|
Home > Archive > Radius Server > September 2005 > Clients re-authenticate all the time
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Clients re-authenticate all the time
|
|
| Magnus Andreassen 2005-09-26, 6:02 pm |
| Hello,
am having problems with Wireless clients re-authenticating against ISA
Radius on W2K3s all the time
The AP's are cisco 1100.
I receive messages like this in the system log, and everytime
re-authenication happens, the connection i broken for a few seconds:
User xxx\xxx was granted access.
Fully-Qualified-User-Name = xxx\xxx
NAS-IP-Address = xxx
NAS-Identifier = 1100-AP2
Client-Friendly-Name = 1100-AP2
Client-IP-Address = xxx
Calling-Station-Identifier = 0012.f0b7.2ae4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1530
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow Wireless LAN Access
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
How can I correct this issue?
| |
| Magnus Andreassen 2005-09-26, 6:02 pm |
| Correction; I meant IAS offcourse.
I have tried increasing the timeout settings on the IAS profile, but with no
luck.
The cisco event log shows that "Previous authentication no longer valid"
Any suggestions would be appreciated!
"Magnus Andreassen" <magnus.andreassen@officeteam.no> skrev i melding
news:ePtd9UqwFHA.3644@TK2MSFTNGP11.phx.gbl...
> Hello,
>
> am having problems with Wireless clients re-authenticating against ISA
> Radius on W2K3s all the time
>
> The AP's are cisco 1100.
>
> I receive messages like this in the system log, and everytime
> re-authenication happens, the connection i broken for a few seconds:
>
> User xxx\xxx was granted access.
> Fully-Qualified-User-Name = xxx\xxx
> NAS-IP-Address = xxx
> NAS-Identifier = 1100-AP2
> Client-Friendly-Name = 1100-AP2
> Client-IP-Address = xxx
> Calling-Station-Identifier = 0012.f0b7.2ae4
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 1530
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Allow Wireless LAN Access
> Authentication-Type = PEAP
> EAP-Type = Secured password (EAP-MSCHAP v2)
>
> How can I correct this issue?
>
>
>
| |
| Manjunath Bharadwaj [MSFT] 2005-09-26, 6:02 pm |
| Some cisco APs have this re-auth bug. You may have some luck at the cisco
news groups.
Thanks, Manju
--
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights
"Magnus Andreassen" <magnus.andreassen@officeteam.no> wrote in message
news:%23Dlj5brwFHA.212@TK2MSFTNGP12.phx.gbl...
> Correction; I meant IAS offcourse.
>
> I have tried increasing the timeout settings on the IAS profile, but with
> no luck.
> The cisco event log shows that "Previous authentication no longer valid"
>
> Any suggestions would be appreciated!
>
>
>
> "Magnus Andreassen" <magnus.andreassen@officeteam.no> skrev i melding
> news:ePtd9UqwFHA.3644@TK2MSFTNGP11.phx.gbl...
>
>
| |
| Magnus Andreassen 2005-09-27, 5:55 pm |
| Thanks for your response,
I have not been able to find anything related to this problem.
The cisco 1100 AP's are all upgraded with the latest IOS.
The clients are still authenticating an awful lot, and they are even
bouncing between access points.
I've tried to shut down the radio interface on some access points, changed
the frequency and so on, but the authentication goes on and on.
Please help,
best regards
Magnus
"Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> skrev i melding
news:%239BPWrrwFHA.3692@TK2MSFTNGP11.phx.gbl...
> Some cisco APs have this re-auth bug. You may have some luck at the cisco
> news groups.
>
> Thanks, Manju
>
> --
> ++++++++++++++++++++++++++++++++++++++++
+++++++
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Magnus Andreassen" <magnus.andreassen@officeteam.no> wrote in message
> news:%23Dlj5brwFHA.212@TK2MSFTNGP12.phx.gbl...
>
>
| |
| Manjunath Bharadwaj [MSFT] 2005-09-27, 5:55 pm |
| Hello Magnus,
I posted your question internally at Microsoft and got the following 2
responses:
--------------------------
Changing the session-timeout might help
The default is 30 minutes, there's a setting in the AP configuration that
helps too. (re-keying time out if I remember correctly)
What kind of supplicant are they using? Microsoft or Cisco's (Aegis)?
---------------------------
This is most defiantly not an IAS problem and not likely an AP issue either.
Usually, when you have this issue its because the nics are actually
"bouncing" between APs. The reason is the nics have a roaming algorithm
that determines when they will roam. Unless the AP is kicking off the
clients (possible but unlikely), the most probably cause is the nics
themselves are roaming between APs.
As you know, the IAS servers are reactive. They are just doing what they
are told to do. The APs are also reactive in that they pass through the
RADIUS packets to the client. The nics on the other hand are the ones that
initiate the connection to the APs and maintain it.
I would recommend your customer upgrade his nic drivers.
---------------------------
Let me know if this helps, Thanks, Manju
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights
"Magnus Andreassen" <magnus.andreassen@officeteam.no> wrote in message
news:%234u0Az3wFHA.2656@TK2MSFTNGP09.phx.gbl...
> Thanks for your response,
> I have not been able to find anything related to this problem.
> The cisco 1100 AP's are all upgraded with the latest IOS.
> The clients are still authenticating an awful lot, and they are even
> bouncing between access points.
> I've tried to shut down the radio interface on some access points, changed
> the frequency and so on, but the authentication goes on and on.
>
> Please help,
> best regards
> Magnus
| |
| William Bain 2005-09-27, 5:55 pm |
| We had exactly the same issue but only with Intel 2100 and 2200 clients and
AP1100's. After many client driver updates we eventually fixed the issue.
Interestingly enough the update the fixed the problem listed a fix for
"aggressive client roaming".
What clients are you using?
"Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in message
news:expTxG6wFHA.460@TK2MSFTNGP15.phx.gbl...
> Hello Magnus,
> I posted your question internally at Microsoft and got the following 2
> responses:
>
> --------------------------
> Changing the session-timeout might help
> The default is 30 minutes, there's a setting in the AP configuration that
> helps too. (re-keying time out if I remember correctly)
> What kind of supplicant are they using? Microsoft or Cisco's (Aegis)?
> ---------------------------
> This is most defiantly not an IAS problem and not likely an AP issue
> either. Usually, when you have this issue its because the nics are
> actually "bouncing" between APs. The reason is the nics have a roaming
> algorithm that determines when they will roam. Unless the AP is kicking
> off the clients (possible but unlikely), the most probably cause is the
> nics themselves are roaming between APs.
> As you know, the IAS servers are reactive. They are just doing what they
> are told to do. The APs are also reactive in that they pass through the
> RADIUS packets to the client. The nics on the other hand are the ones
> that initiate the connection to the APs and maintain it.
> I would recommend your customer upgrade his nic drivers.
> ---------------------------
>
> Let me know if this helps, Thanks, Manju
> ++++++++++++++++++++++++++++++++++++++++
+++++++
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Magnus Andreassen" <magnus.andreassen@officeteam.no> wrote in message
> news:%234u0Az3wFHA.2656@TK2MSFTNGP09.phx.gbl...
>
>
| |
| Magnus Andreassen 2005-09-28, 7:57 am |
| Changing the Intel 2200 Wireless driver from ver. 9.0.1.9 to ver. 9.0.2.25
solved this problem!
I would like to thank you for your interrest and fast responses regarding
this case.
Best regards
Magnus
"William Bain" <williambain@nowhere.com> skrev i melding
news:Nyi_e.5422$iW5.2372@fe3.news.blueyonder.co.uk...
> We had exactly the same issue but only with Intel 2100 and 2200 clients
> and AP1100's. After many client driver updates we eventually fixed the
> issue. Interestingly enough the update the fixed the problem listed a fix
> for "aggressive client roaming".
>
> What clients are you using?
> "Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in
> message news:expTxG6wFHA.460@TK2MSFTNGP15.phx.gbl...
>
>
|
|
|
|
|