>> > After a year of pretty much rock solid behavior we’ve had two instances
>> > this week where EAP failed for some or all of the users on our WLC 5508
>
>In what way?

Clients just wouldn't connect. I didn't find anything in the WLC logs that helped me, but probably I just didn't understand what I was seeing. I did see one iPad that made the user accept the cert for our CA, Entrust, but that's about it.

>
>> > experiencing the problem, but the WebAuth SSID worked fine. The ACS logs
>> > showed “EAP session timed out.” The Windows NPS logs didn’t show any
>> > authentication failures.
>
>How many authentications per second? Is it busier than usual?
>

We're tiny, only 65 APs, currently about 300 users on EAP SSIDs and max 1500 authentications per hour. Let's see, 1500/3600 is about 0.4 ;-) This started sometime overnight, and our peak period is lunchtime.

>Could be a case of the WLC reusing RADIUS session IDs which will
>totally break stuff and is a known issue under high numbers of
>authentications.
>
>Cisco have gone some way to fix this issue in the latest 8.x, but
>as far as I'm concerned their RADIUS client design is overall
>still pretty bad.
>
>> > After a few hours it fixed itself. I tried a 5508 reboot in one of the
>> > instances, and it didn’t appear to help.
>
>So likely behaviour caused by some external factor, such as the
>above. But could be anything like eap timers not tuned well,
>wireless issues at the edge, etc. Or backend auth being slow.
>
>Cheers,
>
>Matthew

I'll try going to 8.0.121.0 this weekend since that's easy, and falling back is easy (usually, knock on wood.)

Thanks everyone!

John

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
