Hi all,
i'm stuck understanding how the authentication timer and attempts work with 802.1X. I'm using catalyst switch 3850 (OS XE 16.5.1a). The interface config is the following
interface GigabitEthernet1/0/46 switchport access vlan 200 switchport mode access device-tracking attach-policy DeviceTrackingPolicy authentication event fail action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication timer inactivity server mab dot1x pae authenticator dot1x timeout tx-period 7 dot1x max-reauth-req 3 end
and the config of dot1x PAE is the following
PAE = AUTHENTICATOR QuietPeriod = 60 ServerTimeout = 0 SuppTimeout = 30 ReAuthMax = 3 MaxReq = 2 TxPeriod = 7
As you can see from the reported figure, the total authentication attempts are 2 (with 3 attempts of re-authentication). Also the time period between an EAP failure and the next attempts is equal to 60 seconds.
Does anybody know hot to configure this 2 type of parameters?
Accepted Solutions
Thanks Marcelo for the reply.
I changed a bit the config:
interface GigabitEthernet1/0/46 switchport access vlan 200 switchport mode access switchport voice vlan 707 device-tracking attach-policy DeviceTrackingPolicy authentication event fail retry 3 action next-method authentication host-mode multi-auth authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication timer restart 10 authentication timer inactivity server mab dot1x pae authenticator dot1x timeout quiet-period 18 dot1x timeout tx-period 1 dot1x max-reauth-req 3 spanning-tree portfast end
Here i reported the authentication process.
Until packet n. 1498, PC is trying to connect with its windows native 802.1x supplicant. ISE (and therefore the switch) send to it an access-reject (failure eap message). At this point the switch send:
- 1 Access-Request (authentication message)
- 3 Reauthentication Attempt messages
After this 4 messages, the switch sends an EAP failure beacause he didn't receive any response from the PC. Note that the PC doesn't respond because (this is mine hypotheisy) its supplicant is in a timeout state and therefore it doesn't respond for a time interval period (i can not find its value neither from windows configuration nor from web forum). After 10 seconds (value of restart timer) it begins the process (sending 4 messages). After that, the switch try to use MAB and doing so it is able to authenticate the user.
In this case the quiet period timer (that i configured with 18 seconds) dosen't beeing used. Instead the restart timer is used.
Also i configured (as you sad) the number of attempts with
authentication event fail retry 3 action next-method
However, as you can see, the switch used 2 attempts to authenticate the PC. Trying also to change this value to 4,5,6 the behaviour is the same as reported in the figure.
Can you explain to me this 2 behavior? Thanks!
