The Mobility Access Switch introduces a new role called the "Preauth" role. This role is assigned to a client until the client derives its final role after passing through all the configured authentication methods. As a result, the policies defined on an intermediate role are not applied to the client traffic. This prevents clients from obtaining an IP address through DHCP in a subnet different from that of the final derived VLAN.
- Large number of servers in a server group.
- User delay in providing 802.1x credentials.
- Increased value of retransmit and time out intervals configured for the servers.
- Set the reauth-max value to 1.
- Set the timer idrequest_period value to 10 for Preboot Execution Environment (PXE) clients and 20 or lower for non-PXE clients.
(host) (config) # aaa profile Profile1
(host) (AAA Profile "Profile1") # show aaa profile Profile1