Configuration Guide Vol. 2


7.1.6 Settings related to authentication processing

(1) Setting of the function to request re-authentication to the terminal

If you remove a terminal from the network without sending a logoff message to the Switch, the Switch will not have a chance to clear the authentication status of the terminal. This configuration solves the problem by clearing the authentication status of authenticated terminals that do not respond to re-authentication requests.

Points to note

Configure the switch to transmit an EAP-Request/Identity message to each authenticated terminal at the interval specified by the reauth-period timer. Make sure that the value of the reauth-period timer is greater than the value of the tx-period timer.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x reauthentication

    (config-if)# dot1x timeout reauth-period 360

    Enables the re-authentication request functionality at port 1/0/1, and then sets the re-authentication interval to 360 seconds.

(2) Setting of EAP-Request frame retransmission to terminal

This step specifies how long the Switch should wait for a terminal to respond to an EAP-Request frame before resending the request, and the maximum number of times that the Switch resends the request.

Points to note

Make sure that the product of the resending interval multiplied by the number of retransmissions does not exceed the value specified for the reauth-period timer.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout supp-timeout 60

    Specifies a retransmission period of 60 seconds for EAP-Request frames at port 1/0/1.

  2. (config-if)# dot1x max-req 3

    Specifies that EAP-Request frames be retransmitted a maximum of three times at port 1/0/1.

(3) Setting of the function to suppress authentication requests from terminals

This step prevents terminals from using EAPOL-Start frames to initiate an authentication sequence. With this functionality enabled, the authentication of new terminals and re-authentication of existing terminals take place at the intervals specified by the tx-period timer and reauth-period timer, respectively.

Points to note

This functionality reduces the load on the switch in situations where a large number of terminals send re-authentication requests over a short period. You cannot execute the commands below unless you execute the dot1x reauthentication command first.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x reauthentication

    (config-if)# dot1x ignore-eapol-start

    Prevents authentication processing from being initiated in response to EAPOL-Start frames received at port 1/0/1.

(4) Setting of the wait time before resuming authentication processing after an authentication failure

This step configures how long a terminal that fails authentication must remain idle before it can try again.

Points to note

This configuration prevents a situation in which the switch becomes overloaded by a large number of authentication requests received over a short period from terminals that fail authentication.

Note that the idle period you specify also applies to users who fail authentication because they enter the wrong user name or password.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout quiet-period 300

    Sets the wait time for resuming authentication processing to 300 seconds on port 1/0/1 for which IEEE802.1X authentication is set.

(5) Time-interval setting for sending EAP-Request/Identity frames

This configuration specifies the interval at which the Switch transmits EAP-Request/Identity packets, which gives terminals that do not issue EAPOL-Start packets an opportunity to initiate an authentication sequence.

Points to note

This functionality sends EAP-Request/Identity packets to the multicast address at the interval specified by the tx-period timer. Because already-authenticated terminals also answer each of these packets with an EAP-Response/Identity, specify a value that satisfies the following expression to ensure that the switch does not become overloaded.

reauth-period > tx-period >= (Total number of terminals to be authenticated by the device / 20) * 2

The default value of tx-period is 30 seconds. Therefore, in an environment where the switch authenticates more than 300 terminals, you will need to change the value of the tx-period timer.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout tx-period 300

    Sets the interval for sending EAP-Request/Identity frames to 300 seconds on port 1/0/1 for which IEEE802.1X authentication is set.

(6) Timer setting for the authentication server response wait time

This step specifies how long the switch waits for the authentication server to respond to a request. When the specified time has elapsed, the switch notifies the supplicant that authentication has failed. If this value is shorter than the total wait time implied by the retransmission settings of the dot1x radius-server host command, the supplicant is notified of the failure before all retransmissions have completed.

Points to note

If more than one server is configured with the dot1x radius-server host command and the value set here is shorter than the combined response wait time of all servers (including each server's retransmissions), the supplicant is notified of an authentication failure while the switch is still querying the remaining authentication servers. If you want the notification to wait until the switch has failed to get a response from all of the authentication servers, make sure that this command specifies a longer value.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout server-timeout 300

    Sets the wait time for a reply from the authentication server to 300 seconds on port 1/0/1 for which IEEE802.1X authentication is set.
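The timer rules stated in items (1), (2), (5) and (6) above can be checked before a configuration is applied. The following script is an added example, not part of this guide or the switch software: it encodes those rules for an arbitrary number of terminals, and the per-server RADIUS timeout and retransmit count it takes as inputs are assumed parameters, not commands from this guide.

```python
# Added example (not from the configuration guide): validates a proposed set of
# IEEE 802.1X timer values against the sizing rules given in this section.
# Parameter names mirror the dot1x timeout keywords; the RADIUS per-server
# timeout and retransmit count are assumed inputs for illustration.

def min_tx_period(terminal_count: int) -> int:
    """Smallest tx-period (seconds) allowed by
    tx-period >= (terminals / 20) * 2, rounded up to a whole second."""
    return -(-terminal_count * 2 // 20)   # ceiling division


def check_dot1x_timers(terminals: int, tx_period: int, reauth_period: int,
                       supp_timeout: int, max_req: int) -> list:
    """Return the rules a timer set violates (an empty list means consistent).

    Rules taken from the guide:
      - reauth-period must be greater than tx-period
      - tx-period >= (terminals / 20) * 2
      - supp-timeout * max-req must not exceed reauth-period
    """
    problems = []
    if reauth_period <= tx_period:
        problems.append("reauth-period must be greater than tx-period")
    needed = min_tx_period(terminals)
    if tx_period < needed:
        problems.append(f"tx-period {tx_period}s is below the {needed}s "
                        f"needed for {terminals} terminals")
    if supp_timeout * max_req > reauth_period:
        problems.append("supp-timeout * max-req must not exceed reauth-period")
    return problems


def radius_wait_exceeds_server_timeout(server_count: int, per_server_timeout: int,
                                       retransmits: int, server_timeout: int) -> bool:
    """True when dot1x server-timeout expires before every configured RADIUS
    server has been tried with all of its retransmissions, i.e. the supplicant
    would be told of a failure while a server might still answer.
    per_server_timeout and retransmits are assumed per-server settings."""
    total_wait = server_count * per_server_timeout * (1 + retransmits)
    return server_timeout < total_wait


if __name__ == "__main__":
    # Constructed sample: 3000 terminals with the default 30 s tx-period.
    print(check_dot1x_timers(3000, 30, 360, 60, 3))
    print(radius_wait_exceeds_server_timeout(2, 5, 3, 30))
```

For the 300-terminal case mentioned in item (5), min_tx_period returns the default of 30 seconds, which is why larger deployments require a longer tx-period.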

(7) Setting the communication block time when authentication is requested from multiple terminals

Specifies how long to block communication on a port running IEEE802.1X authentication (single mode) when an authentication request from two or more terminals is detected.

Points to note

Specify the length of time required to remove the surplus terminal from the port.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout keep-unauth 1800

    Sets the communication block time to 1800 seconds on port 1/0/1 for which IEEE802.1X authentication is set.