https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28946#M137 Hello Umut, Thanks for your quick reply. I suppose the source code abstract is from the EWC software. Are other non-standard Acct-Terminate-Cause values available somewhere (as this can be useful for any further troubleshooting). Can you also clarify when this CHANGED_WLAN_SERVICE condition is raised? Is this when the user changes IP address? The VNS associated with the SSID where the problem arises uses the same role for Non-Authenticated and Authenticated users. In the logs and the RADIUS accounting, I see that for the short sessions may have or not have a valid associated IP address (some have 0.0.0.0 or an IP in the link-local range). The network where the SSID is deployed is known to have a slow DHCP server (IP address attribution can take several seconds). For the IP range associated to the SSID, lease has been set to a long value (1 week) as this is supposed to help troubleshooting. Would the option "Defer sending the accounting start request until the client's IP address is known." in the "VNS" / "Global" / "Authentication" / "Advanced" section help? If not, I will make a request for the DHCP lease to be reduces (then is a value of a few hours suitable?). Regards, Wed, 17 May 2017 14:45:00 GMT gherbiet 2017-05-17T14:45:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28944#M135 Hello community,<BR /> <BR /> I have set up an EAP-PEAP 802.1X SSID in bridge at EWC topology on a cluster of C5210 running 09.21.16.0013 (as we need to support a couple of 3600 series APs). I have seen a couple of changes in 9.21.17.0006 related to RADIUS but I don't think it is related to the problem I am facing.<BR /> <BR /> The RADIUS authentication is performed by a FreeRADIUS server (version 2.2.5, installed from packages on a Debian "Jessie" 8.8).<BR /> <BR /> I have noticed that a lot of users are experiencing very short sessions (in the order of 0 to a few seconds) that terminate with an Accounting-Stop message with the Acct-Terminate-Cause attribute set to "105". When the end-devices have stored the network credentials then authentication reoccurs. However, when this is not the case they are just disconnected from the network and do not reconnect.<BR /> <BR /> On the controller side, the relevant options are:<BR /> <BR /> In "VNS" / "Global" / "Authentication" / "RADIUS Servers" / "RADIUS Settings" (click on the RADIUS Alias in the Servers table:<BR /> - Interim Accounting Interval: 5 (minutes)<BR /> - Send Interim Accounting Records for: Fast Failover Events: checked<BR /> <BR /> On the same page, on the "Advanced" window, "RADIUS Accounting" is checked as well.<BR /> <BR /> Finally under "VNS" / "WLAN Services" / "<NAMEOFMYWLAN>" / "Auth &amp; Acct", in the "Radius TLVs" (that shall spell "RADIUS TLVs" btw), all VSAs are checked, "Replace Called Station ID with Zone name in RADIUS Requests" is unchecked.<BR /> <BR /> On the RADIUS server side, the relevant attributes associated to users that face this issue are as follows:<BR /> - Idle-Timeout := 600<BR /> <BR /> I use the same RADIUS server with Wi-Fi network from other vendors and I did not face this issue.<BR /> <BR /> Do you have an idea of what might cause the controller to prematurely stop the RADIUS session, especially with this this Acct-Terminate-Cause value (that is not documented in RFC 2866) ?</NAMEOFMYWLAN> Wed, 17 May 2017 13:24:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28944#M135 gherbiet 2017-05-17T13:24:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28945#M136 Hi,<BR /> <BR /> the meaning of this should be<BR /> <BR /> Acct-Terminate-Cause attribute set to "105".<BR /> <BR /> --&gt; #define CHANGED_WLAN_SERVICE 105<BR /> <BR /> Look if the user get IP in the new SSID?<BR /> <BR /> Decrease the leased time on DHCP Server?<BR /> <BR /> <BR /> Regards<BR /> Umut<BR /> <BR /> Wed, 17 May 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28945#M136 Umut_Aydin 2017-05-17T14:22:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28946#M137 Hello Umut, Thanks for your quick reply. I suppose the source code abstract is from the EWC software. Are other non-standard Acct-Terminate-Cause values available somewhere (as this can be useful for any further troubleshooting). Can you also clarify when this CHANGED_WLAN_SERVICE condition is raised? Is this when the user changes IP address? The VNS associated with the SSID where the problem arises uses the same role for Non-Authenticated and Authenticated users. In the logs and the RADIUS accounting, I see that for the short sessions may have or not have a valid associated IP address (some have 0.0.0.0 or an IP in the link-local range). The network where the SSID is deployed is known to have a slow DHCP server (IP address attribution can take several seconds). For the IP range associated to the SSID, lease has been set to a long value (1 week) as this is supposed to help troubleshooting. Would the option "Defer sending the accounting start request until the client's IP address is known." in the "VNS" / "Global" / "Authentication" / "Advanced" section help? If not, I will make a request for the DHCP lease to be reduces (then is a value of a few hours suitable?). Regards, Wed, 17 May 2017 14:45:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28946#M137 gherbiet 2017-05-17T14:45:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28947#M138 Hi Guillaume-Jean,<BR /> <BR /> this happens CHANGED_WLAN_SERVICE if the user need or should change his SSID/TOPOLOYG(VLAN) after succesfully authentication.<BR /> Since he stuck in the old SSID IP world the client doesn't renew his IP.<BR /> Therefore if you wanted change the WLAN ( to other SSID ) then you need lower the DHCP lease time so that the Client ask faster for his new IP .<BR /> <BR /> This point provides improvements.<BR /> <BR /> 1.Change unauthenticated behavior to "Discard Unauthenticated Traffic" in the non-auth policy. <BR /> 2.Super low lease timer in the start off topology.<BR /> 3.Under the MAC Authorization Config, checking the option "RADIUS Accounting begins after MAC-based authorization completes". <BR /> <BR /> Regards<BR /> <BR /> Umut<BR /> <BR /> Thu, 18 May 2017 13:52:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/identify-short-802-1x-eap-peap-sessions-with-acct-terminate/m-p/28947#M138 Umut_Aydin 2017-05-18T13:52:00Z