A certain site is experiencing frequent pop-up authentication windows on the portal.

2023-06-30 01:21:48 Published

Network Topology

On-site, the ACs are configured in an IRF and the authentication server is set up as primary and secondary using IMC.

Problem Description

On-site feedback shows that portal-authenticated users receive multiple pop-ups within a day. When faults occur, there are no portal entries for terminals on the AC, and the IMC displays that the reason for the last logout of the terminals is repeated authentication.

Process Analysis

When the fault occurs, there is no terminal entry on the Access Controller (AC). Normally, the AC deletes a terminal entry when the terminal actively goes offline or when the idle-cut time expires. In this case, however, the terminal has not clicked to log out, and its online time is less than the configured 30-minute idle-cut time, so both of these situations can be ruled out.

Next, the portal logout record feature is enabled with the command "portal logout-record enable." When the fault reoccurs, the command "display portal logout-record username + username" is used to check the reason for the terminal logout, which is "session timeout." For normal terminals, the session time is 86400 seconds, or 24 hours, which should be fine in theory. Further investigation confirms that the terminal receives a session time not only when authentication succeeds, but also when the billing is updated. Moreover, the online time of the terminals that drop abnormally is exactly an integer multiple of the billing cycle. Therefore, it is suspected that during the billing process, the server issued a session time of 0 for some reason, causing the AC to delete the portal entry.

The 3A (AAA) message statistics are checked with the command "display radius statistics," and they show cases where the server did not respond to a billing update message before the timeout. The site is configured with a primary and a secondary IMC. In theory, if the primary server does not respond, the AC sends the billing update to the secondary server. In reality, however, the secondary server has no online entry for this user. What happens in this case?

The IMC second-level support team confirmed that in the previous version, when the primary machine is switched to the backup machine, the previously online user is dropped, and after the disconnection the user is re-authenticated on the secondary machine. The online record then exists on the backup machine but not on the primary machine. When switching back to the primary machine (regardless of whether the primary machine previously held an online record), the user is dropped again.

Finally, by capturing packets, it is confirmed that there is indeed a switching situation. In this case, the server issues a billing update message with a session time of 0, which causes the terminal to disconnect.
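The packet check described above can be automated over captured RADIUS payloads. The following is an added example, not part of the original case: it assumes the session time is carried as the standard Session-Timeout attribute (type 27) in an Accounting-Response (code 5), and the sample packets are constructed, not taken from the site's capture.

```python
import struct

ACCOUNTING_RESPONSE = 5   # RADIUS packet code (RFC 2866)
SESSION_TIMEOUT = 27      # RADIUS attribute type (RFC 2865), assumed carrier

def parse_radius(datagram: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > len(datagram):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20          # skip the 16-byte authenticator
    while pos < length:
        if (pos + 2 > length or datagram[pos + 1] < 2
                or pos + datagram[pos + 1] > length):
            raise ValueError("bad attribute length")
        a_type, a_len = datagram[pos], datagram[pos + 1]
        attrs.append((a_type, datagram[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def zero_session_timeouts(datagrams):
    """Identifiers of Accounting-Responses carrying Session-Timeout = 0."""
    hits = []
    for d in datagrams:
        try:
            code, ident, attrs = parse_radius(d)
        except ValueError:
            continue             # not a well-formed RADIUS packet; skip it
        if code != ACCOUNTING_RESPONSE:
            continue
        for a_type, value in attrs:
            if a_type == SESSION_TIMEOUT and value == bytes(4):
                hits.append(ident)
    return hits

def build(code, ident, attrs):
    """Constructed sample packet (zeroed authenticator, not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

SAMPLES = [
    build(2, 1, [(27, struct.pack("!I", 86400))]),  # Access-Accept, 24 h
    build(5, 2, [(27, struct.pack("!I", 86400))]),  # billing reply, normal
    build(5, 3, [(27, struct.pack("!I", 0))]),      # billing reply, session time 0
    build(5, 4, []),                                # billing reply, no attributes
    b"\x05\x05\x00",                                # truncated datagram
]
```

Calling `zero_session_timeouts(SAMPLES)` returns the identifiers of the responses to correlate with the users whose portal entries were deleted.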

Solution

Packets were being lost on port 1813 between the AC and the IMC at the site. After troubleshooting the link, the problem was resolved.
