Hi all,
I have the following configuration:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization exec default local
!
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
But it takes quite a while for the user who is not authorized to be switched to vlan 2.
I would like to know what is best practice when using this kind of configuration and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
Laurent
Laurent,
Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from the command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface
thanks,
Tarik Admani
Hi,
I think there is a 30 second timeout for client and server communication in which the switch waits for responses from client and server; these timeouts can be configured globally.
And there is the dot1x timeout quiet-period command, which is 60 seconds by default.
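The timers mentioned in the replies above, applied to the interface from the original post, as an added example that is not from any poster in this thread. The timer values are illustrative assumptions, mapping the "30 second timeout" to supp-timeout and server-timeout is an assumption, and the interface-level placement assumes an IOS release that accepts the dot1x timeout commands there.

```cisco
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 ! Hold-off after a failed authentication before the switch tries again
 ! (60 seconds by default, per the reply above). Illustrative value.
 ! A shorter hold-off also lets a client with bad credentials retry more often.
 dot1x timeout quiet-period 10
 ! How long the switch waits for the supplicant and for the RADIUS server
 ! to answer (assumed to be the 30 second timeout mentioned above).
 ! Illustrative values; too low a server-timeout fails clients when RADIUS is slow.
 dot1x timeout supp-timeout 10
 dot1x timeout server-timeout 10
 spanning-tree portfast
```

Comparing the output of show authentication sessions for the interface before and after the change shows whether the port reaches the restricted VLAN sooner.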