Authentication event no-response problem

AndiMorris
Level 1

I'm trying to set up a switch so that it will send a non-dot1x supplicant to a guest VLAN so that they can retrieve and install the dot1x configuration files. Then once they reauthenticate they get authorised by our NAC system, which works via FreeRADIUS.

All this works with no problems, but I'm finding that the no-response event kicks in a little too quickly and my registered supplicants are being put into this vlan whenever they boot up.  If I remove this line from the config they get put into the production vlan via the NAC with no problems.

The switchport config is:

switchport mode access
authentication event no-response action authorize vlan 704
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 60
spanning-tree portfast

As you can see, I have cranked up the supp-timeout to 60 seconds to see if this helps resolve the issue. However, it hasn't; the supplicant gets put into VLAN 704 almost immediately after boot-up. If I remove the no-response line, the client gets put into the production VLAN straight away.

Can anyone help please?

2 Replies

Stewie
Level 1

Andi,

Did you ever find a solution to this issue? One of our overseas offices is experiencing the same problem on an older switch there. 

Please test the following:
#dot1x timeout tx-period 7
#dot1x max-reauth-req 3
Once the link comes up the switch sends an EAP Request-Identity frame. It will wait to send the next one via what is defined by timeout tx-period. The max-reauth-req says how many times it will resend the request-identity frames. HTH!
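
The timing described in the reply above, worked through for the port config in the question and for the suggested values. This is an added example, not part of the thread or of any Cisco tool. The function names are hypothetical, and the defaults (tx-period 30, max-reauth-req 2) and the 20-second supplicant start-up delay are assumptions to verify against your platform and clients.

```python
import re

# Assumed defaults when a line is absent from the port config; verify per platform.
DEFAULTS = {"tx-period": 30, "max-reauth-req": 2}

# Timer lines from the question's switchport config (the rest is omitted).
PAGE_PORT_CONFIG = """\
authentication event no-response action authorize vlan 704
dot1x timeout tx-period 3
dot1x timeout supp-timeout 60
"""
# The same port with the two lines suggested in the reply applied on top.
SUGGESTED_CONFIG = PAGE_PORT_CONFIG + "dot1x timeout tx-period 7\ndot1x max-reauth-req 3\n"

TIMER_RE = re.compile(r"\s*dot1x\s+(?:timeout\s+)?(tx-period|max-reauth-req)\s+(\d+)\s*$")

def parse_timers(config):
    """Extract the two timers that drive the no-response fallback; later lines win."""
    timers = dict(DEFAULTS)
    for line in config.splitlines():
        m = TIMER_RE.match(line)
        if m:  # supp-timeout is deliberately ignored: it only applies once the
            timers[m.group(1)] = int(m.group(2))  # supplicant has answered
    return timers

def request_identity_times(timers):
    """Seconds after link-up at which each EAP Request-Identity frame is sent
    (the initial frame plus max-reauth-req retransmissions)."""
    return [i * timers["tx-period"] for i in range(timers["max-reauth-req"] + 1)]

def fallback_after(timers):
    """Seconds of silence after link-up before the no-response action fires."""
    return (timers["max-reauth-req"] + 1) * timers["tx-period"]

def lands_in_guest_vlan(timers, supplicant_ready_s):
    """True if the supplicant only starts speaking EAPOL after the fallback window.
    Simplification: any EAPOL from the client before the window closes is
    assumed to keep the port in dot1x."""
    return supplicant_ready_s >= fallback_after(timers)

if __name__ == "__main__":
    READY_S = 20  # constructed value: supplicant service starts 20 s after link-up
    for name, cfg in (("as posted", PAGE_PORT_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        t = parse_timers(cfg)
        print(name, t, "requests at", request_identity_times(t),
              "fallback at", fallback_after(t), "s,",
              "guest VLAN" if lands_in_guest_vlan(t, READY_S) else "dot1x")
```

Under these assumptions the posted config gives a client 9 seconds to respond regardless of supp-timeout, while the suggested values give it 28 seconds.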