06-25-2012 12:08 AM - edited 03-10-2019 07:14 PM
Hi all,
I have the following configuration:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization exec default local
!
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
But it takes quite a while for the user who is not authorized to be switched to vlan 2.
I would like to know what is best practice when using this kind of configuration and if it is possible to optimize how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
Laurent
06-26-2012 09:06 AM
Laurent,
Based on your configuration, it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from the command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface
thanks,
Tarik Admani
06-29-2012 08:48 AM
Hi,
I think there is a 30-second timeout for client and server communication in which the switch waits for responses from client and server; these timeouts can be configured globally.
And there is the dot1x timeout quiet-period command, which is 60 seconds by default.
Sent from Cisco Technical Support iPad App