Question: What is Delay EAP Success and how is it used on an Aruba Mobility Switch?
Environment: Use this when the EAP Success needs to be delayed so that the client can get an IP address during dot1x authentication.
The new command delay-eap-success under the 802.1x profile helps clients obtain an IP address in the correct VLAN by introducing a delay of one second in sending the EAP Success message to the client after it completes 802.1x authentication.
- Clients tend to send a DHCP discover the moment they receive EAP-Success.
- At that point, the dot1x default role might not yet be installed in the datapath, which will block the DHCP discover.
- The command delays sending the EAP-Success message to the user by one second.
- This allows the dot1x default role to be installed in the datapath before EAP-Success is sent to the client.
This option is disabled by default.
Recommendation:
• Use the Delay EAP and Deny DHCP feature when machine authentication is enabled
• To improve the login time for non-802.1x clients, adjust the EAP timers in the dot1x profile when “preauth” is enabled
  • For non-PXE clients
    • reauth-max 1
    • timer idrequest_period 20
  • For PXE clients
    • reauth-max 1
    • timer idrequest_period 10
To improve the DHCP discovery time for devices that do not support 802.1x authentication, it is recommended to adjust the following values in the aaa authentication dot1x profile:
- Set the reauth-max value to 1.
- Set the timer idrequest_period value to 10 for preboot execution environment (PXE) clients and 20 or lower for non-PXE clients.
Use the command “show aaa authentication dot1x <name>” to check whether delay-eap-success is enabled.
(switch) #show aaa authentication dot1x dot1x
802.1X Authentication Profile "dot1x"
-------------------------------------
Parameter          Value
---------          -----
...
Delay EAP Success  Enabled
...
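The same recommendations can be checked offline against a saved configuration. The script below is an added example, not Aruba code: it assumes a running-config layout in which each profile opens with aaa authentication dot1x "<name>" and closes with "!", and the sample configuration and profile names in it are constructed.

```python
import re

# Constructed sample (not from a real switch). Assumed running-config layout:
# 'aaa authentication dot1x "<name>"' opens a profile, '!' closes it.
SAMPLE_CONFIG = '''
aaa authentication dot1x "wired-pxe"
   delay-eap-success
   reauth-max 1
   timer idrequest_period 10
!
aaa authentication dot1x "wired-legacy"
   reauth-max 3
   timer idrequest_period 30
!
'''
PROFILE_RE = re.compile(r'^aaa authentication dot1x "?([^"\s]+)"?$')
SETTING_RE = re.compile(r'^(reauth-max|timer idrequest_period)\s+(\d+)$')

def parse_profiles(config):
    """Return {profile_name: [setting lines]} for every dot1x profile."""
    profiles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = PROFILE_RE.match(line)
        if match:
            current = profiles.setdefault(match.group(1), [])
        elif line == "!" or not raw[:1].isspace():
            current = None  # stanza closed, blank line, or other top-level line
        elif current is not None:
            current.append(line)
    return profiles

def audit_profile(settings, pxe=False):
    """List deviations from the article's recommendations for one profile."""
    limit = 10 if pxe else 20  # article: 10 (PXE) / 20 or lower; used as a ceiling
    values = {m[1]: int(m[2]) for m in map(SETTING_RE.match, settings) if m}
    findings = []
    if "delay-eap-success" not in settings:
        findings.append("delay-eap-success not enabled")
    if values.get("reauth-max") != 1:
        findings.append("reauth-max not set to 1")
    period = values.get("timer idrequest_period")
    if period is None or period > limit:
        findings.append(f"timer idrequest_period not set to {limit} or lower")
    return findings

if __name__ == "__main__":
    for name, settings in parse_profiles(SAMPLE_CONFIG).items():
        print(name, audit_profile(settings, pxe="pxe" in name) or "OK")
```

A setting that is absent from the stanza is reported as not set, because the script only sees values written explicitly in the configuration.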
Troubleshooting – Miscellaneous Commands
show aaa profile <name>
show aaa state station <mac>
show station-table
show user-table
show user
show rights <role_name>
show aaa authentication dot1x <name>