Configuration Guide Vol. 2


7.1.4 Settings related to authentication processing


(1) Setting of the function to request re-authentication to the terminal

If you remove a terminal from the network without sending a logoff message to the Switch, the Switch will not have a chance to clear the authentication status of the terminal. This configuration solves the problem by clearing the authentication status of authenticated terminals that do not respond to re-authentication requests.

Points to note

Configure the switch to transmit an EAP-Request/Identity message to each authenticated terminal at the interval specified by the reauth-period timer. Make sure that the value of the reauth-period timer is greater than the value of the tx-period timer.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x reauthentication

    (config-if)# dot1x timeout reauth-period 360

    Enables the re-authentication request functionality at port 1/0/1, and then sets the re-authentication interval to 360 seconds.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 reauthentication

    (config)# dot1x vlan 10 timeout reauth-period 360

    Enables the re-authentication functionality at VLAN 10 (configured for VLAN-based authentication (static)), and then sets the re-authentication interval to 360 seconds.

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic reauthentication

    (config)# dot1x vlan dynamic timeout reauth-period 360

    Enables the re-authentication functionality for terminals subject to VLAN-based authentication (dynamic), and then sets the re-authentication interval to 360 seconds.

(2) Setting of EAP-Request frame retransmission to terminal

This step specifies how long the Switch should wait for a terminal to respond to an EAP-Request frame before resending the request, and the maximum number of times that the Switch resends the request.

Points to note

Make sure that the product of the resending interval multiplied by the number of retransmissions does not exceed the value specified for the reauth-period timer.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout supp-timeout 60

    Specifies a retransmission period of 60 seconds for EAP-Request frames at port 1/0/1.

  2. (config-if)# dot1x max-req 3

    Specifies that EAP-Request frames be retransmitted a maximum of three times at port 1/0/1.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 timeout supp-timeout 60

    Specifies a retransmission period for EAP-Request frames of 60 seconds at VLAN 10 (configured for VLAN-based authentication (static)).

  2. (config)# dot1x vlan 10 max-req 3

    Specifies that EAP-Request frames are retransmitted a maximum of three times for members of VLAN 10 (configured for VLAN-based authentication (static)).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic timeout supp-timeout 60

    Specifies a retransmission period for EAP-Request frames of 60 seconds for terminals subject to VLAN-based authentication (dynamic).

  2. (config)# dot1x vlan dynamic max-req 3

    Specifies that EAP-Request frames are retransmitted a maximum of three times to terminals subject to VLAN-based authentication (dynamic).

(3) Setting of the function to suppress authentication requests from terminals

This step prevents terminals from using EAPOL-Start frames to initiate an authentication sequence. With this functionality enabled, the authentication of new terminals and re-authentication of existing terminals take place at the intervals specified by the tx-period timer and reauth-period timer, respectively.

Points to note

This functionality reduces the load on the switch in situations where a large number of terminals send re-authentication requests over a short period. You cannot execute the commands below unless you execute the dot1x reauthentication command first.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x reauthentication

    (config-if)# dot1x ignore-eapol-start

    Prevents authentication processing from being initiated in response to EAPOL-Start frames received at port 1/0/1.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 reauthentication

    (config)# dot1x vlan 10 ignore-eapol-start

    Prevents authentication processing from being initiated in response to EAPOL-Start frames received from VLAN 10 (configured for VLAN-based authentication (static)).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic reauthentication

    (config)# dot1x vlan dynamic ignore-eapol-start

    Prevents authentication processing from being initiated in response to EAPOL-Start frames received from terminals subject to VLAN-based authentication (dynamic).

(4) Setting the time to wait before resuming authentication processing when authentication fails

This step configures how long a terminal that fails authentication must remain idle before it can try again.

Points to note

This configuration prevents a situation in which the switch becomes overloaded by a large number of authentication requests received over a short period from terminals that fail authentication.

Note that the idle period you specify also applies to users who fail authentication because they enter the wrong user name or password.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout quiet-period 300

    Specifies an idle period of 300 seconds before terminals attached to port 1/0/1 configured for port-based authentication can retry the authentication process.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 timeout quiet-period 300

    Specifies an idle period of 300 seconds before terminals associated with VLAN ID 10 (configured for VLAN-based authentication (static)) can retry the authentication process.

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic timeout quiet-period 300

    Specifies an idle period of 300 seconds before terminals subject to VLAN-based authentication (dynamic) can retry the authentication process.

(5) Time-interval setting for sending EAP-Request/Identity frames

This configuration specifies the interval at which the Switch transmits EAP-Request/Identity packets, giving terminals that do not issue EAPOL-Start packets an opportunity to initiate an authentication sequence.

Points to note

This functionality sends EAP-Request/Identity packets to the multicast address at the interval specified by the tx-period timer. Because already-authenticated terminals also answer each request with an EAP-Response/Identity packet, specify a value that satisfies the following expression to ensure that the switch does not become overloaded.

reauth-period > tx-period >= (Total number of terminals to be authenticated by the device / 20) * 2

The default value of tx-period is 30 seconds. Therefore, in an environment where the switch authenticates more than 300 terminals, you will need to change the value of the tx-period timer.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout tx-period 300

    Specifies a 300 second interval for the transmission of EAP-Request/Identity frames to port 1/0/1 configured for port-based authentication.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 timeout tx-period 300

    Specifies a 300 second interval for the transmission of EAP-Request/Identity frames to VLAN ID 10 (configured for VLAN-based authentication (static)).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic timeout tx-period 300

    Specifies a sending interval of 300 seconds for EAP-Request/Identity frames in VLAN-based authentication (dynamic).

(6) Timer setting for the authentication server response wait time

This step specifies how long the switch waits for the authentication server to respond to a request. When the specified time has elapsed, the switch notifies the supplicant that authentication has failed. The supplicant learns of the failed authentication after the shorter of the following times: the time specified in the commands below, or the total time including retransmissions specified by the attributes of the radius-server command.

Points to note

When multiple RADIUS servers are configured in the radius-server command and you specify a shorter time than the total wait time including retransmissions by each server, the supplicant will be notified that authentication has failed before the switch is able to send requests to all the authentication servers. If you want the notification to wait until the switch has failed to get a response from all of the authentication servers, make sure that these commands specify a longer value.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout server-timeout 300

    Specifies a 300-second timeout period for responses from the authentication server at port 1/0/1 configured for port-based authentication.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 timeout server-timeout 300

    Specifies a 300-second timeout period for responses from the authentication server in VLAN 10 configured for VLAN-based authentication (static).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic timeout server-timeout 300

    Specifies a 300-second timeout period for responses from the authentication server at terminals subject to VLAN-based authentication (dynamic).
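As an added worked example (not part of this guide, and not vendor code), the following Python script checks a planned set of dot1x timer values against the constraints stated in (1), (2), (5) and (6) above, and renders the corresponding port-based commands. The radius-server attribute names timeout and retransmit, the per-server wait formula timeout * (retransmit + 1), and the terminal count and server list used as input are assumptions made for illustration.

```python
"""Consistency check for a planned IEEE 802.1X timer set.

Added example; not from the configuration guide.  Constraints encoded:
  (1) reauth-period  > tx-period
  (2) supp-timeout * max-req  <= reauth-period
  (5) tx-period  >= (terminals / 20) * 2
  (6) server-timeout shorter than the total RADIUS wait means the supplicant
      is told of failure before every server has been tried (advisory only).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RadiusServer:
    # Assumed attribute names for one radius-server entry (not from the guide).
    host: str
    timeout: int      # seconds to wait for one reply
    retransmit: int   # number of retransmissions after the first request

    def total_wait(self) -> int:
        # Assumed model: the first request and each retransmission wait 'timeout'.
        return self.timeout * (self.retransmit + 1)


@dataclass
class Dot1xTimers:
    reauth_period: int    # dot1x timeout reauth-period
    tx_period: int        # dot1x timeout tx-period
    supp_timeout: int     # dot1x timeout supp-timeout
    max_req: int          # dot1x max-req
    server_timeout: int   # dot1x timeout server-timeout


def min_tx_period(terminal_count: int) -> int:
    """Smallest integer tx-period satisfying tx-period >= (terminals / 20) * 2."""
    return (terminal_count * 2 + 19) // 20   # integer ceiling of terminals/10


def radius_total_wait(servers: List[RadiusServer]) -> int:
    """Worst-case time spent walking the whole RADIUS server list."""
    return sum(s.total_wait() for s in servers)


def check_timers(t: Dot1xTimers, terminal_count: int,
                 servers: List[RadiusServer]) -> List[str]:
    """Return one message per violated or advisory condition; empty list = clean."""
    problems: List[str] = []
    if not t.reauth_period > t.tx_period:
        problems.append(f"(1) reauth-period {t.reauth_period} must exceed "
                        f"tx-period {t.tx_period}")
    budget = t.supp_timeout * t.max_req
    if budget > t.reauth_period:
        problems.append(f"(2) supp-timeout*max-req = {budget} exceeds "
                        f"reauth-period {t.reauth_period}")
    need = min_tx_period(terminal_count)
    if t.tx_period < need:
        problems.append(f"(5) tx-period {t.tx_period} too small for "
                        f"{terminal_count} terminals; need at least {need}")
    total = radius_total_wait(servers)
    if t.server_timeout < total:
        problems.append(f"(6) advisory: server-timeout {t.server_timeout} is shorter "
                        f"than the RADIUS total wait {total}; the supplicant is "
                        f"told of failure before all servers are tried")
    return problems


def render_port_config(t: Dot1xTimers, port: str = "1/0/1") -> List[str]:
    """Port-based authentication commands from this section for the timer set."""
    return [
        f"interface gigabitethernet {port}",
        " dot1x reauthentication",
        f" dot1x timeout reauth-period {t.reauth_period}",
        f" dot1x timeout tx-period {t.tx_period}",
        f" dot1x timeout supp-timeout {t.supp_timeout}",
        f" dot1x max-req {t.max_req}",
        f" dot1x timeout server-timeout {t.server_timeout}",
    ]


# Constructed sample input: two RADIUS servers and 500 terminals behind the switch.
SERVERS = [RadiusServer("10.0.0.1", timeout=5, retransmit=3),
           RadiusServer("10.0.0.2", timeout=5, retransmit=3)]
TERMINALS = 500
GOOD = Dot1xTimers(reauth_period=360, tx_period=300, supp_timeout=60,
                   max_req=3, server_timeout=300)
BAD = Dot1xTimers(reauth_period=360, tx_period=30, supp_timeout=60,
                  max_req=7, server_timeout=10)

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(f"{name}: {check_timers(plan, TERMINALS, SERVERS) or 'no problems'}")
    print("\n".join(render_port_config(GOOD)))
```

The BAD plan keeps the default tx-period of 30 seconds, which (5) rules out once more than 300 terminals are authenticated, and lets supp-timeout * max-req overrun reauth-period; the (6) finding is reported as advisory because the guide only requires a longer server-timeout if you want the failure notification to wait for every server.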

(7) Setting the communication block time when authentication is requested from multiple terminals

This step specifies how long to block traffic at a port configured for port-based authentication in single-terminal mode in the event that the port receives authentication requests from multiple terminals.

Points to note

Specify the length of time required to remove the surplus terminal from the port.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x timeout keep-unauth 1800

    Specifies that port 1/0/1 configured for port-based authentication blocks traffic for 1800 seconds.

(8) Settings for outputting to syslog servers

Enables output of operation logs to the syslog server.

Points to note

Configure the output of operation logs that record information about IEEE 802.1X authentication and operation to the syslog server.

Command examples

  1. (config)# dot1x logging enable

    (config)# logging event-kind aut

    Configures output of operation logs for authentication to the syslog server.