02-18-2005 03:45 AM - edited 03-02-2019 09:43 PM
Hello!
Maybe someone has a solution.
I am trying to get 802.1X working. It is working so far. The computer authenticates against the IAS/Cisco ACS server without problems using EAP-TLS.
The problem is that there is a delay of 10 seconds before the authentication succeeds (I just plugged the cable out and in from the switch). I just don't understand why!!! Maybe someone else knows the answer.
I attached the logging output from "debug dot1x events".
As you can see, the Cisco switch is asking for identity and also gets an answer. Then we come to the following line:
01:22:26: dot1x-ev:Delaying initial EAP-Request/Identity packet
Delaying initial EAP-Request. Then the switch waits 10 seconds before it continues with 802.1X. This is reproducible with Windows XP and Xsupplicant/Linux.
Why is the switch waiting 10 seconds?
That's the current config of the port:
interface FastEthernet0/24
 switchport access vlan 19
 switchport mode access
 dot1x port-control auto
 dot1x timeout tx-period 1
 dot1x timeout supp-timeout 1
 dot1x guest-vlan 12
 spanning-tree portfast
As you can see, I also played around with the dot1x values, but nothing changed. I always have a 10-second delay, which makes no sense to me.
Cu
02-21-2005 06:34 AM
Finally found the solution.
Setting
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
to 3 solved the problem. Now the authentication process only takes 3-4 seconds.
Cu
06-20-2022 08:49 AM - edited 06-20-2022 08:55 AM
Hi, this hint helped my colleague resolve slow dot1x authentication on old Cisco 2960 series switches with old IOS 12 and IOS 15 firmware, nowadays with Windows 10.
Please keep in mind that our example is for 802.1X (dot1x) EAP-TLS computer-based authentication with certificates. We use Microsoft DC, Microsoft AD, Microsoft CA, Microsoft NPS, Cisco switches, Juniper switches and Windows 10 based laptops and workstations.
Unfortunately on Windows 10, this registry doesn't exist.
But with Group Policy the issue is resolved.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wired Network (IEEE 802.3) Policies.
Here we create a new policy "Radius Ethernet" with the description "Allow 802.1x authentication". The box "Use Windows Wired Auto Config service for clients" is checked. Under Security, the box "Enable use of IEEE 802.1X authentication for network access" is also checked.
For "Select a network authentication method", "Microsoft: Smart Card or other Certificate" has been chosen. In the Properties next to "Select authentication method", under "When connecting", "Use a certificate on this computer" has been chosen. The box "Use simple certificate selection" has been checked. Under Advanced, the box "Certificate Issuer" has been checked. In "Root Certification Authorities", the box for the root certificate has been checked.
In "Intermediate Certification Authorities", the box for the root certificate has been checked. The box "Verify the server's identity by validating the certificate" has been checked. In "Trusted Root Certification Authorities", the box for the root certificate has been checked.
"Authentication Mode" has been set to "Computer only". The box "Cache user information for subsequent connections to this network" has been checked. For "Max Authentication Failures", the value is 1.
And the most important point!
Under Advanced, we should configure IEEE 802.1X only!
The box "Enforce advanced 802.1X settings" has been checked.
The parameters here are:
Max Eapol-Start Msgs 3
Held Period (seconds) 1
Start Period (seconds) 5
Auth Period (seconds) 18
And voilà!
Best regards!
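One way to confirm that a client actually received the advanced 802.1X settings listed in the post above, as an added example that is not part of the original thread: the script audits a wired profile exported with `netsh lan export profile` against those values. The element names (`maxStart`, `heldPeriod`, `startPeriod`, `authPeriod`, `maxAuthFailures`, `authMode`, `cacheUserData`) and the namespace are assumed from Microsoft's OneX profile schema, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace assumed from Microsoft's OneX profile schema.
ONEX_NS = "{http://www.microsoft.com/networking/OneX/v1}"

# Values from the post above, keyed by the assumed OneX element names.
EXPECTED = {
    "maxStart": "3",          # Max Eapol-Start Msgs
    "heldPeriod": "1",        # Held Period (seconds)
    "startPeriod": "5",       # Start Period (seconds)
    "authPeriod": "18",       # Auth Period (seconds)
    "maxAuthFailures": "1",   # Max Authentication Failures
    "authMode": "machine",    # Authentication Mode: Computer only
    "cacheUserData": "true",  # Cache user information
}

def audit_profile(xml_text):
    """Return {setting: (expected, found)} for each setting that differs.
    found is None when the element is absent from the profile."""
    root = ET.fromstring(xml_text)
    onex = root.find(f".//{ONEX_NS}OneX")
    if onex is None:  # no 802.1X section at all
        return {name: (want, None) for name, want in EXPECTED.items()}
    drift = {}
    for name, want in EXPECTED.items():
        node = onex.find(f"{ONEX_NS}{name}")
        found = node.text.strip() if node is not None and node.text else None
        if found != want:
            drift[name] = (want, found)
    return drift

# Constructed sample (EAPConfig omitted): startPeriod missing, authPeriod wrong.
SAMPLE = """
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <cacheUserData>true</cacheUserData>
      <heldPeriod>1</heldPeriod>
      <authPeriod>30</authPeriod>
      <maxStart>3</maxStart>
      <maxAuthFailures>1</maxAuthFailures>
      <authMode>machine</authMode>
    </OneX>
  </security></MSM>
</LANProfile>
"""

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

An empty result means the exported profile matches the values in the post; any entry names a setting where the policy did not apply or was overridden.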