Stephen Rodriguez
Cisco Employee

On the WLC, we have a couple of EAP timers that we can manipulate to help with client authentication. They are listed below:

EAP-Identity-Request Timeout
EAP-Identity-Request Max Retries
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout
EAPOL-Key Max Retries


Before we can manipulate these values, we need to understand what they do and how changing them will affect the network.

EAP-Identity-Request Timeout:

This timer affects how long we wait between EAP Identity Requests. By default this is one second (4.1 and lower) and 30 seconds (4.2 and greater). The reason for this change was that we found that some clients (handhelds, phones, scanners, etc.) had a hard time responding fast enough. Devices like laptops usually do not require a manipulation of these values. The available value is from 1 to 120.

So, what happens with this attribute set to a value of 30? When the client first connects, it sends an EAPOL Start to the network, and the WLC sends down an EAP packet requesting the user's or machine's identity. If the WLC does not receive the Identity Response, it sends another Identity Request 30 seconds after the first. This happens on initial connection and when the client roams.

What happens when we increase this timer? If everything is good, there is no impact. However, if there is an issue in the network (including client issues, AP issues, RF issues), this can cause delays in network connectivity. For example, if you set the timer to the maximum value of 120 seconds, the WLC waits 2 minutes between Identity Requests. If the client is roaming and the Response is not received by the WLC, we have created, at minimum, a two-minute outage for this client.

The recommendation for this timer is to set it at 5. There is no current reason to place this timer at its maximum value.

EAP-Identity-Request Max Retries


So, for max retries, what does this value do? In short, this is the number of times the WLC will send the Identity Request to the client before removing its entry from the MSCB. Once the Max Retries is reached, the WLC sends a de-authentication frame to the client, forcing it to restart the EAP process. The available value is 1 to 20. So let's look at this for a moment.

The Max Retries value works together with the Identity Timeout. If you have your Identity Timeout set to 120 and your Max Retries set to 20, how long does it take for the client to be removed? 120 * 20 = 2400. So it would take 40 minutes for the client to be removed and to start the EAP process over again. If instead you set the Identity Timeout to 5, with Max Retries of 12, 5 * 12 = 60. So there is one minute until the client is removed and has to start EAP over.

The recommendation for Max Retries is 12.

EAPOL-Key Timeout


For the EAPOL-Key Timeout value, the default is 1 second or 1000 milliseconds. What this means is that when it comes time to exchange the EAPOL keys between the AP and client, the AP will send the key and wait up to 1 second by default for the client to respond. After waiting the defined time value, the AP will re-transmit the key. You can use the command "config advanced eap eapol-key-timeout <time>" to alter this setting. The available values in 6.0 are between 200 and 5000 milliseconds, while code versions prior to 6.0 allow for values between 1 and 5 seconds. Keep in mind that if you have a client which isn't responding to a key attempt, extending the timers out can give it a little more time to respond. However, this could also prolong the time it takes for the WLC/AP to deauthenticate the client in order for the whole 802.1x process to start fresh.

EAPOL-Key Max Retries


For the EAPOL-Key Max Retries value, the default is 2. What this means is that we will retry the original key attempt to the client 2 times. This setting can be altered using the command "config advanced eap eapol-key-retries <retries>". The available values are between 0 and 4 retries. Using the default value for the EAPOL key timeout (1 sec) and the default value for the EAPOL key retry (2), the process would go as follows if a client doesn't respond to the initial key attempt:

1 - AP sends key attempt to the client
2 - Wait 1 second for a reply
3 - If no reply, then send eapol key retry attempt #1
4 - Wait 1 second for a reply
5 - If no reply, then send eapol key retry attempt #2
6 - If there is still no response from the client and the retry value is met, then deauthenticate the client.

Again, as with the EAPOL-Key Timeout, extending the EAPOL-Key retry value could in some circumstances be beneficial; however, setting it to the max may again be harmful, as the deauthenticate message would be prolonged.
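The timer arithmetic and the EAPOL-Key retry sequence described above, as an added Python example that is not part of the original article or Cisco's code. The setting names and the two profiles are constructed for illustration, and the final wait before deauthentication is an assumption that the article's step list does not state.

```python
# Value ranges as stated in the article (EAPOL-Key timeout is the 6.0 range, in ms).
# The dictionary keys are hypothetical names, not WLC configuration keywords.
RANGES = {
    "identity_timeout_s": (1, 120),
    "identity_retries": (1, 20),
    "eapol_key_timeout_ms": (200, 5000),
    "eapol_key_retries": (0, 4),
}


def validate(settings):
    """Return a list of settings that fall outside the article's ranges."""
    errors = []
    for name, (low, high) in RANGES.items():
        value = settings[name]
        if not low <= value <= high:
            errors.append(f"{name}={value} outside {low}..{high}")
    return errors


def identity_removal_window_s(settings):
    """Seconds until the client entry is removed (timeout * max retries)."""
    return settings["identity_timeout_s"] * settings["identity_retries"]


def eapol_key_timeline(settings):
    """Events (ms offset, action) for a client that never answers a key message.
    Assumption: one more timeout elapses after the last retry before the deauth."""
    timeout = settings["eapol_key_timeout_ms"]
    retries = settings["eapol_key_retries"]
    events = [(0, "send key")]
    for attempt in range(1, retries + 1):
        events.append((attempt * timeout, f"retry #{attempt}"))
    events.append(((retries + 1) * timeout, "deauthenticate"))
    return events


# Constructed profiles: the recommended identity values with the default
# EAPOL-Key values, and the maximums the article warns against.
RECOMMENDED = {"identity_timeout_s": 5, "identity_retries": 12,
               "eapol_key_timeout_ms": 1000, "eapol_key_retries": 2}
MAXIMUM = {"identity_timeout_s": 120, "identity_retries": 20,
           "eapol_key_timeout_ms": 5000, "eapol_key_retries": 4}

if __name__ == "__main__":
    for profile in (RECOMMENDED, MAXIMUM):
        print(validate(profile), identity_removal_window_s(profile), eapol_key_timeline(profile))
```
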

Comments
JPavonM
VIP

You can find it under Security > Advanced EAP:


Rich R
VIP

@JPavonM @bkatrep asked about "cisco 9800 wlc" - your screenshot is of AireOS ...

On 9800 IOS-XE: Configuration -> Security -> Advanced EAP


As far as I can tell these settings are only global.

patoberli
VIP Alumni

Rich R is correct, those settings are global. 
