Hello community,
I have set up an EAP-PEAP 802.1X SSID in bridge at EWC topology on a cluster of C5210 running 09.21.16.0013 (as we need to support a couple of 3600 series APs). I have seen a couple of changes in 9.21.17.0006 related to RADIUS but I don't think it is related to the problem I am facing.
The RADIUS authentication is performed by a FreeRADIUS server (version 2.2.5, installed from packages on a Debian "Jessie" 8.8).
I have noticed that a lot of users are experiencing very short sessions (in the order of 0 to a few seconds) that terminate with an Accounting-Stop message with the Acct-Terminate-Cause attribute set to "105". When the end-devices have stored the network credentials then authentication reoccurs. However, when this is not the case they are just disconnected from the network and do not reconnect.
On the controller side, the relevant options are:
In "VNS" / "Global" / "Authentication" / "RADIUS Servers" / "RADIUS Settings" (click on the RADIUS Alias in the Servers table:
- Interim Accounting Interval: 5 (minutes)
- Send Interim Accounting Records for: Fast Failover Events: checked
On the same page, on the "Advanced" window, "RADIUS Accounting" is checked as well.
Finally under "VNS" / "WLAN Services" / "" / "Auth & Acct", in the "Radius TLVs" (that shall spell "RADIUS TLVs" btw), all VSAs are checked, "Replace Called Station ID with Zone name in RADIUS Requests" is unchecked.
On the RADIUS server side, the relevant attributes associated to users that face this issue are as follows:
- Idle-Timeout := 600
I use the same RADIUS server with Wi-Fi network from other vendors and I did not face this issue.
Do you have an idea of what might cause the controller to prematurely stop the RADIUS session, especially with this this Acct-Terminate-Cause value (that is not documented in RFC 2866) ?