Question: What is Delay EAP Success and how to use it on Aruba Mobility Switch?
Environment: If want to delay the EAP success for the client to get an IP address during dot1x authentication.
- Clients has tendency to send dhcp discover, the moment it gets eap-success.
- By this time, a dot1x default role might not be installed in datapath which will prevent dhcp discover.
- Delays sending EAP-SUCCESS message to user by one second
- This helps installing dot1x default role in datapath before eap-success is sent to the client
This option is disabled by default.
• Use Delay EAP and Deny DHCP feature when machine authentication is enabled
• To improve the login time for non-802.1x clients adjust the eap timers in dot1x profile when “preauth” is enabled
To improve the DHCP discovery time for devices that do not support 802.1x authentication, it is recommended to adjust the following values in the aaa authentication dot1x profile:
- Set the reauth-max value to 1.
- Set the timer idrequest_period value to 10 for preboot execution environment (PXE) clients and 20 or lower for non-PXE clients.
Check using command “show aaa authentication dot1x <name>” whether delay-eap-success is enabled or not.
(switch) #show aaa authentication dot1x dot1x
802.1X Authentication Profile "dot1x"
Delay EAP Success Enabled
Troubleshooting– Miscellaneous Commands
show aaa profile <name>
show aaa state station <mac>
show user table
show rights <role_name>
show aaa authentication dot1x <name>
Internal Note: This option is disabled by default.