12-06-2018 08:02 PM - edited 07-05-2021 09:33 AM
Greetings,
Before client association occurs, is there a timeout value for a client to be authenticated with the AP? This will be the step before the user is authenticated using EAP...
so lets say the authentication open seq is sent by the AP and nothing is heard back, how long will it take for the AP to reset the connection to the client?
Also, do we have a timeout value for the steps to follow after this? The client is authenticated but association hasn't completed, how long would the AP wait for the client to respond?
Thanks
12-06-2018 08:32 PM
12-07-2018 04:46 AM - edited 12-07-2018 04:54 AM
Client starts probe request (10ms per request if no response), followed with probe response from AP, followed with open authentication (can also do WEP) this is unicast communication to specific AP followed by an acknowledgement, followed by association request and response (Again Unicast) eventually obtaining an Association ID, till this stage any failure will be presented with a Status code 0-9 for success or failure result, you should be able to see this in capture.
post this Client will Start EAP communication with WLC and WLC will indeed talk Radius to AAA, there are timers here for EAP between controller and client, timers and retires are show below
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
For Radius timeout can vary default in most cases in 5 sec.
All these are configurable parameters.
12-09-2018 02:22 PM
Thanks Ammahend,
Do you know what the timeout is in the first phase? probe is send and is heard but then the client isnt heard of, how long would the AP wait for a response before resetting the session?
With EAP, the user now needs to enter a password and be authenticated either through radius or other methods. If the client does not respond at this stage or if the client takes too long to put in his/her key, the AP would keep the session for 30 seconds and then reset?
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide