lap
Explorer

IEEE 802.1x Port based Authentication with Restricted VLAN

Hi all,

I have the following configuration:

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization exec default local
!
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!

But it takes quite a while for a user who is not authorized to be switched to vlan 2.

I would like to know what the best practice is when using this kind of configuration, and whether it is possible to optimize how long it takes to switch the unauthorized user to the restricted VLAN.

Regards,

Laurent

Tarik Admani
Advocate

Laurent,

Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan 2. Try removing 'retry 1' from the command and see if that speeds up the time. Also take the output of 'show authentication sessions interface '. Please post the output of 'debug radius authentication', as that will help to see how long it is taking the radius server to respond.

thanks,

Tarik Admani

Oliver Laue
Enthusiast

Hi,

I think there is a 30-second timeout for client and server communication, in which the switch waits for responses from the client and the server; these timeouts can be configured globally.

And there is the dot1x timeout quiet-period command, which defaults to 60 seconds.

Sent from Cisco Technical Support iPad App
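The two replies above point at the same thing: the time to land in the restricted VLAN is the sum of the 802.1X and RADIUS timers between failed attempts, not the VLAN assignment itself. The configuration below is an added example, not posted by anyone in this thread, and shows the original port next to a version with those waits shortened. The timer values (5, 10, 2, 3) are illustrative choices, VLAN 2 is assumed to be the restricted VLAN as in the original post, and the default count for `authentication event fail retry` differs by IOS release, so the effective value should be checked with `show authentication interface FastEthernet0/1` and `show dot1x interface FastEthernet0/1` rather than assumed.

```ios
! Added example (not from the thread). Timer values are illustrative.
!
! --- Global: bound how long the switch waits on the RADIUS server ---
radius-server host 10.10.10.10 key cisco
! IOS defaults are a 5 s timeout with 3 retransmits per request;
! a smaller budget keeps an unreachable server from stalling the port.
radius-server timeout 3
radius-server retransmit 2
!
! --- Before (as posted): default 802.1X timers apply ---
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- After: same port, with the waits on the auth-fail path shortened ---
interface FastEthernet0/1
 switchport mode access
 ! 'retry 1' dropped as suggested above; the platform default then
 ! applies, so verify it with 'show authentication interface'.
 authentication event fail action authorize vlan 2
 ! If no RADIUS server answers at all, place the host in the
 ! restricted VLAN instead of leaving the port unauthorized.
 authentication event server dead action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 ! Hold-down after a failed attempt (default 60 s): the largest
 ! single wait between attempts on the fail path.
 dot1x timeout quiet-period 5
 ! EAP-Request/Identity retransmit interval (default 30 s) and how
 ! many times it is resent before the attempt is treated as failed.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! How long the authenticator waits for the RADIUS reply (default 30 s).
 dot1x timeout server-timeout 10
 spanning-tree portfast
!
```

Apply the shortened timers only on access ports that should fail fast; a quiet-period of a few seconds means a host that keeps presenting bad credentials also generates RADIUS traffic at that rate, so the RADIUS-side lockout policy should be checked before rolling this out widely.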
