802.1x AAA Authentication timer
authentication timer {{[inactivity | reauthenticate]} {restart value}}
OR
dot1x timeout reauth-period {seconds | server}
Set the number of seconds between re-authentication attempts.
The authentication timer keywords have these meanings:
•inactivity—Interval in seconds after which the client is unauthorized if there has been no activity from it
•reauthenticate—Time in seconds after which an automatic re-authentication attempt is initiated
•restart value—Interval in seconds after which an attempt is made to authenticate an unauthorized port
The dot1x timeout reauth-period keywords have these meanings:
•seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.
•server—Sets the number of seconds based on the value of the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
====================================================================
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 5 (default=30sec)(eap/request/identity)
dot1x max-req 1 (default=2 request)(eap/request)
dot1x max-reauth-req 1 (default=2 eapreq/identity)
dot1x timeout supp-timeout 2 (default=30sec)(eap/request)
=========================================================
dot1x timeout quiet-period 5
used when there is no failover mechanism like MAB, webauth..
CLIENT<-------------------->SWITCH
<---------------1 eap-req/identity
authentication has failed
---------------->
quiet-period -1sec
quiet-period -1sec
quiet-period -1sec
quiet-period -1sec
quiet-period -1sec
<---------------1
=====================================================================
dot1x timeout server-timeout = NOT USED
switch<---------------------------------->radius server
switch<----------$%$%$%%%---------------->radius server
no response from server
default value is 0 >> never modify this command,
because retransmission to the server is good practice
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387334
=======================================================================
dot1x timeout tx-period 5 (default=30sec)(eapreq/identity)
CLIENT<-------------------->SWITCH
<---------------1 eap-req/identity
WAIT FOR 5SEC
<---------------2 eap-req/identity
WAIT FOR 5SEC
FD
<---------------GUEST VLAN
========================================================================
dot1x max-req 1 (default=2 request)(eap/request)
CLIENT<-------------------->SWITCH<-------------------------------------------->RADIUS SERVER
<-------------------1 eap-req/identity
eap/response--------------->access/req----------------------------------------->
<-------------------eap/request(30sec)<-----------------------------------access/challenge
ONLY ONE EAP/REQUEST IS SENT
========================================================================
dot1x max-reauth-req 1 (default=2 eapreq/identity)
CLIENT<-------------------->SWITCH
<---------------1 eap-req/identity
WAIT FOR 30SEC
<---------------GUEST VLAN
=======================================================================
dot1x timeout supp-timeout 2 (default=30sec)(eap/request)
CLIENT<-------------------->SWITCH<-------------------------------------------->RADIUS SERVER
<-------------------1 eap-req/identity
eap/response--------------->access/req----------------------------------------->
<-------------------eap/request(2sec)<-----------------------------------access/challenge
<--------------------eap/request(2sec)
========================================================================
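An added example, not part of the original post and not Cisco code: a small Python checker that parses the dot1x lines listed above and reports each value that differs from the defaults this page states, along with a `server-timeout` override and an out-of-range `reauth-period`. The names `audit_dot1x`, `PAGE_DEFAULTS`, `KNOWN` and the sample text are constructed for illustration.

```python
import re

# Defaults exactly as stated on this page (seconds, or counts for max-*).
PAGE_DEFAULTS = {"timeout tx-period": 30, "timeout supp-timeout": 30,
                 "timeout reauth-period": 3600, "max-req": 2, "max-reauth-req": 2}
KNOWN = set(PAGE_DEFAULTS) | {"timeout quiet-period", "timeout server-timeout"}
REAUTH_MIN, REAUTH_MAX = 1, 65535  # reauth-period range given on this page
LINE_RE = re.compile(r"^dot1x\s+((?:timeout\s+)?[a-z-]+)\s+(\S+)")

# Constructed sample: the listing from this page plus one reauth-period line.
SAMPLE = """\
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 5
dot1x max-req 1
dot1x max-reauth-req 1
dot1x timeout supp-timeout 2
dot1x timeout reauth-period server
"""

def audit_dot1x(config_text):
    """Return (settings, findings) for the dot1x timer lines in config_text."""
    settings, findings = {}, []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = " ".join(m.group(1).split()), m.group(2)
        if key not in KNOWN:
            continue  # e.g. 'dot1x pae authenticator' carries no timer
        if key == "timeout reauth-period" and value == "server":
            settings[key] = value
            findings.append(f"{key}: interval comes from RADIUS Session-Timeout (attribute 27)")
        elif not value.isdigit():
            findings.append(f"{key}: value {value!r} is not a number")
        else:
            settings[key] = num = int(value)
            if key == "timeout reauth-period" and not REAUTH_MIN <= num <= REAUTH_MAX:
                findings.append(f"{key}: {num} outside {REAUTH_MIN}-{REAUTH_MAX}")
            elif key == "timeout server-timeout":
                findings.append(f"{key}: set to {num}; this page says not to modify it")
            elif num != PAGE_DEFAULTS.get(key, num):
                findings.append(f"{key}: {num} (page default {PAGE_DEFAULTS[key]})")
    return settings, findings

if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE)[1]:
        print(finding)
```

quiet-period is reported in the settings but never flagged, because this page does not state its default.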
===============
 --------------         -------------
|              |       |             |
| TELEPRESENCE |-------|   IPPHONE   |--------------ACS SERVER
|    (PEAP)    |       |  (EAP-TLS)  |
 --------------         -------------