Explanation: This error can mean slightly different things depending on the EAP method. Basically, it is a side effect of an EAP method with identity protection.
EAP authentication is done in two phases. The first phase of authentication uses a generic anonymous external identity in order to establish the tunnel. In phase 2, client authentication is done inside the established tunnel: the client sends the original username and password to authenticate and establish a client authorization policy. Because this authentication method hides the original username during the first phase of authentication, the controller has no way to add the correct username to the authenticated user list, so it uses the anonymous username instead. The end result is this error.
Further details on the related bug below:
%APF-1-USER_DEL_FAILED: apf_ms.c:5055 flooding msglogs.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz51403
Symptom:
The "%APF-1-USER_DEL_FAILED: apf_ms.c:5055" message floods msglogs
Conditions:
1. Multiple clients connect to the controller with the same user name, or
2. AAA server returns a user name that is different to what is registered by the client.
Workaround:
No, but it does not affect any controller feature
1st Found-In
Fixed-In
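The following is an added example, not code from the controller or from the original post: a simplified Python model of the two conditions listed in the bug. The `UserList` class, the one-entry-per-username table, the MAC addresses and the usernames are all assumptions made for illustration.

```python
# Simplified model (assumption): the authenticated-user list is a table
# keyed by username with one entry per name. Not the controller's code.

class UserList:
    def __init__(self):
        self.entries = {}  # username -> MAC of the client that registered it
        self.log = []      # messages emitted by this model

    def add(self, username, mac):
        # A second client using the same name does not get its own entry.
        self.entries.setdefault(username, mac)

    def delete(self, username, mac):
        if self.entries.get(username) == mac:
            del self.entries[username]
            return True
        self.log.append(f"USER_DEL_FAILED user={username} client={mac}")
        return False


def same_name_scenario():
    """Condition 1: two clients are registered under the same username."""
    users = UserList()
    macs = ["00:00:5e:00:53:01", "00:00:5e:00:53:02"]  # constructed values
    for mac in macs:
        users.add("anonymous", mac)  # phase 1 exposes only the outer identity
    results = [users.delete("anonymous", mac) for mac in macs]
    return results, users.log


def aaa_mismatch_scenario():
    """Condition 2: AAA returns a name other than the one registered."""
    users = UserList()
    mac = "00:00:5e:00:53:03"        # constructed value
    users.add("anonymous", mac)      # name registered at phase 1
    ok = users.delete("alice", mac)  # name returned by the AAA server
    return ok, users.log


def unique_name_scenario():
    """Control case: the same unique name is used at add and at delete."""
    users = UserList()
    users.add("bob", "00:00:5e:00:53:04")
    return users.delete("bob", "00:00:5e:00:53:04"), users.log
```

In this model, only the control case deletes cleanly; both bug conditions leave a delete that cannot find its entry, which is the situation the log message reports.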