If you are facing the issue that in the log you find:
%DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:449 Invalid replay counter from client
There could be 3 potentials causes of this issue:
Increase the EAPOL-Key Timeout on the AP to 3000 ms by running the following command:
#config advanced eap eapol-key-timeout 3000
The default timeout is 1000 ms (1second), that is not enough for certains user's equipments.
If the problem is not solved, try to upgrade the supplicant software.
When you are troubleshooting the issue regarding 802.1x authentication, it is possible that you must manipulate some EAP timers, among witch:
EAP-Identity-Request Max Retries
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Max Retries
So more details: