry hack: http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
Any ideas?
thanks!
Hi fdc2005,
Thanks for the post.
However, generally, we first type the user name and password, then click Connect to establish the VPN connection. Such as:
Therefore, I am a little confused about the timeout you mentioned. Would you please provide us with more details?
Regarding error 718, please check if the following could help:
If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
Steps to follow for resolution:
(1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
(2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
Quote from:
Troubleshooting Vista VPN problems.
Hope this helps.
Jeremy Wu
TechNet Community Support -
Hi, everyone
I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, when there is traffic between the client and host through the ASA after the user has authenticated, the cache timeout timer does not run; when the traffic ends, the cache timeout timer runs again.
But when I configure the ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
timeout uauth 0:05:00 absolute
I cannot change the timer to inactivity,
but I can change it to the following:
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
What is its meaning?
And can the user authentication timer be changed to inactivity?
Many thanks
Use the timeout uauth absolute & inactivity values locally.
Try the bug CSCsg52108
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629 -
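An added illustration of the difference the question turns on; this is a model written for this page, not ASA code. It parses the "timeout uauth" command lines shown above and then simulates the two timers: the absolute timer counts from the moment of authentication whatever the traffic, while the inactivity timer restarts on every packet, and the cached authentication ends when either fires. Treating a value with no keyword as absolute is an assumption to be checked against the command reference linked in the reply; the packet timings are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class UauthTimers:
    absolute: int = 0    # seconds after authentication, whatever the traffic; 0 = disabled
    inactivity: int = 0  # seconds since the last packet; 0 = disabled


def parse_timeout_uauth(line):
    """Parse 'timeout uauth hh:mm:ss [absolute|inactivity] [uauth hh:mm:ss ...]'.

    A value with no keyword is treated as absolute (assumption, see lead-in).
    """
    timers = UauthTimers()
    for hms, kind in re.findall(r"uauth\s+(\d+:\d{2}:\d{2})(?:\s+(absolute|inactivity))?", line):
        h, m, s = (int(x) for x in hms.split(":"))
        setattr(timers, kind or "absolute", h * 3600 + m * 60 + s)
    return timers


def _expiry(timers, auth_time, last_seen):
    """Earliest moment either timer fires; None when both are disabled."""
    deadlines = []
    if timers.absolute:
        deadlines.append(auth_time + timers.absolute)
    if timers.inactivity:
        deadlines.append(last_seen + timers.inactivity)
    return min(deadlines) if deadlines else None


def session_end(timers, auth_time, packet_times):
    """Time at which the cached authentication expires under this model.

    Packets restart the inactivity timer but never the absolute one; a packet
    that arrives after expiry finds no cached entry, so the user is re-prompted.
    """
    last_seen = auth_time
    for t in sorted(packet_times):
        expiry = _expiry(timers, auth_time, last_seen)
        if expiry is not None and t >= expiry:
            return expiry
        last_seen = t
    return _expiry(timers, auth_time, last_seen)


if __name__ == "__main__":
    both = parse_timeout_uauth("timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity")
    traffic = [100, 200, 290, 400]  # constructed: roughly one packet every 100 s
    print("absolute + inactivity:", session_end(both, 0, traffic))                        # 300
    print("inactivity only:      ", session_end(UauthTimers(inactivity=300), 0, traffic))  # 700
```

With both keywords set to five minutes, steady traffic keeps the inactivity timer from ever firing, yet the session still ends at 300 seconds because the absolute timer is unaffected by packets; with an inactivity value alone the same traffic pushes expiry out to 700 seconds, which is the behaviour the question describes wanting.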
What kind of timeouts present in SAP Portal?
Hi there,
I have a question. In the portal there are session timeouts. That's OK. But now I want to know what other kinds of timeouts are in the portal.
Can you help here?
Thanks
Bjoern
So I want to explain what I mean:
I know that the portal knows:
Session Timeout
Log-In Timeout
Authentication Timeout
So what other kinds of timeouts are there?
Thanks for your help!
Edited by: Bjoern Bayerschmidt on Dec 4, 2008 2:25 PM