Delay EAP Success

Aruba Employee

Question: What is Delay EAP Success, and how is it used on an Aruba Mobility Switch?

Environment: Applies when you want to delay the EAP Success message so that the client can get an IP address during dot1x authentication.

The new command delay-eap-success under the 802.1x profile helps clients obtain an IP address in the correct VLAN by introducing a one-second delay before the EAP Success message is sent to the client after it completes 802.1x authentication.
  • Clients tend to send a DHCP Discover the moment they receive EAP-Success.
  • At that point, the dot1x default role might not yet be installed in the datapath, which blocks the DHCP Discover.
  • The command delays sending the EAP-Success message to the user by one second.
  • This allows the dot1x default role to be installed in the datapath before EAP-Success is sent to the client.

This option is disabled by default.

Recommendation:

  • Use the Delay EAP and Deny DHCP feature when machine authentication is enabled.
  • To improve the login time for non-802.1x clients, adjust the EAP timers in the dot1x profile when “preauth” is enabled:
      • For non-PXE clients:
          reauth-max 1
          timer idrequest_period 20
      • For PXE clients:
          reauth-max 1
          timer idrequest_period 10

To improve the DHCP discovery time for devices that do not support 802.1x authentication, it is recommended to adjust the following values in the aaa authentication dot1x profile:
  • Set the reauth-max value to 1.
  • Set the timer idrequest_period value to 10 for preboot execution environment (PXE) clients and 20 or lower for non-PXE clients.

 

Use the command “show aaa authentication dot1x <name>” to check whether delay-eap-success is enabled.

(switch) #show aaa authentication dot1x dot1x
802.1X Authentication Profile "dot1x"
-------------------------------------
Parameter Value
--------- -----
...
Delay EAP Success Enabled
...
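
An added example, not part of the original article or of Aruba's tooling: a Python check that reads saved “show aaa authentication dot1x <name>” output and lists the profiles where Delay EAP Success is not enabled. The second profile name dot1x-lab, the function names and the sample text are constructed for illustration; the first profile mirrors the output shown above.

```python
import re

# Constructed sample: the first profile mirrors the output shown on this page
# (elided rows kept as "..."); the second profile "dot1x-lab" is invented here.
SAMPLE_OUTPUT = '''\
(switch) #show aaa authentication dot1x dot1x
802.1X Authentication Profile "dot1x"
-------------------------------------
Parameter Value
--------- -----
...
Delay EAP Success Enabled
...
(switch) #show aaa authentication dot1x dot1x-lab
802.1X Authentication Profile "dot1x-lab"
-----------------------------------------
Parameter Value
--------- -----
Delay EAP Success Disabled
'''

PROFILE_RE = re.compile(r'^802\.1X Authentication Profile "(?P<name>[^"]+)"')
# Parameter names contain spaces, so anchor on the trailing state word.
FLAG_RE = re.compile(r'^(?P<param>\S.*?)\s+(?P<state>Enabled|Disabled)\s*$')


def parse_flags(cli_text):
    """Return {profile: {parameter: bool}} for every Enabled/Disabled row."""
    profiles, current = {}, None
    for line in cli_text.splitlines():
        header = PROFILE_RE.match(line.strip())
        if header:
            current = profiles.setdefault(header.group("name"), {})
            continue
        row = FLAG_RE.match(line.strip())
        if row and current is not None:
            current[row.group("param")] = row.group("state") == "Enabled"
    return profiles


def profiles_missing_delay(cli_text):
    """Profiles where Delay EAP Success is absent from the output or Disabled."""
    return sorted(name for name, flags in parse_flags(cli_text).items()
                  if not flags.get("Delay EAP Success", False))


if __name__ == "__main__":
    for name in profiles_missing_delay(SAMPLE_OUTPUT):
        print(f'profile "{name}": delay-eap-success is not enabled')
```

A profile whose output has no Delay EAP Success row at all is reported as missing, so truncated captures are flagged rather than silently passed.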

Troubleshooting – Miscellaneous Commands

show aaa profile <name>
show aaa state station <mac>
show station-table
show user table
show user
show rights <role_name>
show aaa authentication dot1x <name>

 

 

Internal Note: This option is disabled by default.

Version history
Revision #: 1 of 1
Last update: 11-09-2014 01:07 AM