
Dot1x, Multi-auth, open mode

r.martins
Level 1

Hi,

A customer has configured a dot1x scenario in a lab environment to test the setup before rollout. He configured dot1x multi-auth with open mode (because there are a lot of clients that cannot authenticate at this time), RADIUS and MAB. Now he has the problem that the switch tries to reauthenticate unauthorized clients every minute and never stops; this causes a lot of unwanted requests on the ACS server. We already tried a lot of settings and timeouts, but nothing worked. Is there any way to configure the switch to retry only 3 times with a wait time of 5 minutes between every retry? We also tried configuring authentication fallback, but this doesn't work with multi-auth.

regards,

Roberto

3 Replies

Tiago Antunes
Cisco Employee

Hi Roberto,

Can you share with us the switch port configuration? Maybe you have re-authentication configured and this would explain why the switch attempts every minute.

If you do not want re-authentication to happen: "no dot1x reauthentication" or in later versions "no authentication periodic".

Regarding tweaking the timers with the goal of configuring the switch to retry only 3 times with a wait time of 5 minutes between every retry:

dot1x max-reauth-req count

Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.

dot1x timeout tx-period seconds

Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.

The range is 1 to 65535 seconds; the default is 5.

These commands are available in the dot1x config guides, like:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/sw8021x.html.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Tiago,

I want a periodic re-authentication, but only for "authorized" clients; this has been set to 1 hour.

I already tried to set dot1x max-reauth-req and dot1x timeout tx-period and these worked as they should (and as expected). The switch sent EAPOL three times (the first one and the two from max-reauth-req) with a wait time of 10 seconds and the client was shown as unauthorized. But after 60 seconds the switch begins the authentication process again, and that is what I don't want. Maybe there are undocumented configuration settings to disable this behavior.

regards,

Roberto

Hi Tiago,

I also set the dot1x timeout quiet-period to another value than 60 seconds (default), but the described behavior did not change.

regards,

Roberto
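
The settings discussed in this thread, collected into one interface configuration as an added example (not posted by either participant). The interface name and the 300-second restart value are assumptions; `authentication timer restart` does not appear in the thread and is the documented IOS timer (default 60 seconds) for the interval after which the switch attempts to authenticate an unauthorized port again.

```cisco
! Constructed example: interface name and restart value are assumptions.
interface GigabitEthernet0/1
 switchport mode access
 !
 ! Open mode with multi-auth, 802.1X first and MAB as the second method,
 ! as described in the original question.
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 ! Periodic re-authentication of authorized sessions every hour (3600 s),
 ! matching the 1 hour stated in the thread.
 authentication periodic
 authentication timer reauthenticate 3600
 !
 ! EAP-request/identity pacing as tested in the thread:
 ! first request plus two retries, 10 seconds apart.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 !
 ! Assumption, not from the thread: wait 300 s (5 minutes) instead of the
 ! default 60 s before authentication is attempted again on an
 ! unauthorized port. This spaces the retries out; it does not cap them.
 authentication timer restart 300
```

On a lab port, `show authentication sessions interface GigabitEthernet0/1` shows the session state and method per client, which makes it possible to compare the observed retry interval against the configured timers.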