Cisco AAA/Identity/Nac :: 5411 EAP Session Timeout With ACS In WAN

Jan 19, 2012

We're having trouble trying to deploy 802.1x authentication on a brand new site.
Our primary and secondary ACS are located in Paris and the new site is located in Toulouse, France. Both sites are connected through the WAN. Every time a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.


Cisco AAA/Identity/Nac :: ACS 5411 - EAP Session Timed Out

May 25, 2012

I am using ACS 5.3 for certificate-based authentication for LAN workstations. A few times now I have received this message from ACS: 5411 EAP session timed out : EAP session timed out?


Cisco AAA/Identity/Nac :: ACS 5.3 - 5411 EAP Session Timed Out

Sep 3, 2012

I've got ACS currently authenticating wireless users - using EAP-MSCHAPv2.  There are a large number of failures being reported as:


Cisco AAA/Identity/Nac :: 2347 - Update Is Not Active Terminal Session-Timeout

Aug 15, 2011

Our company has installed ACS Version: 5.1.0.44.6 Internal Build ID: B.2347 with patches: 5-1-0-44-5, 5-1-0-44-6. The security policy of our company includes a password change every 3 months. Our programmers wrote a script that allows us to do it. Testing revealed that the script does not work. This is due to the fact that it is not possible to enter the mode "acs-config". In determining the reasons, it was found that there is a limit on sessions (6 sessions) for entering this mode. When the number of connections becomes larger than 6, the script does not work. The documentation says that the update is not active sessions is set with terminal session-timeout. In this case, the terminal session-timeout is 30. But after 30 minutes the session remains active. This interferes with our script.


Cisco :: EAP-FAST With ACS 5.3 And WiSM - 5411 EAP Session Timed Out

Dec 13, 2011

In our setup we have WiSM modules installed on a Cisco 6506-E and an ACS 5.3 virtual appliance. We are trying to implement EAP-FAST for our wireless using WPA/WPA2 802.1x on the WLC side.
 
I have followed the instructions in the following document step-by-step: [URL]
 
Still I have no success. Tried most of the permutations on ACS EAP-FAST configuration.


Cisco Firewall :: ASA 5520 RDP Session Timeout?

Jun 4, 2012

I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up an RDP-based connection, for monitoring purposes, for most of the day, but their RDP connection keeps getting disconnected after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glaring differences in the configuration that would cause the RDP sessions either to stay up or to be disconnected after an inactivity type scenario.
 
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.


Cisco :: 2106 WLC And Freeradius Session-timeout

Jun 20, 2011

We are trying to configure our 2106 wireless LAN controller to expire wireless users' sessions so the user is not remembered indefinitely. We are using freeradius to validate the users' login information and passing back a "session-timeout" avpair, but the WLC seems to be ignoring this value.
 
How to configure the session expiration time of wireless users on a 2106?


D-Link DIR-825 :: Internet Session TCP Timeout So Low - 120 Seconds?

Mar 1, 2013

I have a DIR-825 with 2.60VT firmware (rented from Videotron).

Even though the manual says the stateful firewall should have a timeout on connections of 240 seconds or 7800 seconds, all of my connections start at a mere 120 seconds. I'm having trouble with IMAP IDLE pushing e-mails because the connections time out so quickly (before any stay alive can be sent). A connection to the e-mail server gets opened on 143 (Videotron) or 993 (encrypted - google, e.g.), and I see the connection on the Internet Sessions page, the timeout starts at 120. When it hits 0, the connection is no longer displayed (it is not renewed), and the IMAP IDLE ****s out because the server can't find the client (i.e. the connection has been closed). But it's not just on those ports or servers. ALL of my TCP sessions begin at a mere 120 seconds! Even for a home router, isn't this way too low?

confirm that their DIR-825, on the Internet Sessions page, shows initial timeout values of greater than 120 for a TCP connection? I would love to see a picture of that screen showing higher values. Does it start at 240? Do you ever see a connection start at a timeout of 7800?

I see no way of changing the timeout value. Is it possible to force connections on certain ports to begin at a higher timeout value?


Cisco VPN :: ASA 5520 - Notification Prior To Session Timeout?

Sep 1, 2011

Per PCI & company policy all VPN users have a 12 hour session limit. They will be disconnected after 12 hours regardless of use. Is there any way to send a message prior to the 12 hour limit to warn the users that they will be disconnected in x minutes? I'm running SSL VPN on an ASA 5520 ver 8.4(1).


Cisco :: Admin Session Timeout On 1252 Autonomous

Oct 11, 2011

Is there any way to change a setting which causes a user logged in to the web browser interface (or connected via ssh) to have to re-authenticate? I'm getting annoyed by being disconnected from the AP and having to re-authenticate.


Cisco :: 4400 - Command To Prevent Timeout Of WLC Telnet Session

Nov 3, 2011

What is the command to prevent a telnet session to the 4400 controller from timing out?


Cisco :: WLC 5508 External Web Authentication Mismatch With Session Timeout?

Aug 27, 2012

For guest clients, we have configured a guest VLAN and applied external web authentication on the WLC 5508; the session timeout value is 2700 seconds. When a client opens a browser to an internet page, the WLC will redirect to the URL and the client gets the login page. After completing the login, he can go to the internet page.

We find that iPhone and iPad clients will get the login page again after ~5 mins, which is a mismatch with the session timeout value of 2700 sec (45 mins).


Cisco Switches :: Management HTTPS Session To SF200-24 Suddenly Timeout

May 6, 2013

What would be causing my management HTTPS session to a SF200-24 to suddenly time out? I receive "The session has been timed out. You may log in again" a few mins after logging in to the switch. Sometimes it happens within 45 seconds, other times after 3 mins; the timeouts are not consistent. And I was not idle when it timed out. My HTTPS idle timeout is set for 10 mins.

I had a continuous PING going to the management IP, and it did not drop any pings when the session timed out. Interface stats are also clean. I tried IE, Firefox and Chrome, and all are timing out.

I've changed the HTTP default idle timeout from 1 to 10 and my HTTPS stopped timing out. Management Access Authentication is clearly set for HTTPS, and the idle timeout for HTTPS was set for 10 mins since install. Yet adjusting the HTTP idle timeout cleared the issue.


Cisco Switches :: SG300-20 - Radius Idle And Session Timeout Does Not Work

Jan 25, 2012

I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except, that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).
 
The setup is the following: I have a no-name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout do not work.

Another way I could resolve this problem is by explicitly asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that, I can do however a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as expected: the switch uses the stored mac address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would work for me also if I could just remove an authenticated user from a port, but I did not find a command to do that.

As a last resort I can simply shut down the port, bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all must reauthenticate. But it causes a network outage for a couple of seconds for all users on that port, on a busy access point it is quite disturbing, and it is not an elegant way to do this.
 
So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?
 
I enclose the relevant part of the running config.

interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit

[code]....


Cisco Security :: ASA5510 - Single Timeout Drops Remote-Desktop Session

Oct 19, 2012

Just recently we replaced our HQ Cisco-Pix with a Cisco-ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN. Since putting this new ASA5510 at HQ, while we have a Remote-Desktop session into our branch clients, when even a single TIMEOUT occurs on the VPN link the Remote-Desktop session gets completely lost, and then we have to reconnect the session. This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA5510? With the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.


Cisco Wireless :: AIR-CT5508-K9 - AP01 Connection Bounce Due To WLAN Session Timeout

Jul 30, 2012

When a client connects to a specific AP (example AP01), after every 1800 sec of uptime it will reconnect and join another AP (example AP02). The two APs are physically installed around 6 meters from each other. I conducted the testing sitting in the middle between these two APs.

01. If I disable the session timeout feature, or set the seconds to a higher value, what's the performance and security impact? Is it recommended to change the default 1800 seconds session timeout?

02. Is there any way I can tweak the WLC controller to prevent the client from associating with another AP after session timeout? This will have a major performance impact, as the client would possibly connect to the weak-signal AP, which affects performance.

These are the details for reference:

Client detail

- Dell DW1520 wireless-N WLAN card, with firmware version 5.100.235.12
- CCX version 4 supported
- Layer 2 security is WPA2 personal with PSK.
- wireless radio an
 
Controller detail:
model is AIR-CT5508-K9
software version is 7.2.110.0


Cisco AAA/Identity/Nac :: ACS 5.2 VM - Authentication Timeout

Sep 7, 2011

I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate OK, but others will time out. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server, but the server sends no reply to the device.


Cisco AAA/Identity/Nac :: ACS 5.3 MAR Timeout With Windows XP?

Sep 9, 2012

My current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums, some of them might be incorrect.

In the ACS under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions”. If it is checked and the Aging time is set to 8 hours and a Windows XP machine authenticates using its Domain credentials, it will gain access to the network, but if that computer is not rebooted after the 8 hours is up, Windows XP will not send its machine credentials again, it will only send the user/pass of the user and will lose access to the network. The problem we have is that most of the users do not shut down their computers when they go home, they hibernate the computers, thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send its domain credentials again, but from every forum I have read on, Windows XP will not send them again until it gets rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the meantime I have changed the aging time to 8760 hours, but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward, what are my options to make this work properly?
   
-Is there a way to fix  Windows XP?
 
-Is there a recommendation on how to bypass this issue but still give us decent  security?
 
-Is setting the aging time so high, a non security issue?
 
-I guess worst case  scenario, the customer can try to educate all the students and staff to reboot  their machines every morning?


Cisco AAA/Identity/Nac :: Session Duration On ACS 5.1?

Aug 15, 2011

IPSEC VPN users are using ACS for extended authentication. Whenever authentication is made, entries are available on ACS. Now I need the session duration info on ACS, meaning the total time during which the user was active should be available.

I have enabled accounting globally on the ASA firewall through aaa accounting enable console ACS and also enabled accounting in the tunnel-group itself, which the user is using.

On ACS 5.1, I could not find any option / TAB that can give some information on the session duration.


AAA/Identity/Nac :: ACS V5.3 Timeout For Connection Is Not Working?

Feb 14, 2012

I'm trying to configure a timeout for network connection, but when it is supposed to disconnect the client, it's not working. Is it possible to do this?

It only works when the client is connecting and is denied if the time is not valid. But how could I do this if the client is already connected, enable re-authentication?


Cisco AAA/Identity/Nac :: ISE 1.1.3.124 / Machine And User Authentication / MAR / Timeout?

Apr 12, 2013

I am using ISE 1.1.3.124. My first question: I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (Machine Access Restriction in advanced setting for AD). Is it the same or not? Once you time out, you need to do machine auth again. What is the timer? Using the attribute "WasMachineAuthenticated", is it the same timer that you configure in MAR? In a distributed environment, is the information about a previously authenticated machine replicated to all policy nodes? Because, if a switch has 2 radius-servers, we are not sure that it will point every time to the same server.


Cisco AAA/Identity/Nac :: ACS 1120 Running 5.0.0.21 RADIUS Timeout With WLC 7.0?

Aug 29, 2011

I am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS requests from a Cisco WLC 5508 appliance running version 7.0.116.0. These devices have open communication on all ports - no firewalls or ACLs. They have successful ping communication. The following statements illustrate some but not all of the debugging I have done to ensure each device functions as it should in isolation. Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS: this works and the WLC gets a RADIUS response from my makeshift server. Using a simple Windows EAP client to query the ACS using the RADIUS protocol: this works and the ACS processes the RADIUS request and sends a response. Placed a Wireshark client on the network to inspect the timeout: Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS. At the moment I have the WLC accepting the association from the wireless client and sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS; the WLC receives no response, generates a timeout message and disassociates from the client. Note this is not a reject or similar message, the ACS simply does not even process the packet, i.e. there is absolutely nothing in the ACS logs to suggest it even received a RADIUS packet from the WLC. In summary, the WLC and the ACS successfully function independently but they do not communicate via RADIUS.


Cisco AAA/Identity/Nac :: 2960 - 802.1x EAP-TLS With NPS / W2008 Authentication Result Timeout

Jun 21, 2012

[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
 
The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
 
[The question]
What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe authentication timeouts? Of course the supplicant after 20 minutes /next EAPOL start frame/ is put into VLAN 34.

[Code] ........


Cisco AAA/Identity/Nac :: 750-1000 Devices / Maximum Accounting Session ACS 4.2 Can Handle

Aug 7, 2011

We have Cisco ACS 4.2 in our network and the accounting is done for 750-1000 devices and only for level priv-15. I want to enable accounting for all levels from priv-1 to 15, so that all commands executed on devices are sent to ACS. Can the ACS handle that many sessions from that many devices? I am also planning to configure the ACS remote agent to store all the accounting history.


Cisco AAA/Identity/Nac :: Upgrade ACS 4.1 To 4.2 - Authen Session Timed Out / Challenge Not Provided By Client

Jun 17, 2010

I have upgraded Cisco ACS from 4.1 to 4.2. I have a Cisco Access Control 1113 appliance. As soon as I upgraded, I started getting this error in the failed logs: "Authen session timed out: Challenge not provided by client". What is wrong with this?


Cisco Firewall :: ASA 8.2(5) - Uauth Absolute Timeout Disabled And Inactivity Timeout Set To 48 Hour

Nov 26, 2012

ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
 
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
 
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
 
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds


Cisco :: ARP Database Timeout?

Aug 16, 2012

How do I, if I even can, adjust the MAC table timeout from 5 minutes to whatever is bigger and allowable?

I would also like to change the ARP table timeout.


Cisco WAN :: 857 W - First Ping Timeout

Jan 16, 2011

I know there has already been a couple of threads on this but rather than add my question to the bottom of one of those I thought I would try afresh.
 
We have an 857W connected to the internet via ADSL. All works very well, however if I ping from an attached PC the first one always times out. If I ping from the router (ping { URL}source 192.168.18.1) I get !!!!! every time. Back to the PC and 'Request timed out' on the first.
 
The only way I have been able to resolve this is by using no ip cef. It then works as expected, first ping and all. The problem is after much reading, it is not ideal to disable cef.


D-Link DIR-825 :: Set NAT Timeout On It?

Apr 19, 2011

I have a D-Link DIR-825.B1, which I've recently updated to the 2.04EU firmware. The update fixed some IPv6 problems I've had, but introduced an IPv4 problem instead: TCP NATs have a ridiculously low timeout of 60 seconds, which makes the router useless for most protocols. How do I set the NAT timeout for TCP connections?


Cisco Firewall :: ASA 8.4(3) Timeout Configuration

Oct 3, 2012

I would like to know something more accurately about idle timeout configuration. In particular, why is it impossible to set "half-closed connections" to a value lower than 5 minutes, not even through a policy-map? In my particular scenario, my ASA is used to NAT mobile phone traffic, so it should be advisable to use less than 5 minutes.
 
In my configuration I've set the timers as follows:
 
timeout xlate 0:15:00
timeout pat-xlate 0:00:30
timeout conn 0:14:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02

[Code].....


Cisco :: 5508 Web Authentication Timeout?

Aug 1, 2011

If any authenticated user uses a protocol other than (http, https) within the timeout period, that user is deauthenticated.


Cisco Firewall :: ASA 8.4.1 SSH Timeout Vulnerability?

Feb 20, 2013

Faced this recent vulnerability?

[URL]
 
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability where, when opening many ssh sessions, if one of them times out, the firewall crashes!

As we have many customers with ASA using 8.2.5(26) (for example), I'd like a confirmation that for fixing that bug I need to upgrade my ASA image to at least 8.4.x. In that case, I believe that all the former firewall configuration must be reviewed because the 8.2.x version has many different commands than 8.4.x (for example, NAT).


Cisco :: EAP Timeout On 2504 Controller

Oct 16, 2011

I have deployed a 2504 controller with EAP-TLS however we are receiving the following errors where it appears the EAP response timeout from the client is expiring and not receiving a reply, this is happening with all clients.
 
We have three SSIDs, one with EAP-FAST working perfectly, and a third with WPA2-AES; it is only this where we are seeing the response appear to expire. Running code 7.0.116.0 on a WLC2504. RADIUS shared secrets all OK.
 
*Dot1x_NW_MsgTask_5: Oct 17 11:16:16.207: 00:19:7e:c3:ab:35 Sending EAP Request from AAA to mobile 00:19:7e:c3:ab:35 (EAP Id 224)
*osapiBsnTimer: Oct 17 11:16:46.036: 00:19:7e:c3:ab:35 802.1x 'timeoutEvt' Timer expired for station 00:19:7e:c3:ab:35 and for message = M0
*dot1xMsgTask: Oct 17 11:16:46.037: 00:19:7e:c3:ab:35 Retransmit 1 of EAP-Request (length 14) for mobile 00:19:7e:c3:ab:35
*osapiBsnTimer: Oct 17 11:17:16.036:
[Code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved