Re: [WIRELESS-LAN] ISE errors 5440 for guests using eduroam

Tue, 15 Oct 2019 12:44:08 -0700 

I'm not sure that I can help you reduce this, but I might be able to
shed some light on the issue.

One common cause of such a situation would be that some IdP stops
responding to the eduroam-US servers (a timeout occurs). When that
happens our servers will mark the proxy server as dead for 60 seconds
(our dead time). During that 60 seconds our servers will not forward
anything else to the server and any ongoing authentications will end up
dying (often rejected as a No response in our log viewer for the SP).
This is because EAP requires each server to keep the state of the
authentication so failover cannot happen with EAP. The IdP will likely
see this as the error you mentioned because the client just disappeared.

The real solution to the problem is for IdPs to always respond to all
requests (including accounting!). A somewhat workable solution is to use
Status-Server requests for those with RADIUS servers that can support them.

                                             Chad Bauer

eduroam-US Team Member
PGP Key ID 0x5A20AE5E

On 10/10/19 12:17 PM, Christina Klam wrote:
> As many of you have mentioned, the following message is very common in 
> the ISE logs, "5440 Endpoint abandoned EAP session and started new." 
> Our logs are full of that message for an clients that eventually joins
> one second later.   I have noticed that it is far more common for guests
> using eduroam on our campus -- where their IDP is another university.   
>   Is there a setting we can make to improve or stop these messages?
> 
> Thank you,
> Christina Klam
> Network Engineer
> Institute for Advanced Study
> 1 Einstein Dr
> Princeton, NJ 08540
> +1 609-734-8154
> ck...@ias.edu
> 
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> 




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to