Scenario:
PC --- IP phone --- 6300 (AOS CX)
- IP phone is connected to a 6300 switch port (details on port configuration further down). Phone authenticates w/ 802.1x. Works as expected.
- PC is connected to phone's LAN port. The PC is not supposed to authenticate. It's supposed to simply be able to use the default VLAN.
The port configuration is the following:
interface 5/1/1
    no shutdown
    no routing
    vlan access 16
    port-access fallback-role my-default
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        eapol-timeout 30
        max-eapol-requests 2
        reauth
        reauth-period 172800
        enable
    client track ip enable
    loop-protect action tx-rx-disable
    exit
The fallback role puts the client online in the default VLAN; the only additional thing it does is to re-write DSCP values via a policy.
The authentication of the phone works as expected; however, the PC only comes online after several minutes (~5 min.). My question is: how can we manage to shorten this time? It's clear to me that we need to wait until waiting for EAPOL packets times out. But I'm not entirely sure which settings to modify to achieve this. From my understanding, the EAPOL timeout is 30s. 2 retries means that the PC should fail to authenticate no later than 90s. But that's not the case. It's 5 minutes or more.
The only workaround we have right now is to configure MAC auth in parallel and simply accept any MAC via RADIUS:
interface 5/1/1
    no shutdown
    no routing
    vlan access 16
    port-access fallback-role TUC-default
    port-access onboarding-method concurrent enable
    aaa authentication port-access client-limit multi-domain 2
    aaa authentication port-access client-limit 3
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 86400
        eapol-timeout 30
        max-eapol-requests 2
        reauth
        reauth-period 172800
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 86400
        quiet-period 30
        reauth
        reauth-period 172800
        enable
    client track ip enable
    loop-protect action tx-rx-disable
    exit
I don't seem to be able to find good information on what to do in this scenario. Any help is highly appreciated.