If you find the following message in the log:

%DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client


Potential causes:

There are 3 potential causes of this issue:


  • The client supplicant is not up to date
  • The WLC software is not up to date
  • The supplicant takes a long time to respond to EAP messages.




Increase the EAPOL-Key Timeout on the AP to 3000 ms by running the following command:


#config advanced eap eapol-key-timeout 3000


The default timeout is 1000 ms (1 second), which is not enough for some users' equipment.

If the problem is not solved, try to upgrade the supplicant software.
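
Why a slow supplicant produces this message, and why a longer timeout removes it, shown as an added Python model (not Cisco code and not part of the original note). It assumes the authenticator increments the replay counter on every EAPOL-Key retransmission and accepts only a reply echoing the newest counter; `simulate_handshake`, the 1500 ms supplicant delay and the 2 retries are hypothetical illustration values.

```python
def simulate_handshake(timeout_ms, supplicant_delay_ms, max_retries=2):
    """Model the M1/M2 step of the 4-way handshake.

    Returns (succeeded, log). The log lines are model output,
    not real controller output.
    """
    # The authenticator sends M1 at t=0 and retransmits on every timeout.
    send_times = [i * timeout_ms for i in range(max_retries + 1)]
    give_up_at = (max_retries + 1) * timeout_ms
    log = []
    for i, sent in enumerate(send_times):
        echoed = i + 1  # replay counter carried by this M1 and echoed in M2
        arrival = sent + supplicant_delay_ms
        if arrival >= give_up_at:
            break  # reply would arrive after the authenticator gave up
        # Counter of the most recent M1 sent at or before the reply arrives.
        expected = sum(1 for s in send_times if s <= arrival)
        if echoed == expected:
            log.append(f"t={arrival}ms M2 replay_ctr={echoed} accepted")
            return True, log
        log.append(
            f"t={arrival}ms invalid replay counter "
            f"(got {echoed}, expected {expected})"
        )
    log.append(f"t={give_up_at}ms retries exhausted, handshake abandoned")
    return False, log


if __name__ == "__main__":
    # Constructed scenario: a supplicant that needs 1500 ms to answer.
    for timeout in (1000, 3000):
        ok, lines = simulate_handshake(timeout, supplicant_delay_ms=1500)
        print(f"eapol-key-timeout={timeout} ms -> success={ok}")
        for line in lines:
            print("   ", line)
```

With the 1000 ms default every reply answers an M1 that has already been superseded, so each one is rejected; at 3000 ms the first reply arrives before any retransmission.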


When troubleshooting 802.1x authentication issues, you may need to adjust some EAP timers, among which:


EAP-Identity-Request Timeout
EAP-Identity-Request Max Retries
EAP-Request Timeout (seconds)
EAP-Request Max Retries
*EAPOL-Key Timeout
EAPOL-Key Max Retries


More details: