IEEE 802.1x Port based Authentication with Restricted VLAN

lap
Level 2

Hi all,

I have the following configuration:

aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization exec default local
!
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!

But it takes quite a while for a user who is not authorized to be switched to VLAN 2.

I would like to know what the best practice is when using this kind of configuration, and whether it is possible to optimize how long it takes to switch the unauthorized user to the restricted VLAN.

Regards,

Laurent

2 Replies

Tarik Admani
VIP Alumni

Laurent,

Based on your configuration, it looks as if it will take one retry attempt before the client is placed in VLAN 2. Try removing the 'retry 1' from the command and see if that speeds up the time. Also take the output of 'show authentication sessions interface '. Please post the output of 'debug radius authentication', as that will help to see how long it is taking the RADIUS server to respond.

thanks,

Tarik Admani

Oliver Laue
Level 4

Hi,

I think there is a 30-second timeout for client and server communication, during which the switch waits for responses from the client and the server; these timeouts can be configured globally.

And there is the dot1x timeout quiet-period command, which defaults to 60 seconds.

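A worked example added here that ties the two replies together; it is not code from the thread, from Laurent, or from Cisco. It parses the posted port configuration, pulls out the two values that govern the wait before the restricted VLAN (the 'authentication event fail retry' count and the 'dot1x timeout quiet-period'), and estimates the worst-case time to the restricted VLAN for the posted config and for a tuned variant. The timing model is a deliberate simplification (each failed attempt costs one RADIUS round trip that ends in Access-Reject, and the switch sits out one quiet period between consecutive failed attempts); the assumed default retry count of 2, the assumed 1-second RADIUS round trip, and the tuned values 'retry 0' and 'quiet-period 5' are all assumptions, so check them on your platform with 'show dot1x interface <if>' and 'show authentication sessions interface <if>'.

```python
"""Estimate how long a failing 802.1X supplicant waits before a Catalyst
switch places it in the restricted (auth-fail) VLAN.

Added example, not code from the thread. Timer defaults and the timing
model below are assumptions; verify them against your IOS release.
"""
import re

# Assumed IOS defaults, used when a timer is not set explicitly.
DEFAULT_QUIET_PERIOD = 60   # dot1x timeout quiet-period (figure given in the thread)
DEFAULT_FAIL_RETRY = 2      # authentication event fail retry (assumed default)

FAIL_RE = re.compile(r"authentication event fail(?: retry (\d+))? action authorize vlan (\d+)")
QUIET_RE = re.compile(r"dot1x timeout quiet-period (\d+)")

# Constructed: the configuration from the original post.
POSTED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 1 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
"""

# Constructed: the same port with no retry and a short quiet period.
# 'retry 0' and 'quiet-period 5' are hypothetical tuning values, not from the thread.
TUNED_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
!
interface FastEthernet0/1
 switchport mode access
 authentication event fail retry 0 action authorize vlan 2
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 spanning-tree portfast
"""


def parse_port_timers(config: str, interface: str) -> dict:
    """Return fail-retry count, quiet period and restricted VLAN for one port.

    An interface-level quiet-period overrides the global one; anything not
    configured falls back to the assumed defaults above.
    """
    global_quiet = None
    port_quiet = None
    fail_retry = DEFAULT_FAIL_RETRY
    restricted_vlan = None
    in_target = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            # Global-level command, or the start of an interface section.
            in_target = line.startswith("interface ") and line.split(None, 1)[1] == interface
            m = QUIET_RE.match(line)
            if m and not in_target:
                global_quiet = int(m.group(1))
            continue
        if not in_target:
            continue
        m = FAIL_RE.match(line)
        if m:
            if m.group(1) is not None:
                fail_retry = int(m.group(1))
            restricted_vlan = int(m.group(2))
        m = QUIET_RE.match(line)
        if m:
            port_quiet = int(m.group(1))
    quiet = port_quiet if port_quiet is not None else global_quiet
    if quiet is None:
        quiet = DEFAULT_QUIET_PERIOD
    return {"fail_retry": fail_retry, "quiet_period": quiet, "restricted_vlan": restricted_vlan}


def seconds_to_restricted_vlan(timers: dict, radius_rtt: float = 1.0) -> float:
    """Worst-case wait under the assumed model: (retry + 1) RADIUS round trips
    ending in Access-Reject, plus one quiet period between consecutive failures."""
    attempts = timers["fail_retry"] + 1
    return attempts * radius_rtt + timers["fail_retry"] * timers["quiet_period"]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("tuned", TUNED_CONFIG)):
        t = parse_port_timers(cfg, "FastEthernet0/1")
        print(f"{label:6s} retry={t['fail_retry']} quiet={t['quiet_period']}s "
              f"vlan={t['restricted_vlan']} -> ~{seconds_to_restricted_vlan(t):.0f}s to restricted VLAN")
```

With the posted values the estimate is dominated by the single 60-second quiet period that the 'retry 1' forces before the second attempt; with 'retry 0' the port goes to the restricted VLAN after the first Access-Reject. Two caveats when tuning this down: the quiet period also rate-limits password guessing against the RADIUS server through that port, and the restricted VLAN is a fail-open path for anything that fails authentication, so keep it isolated and filtered.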