Let's proceed with the default value 30, as suggested in the Security Guide and VSG.
A shorter eapol-timeout allows for faster requests to the supplicant. Occasionally, some supplicants may not send or respond to EAP requests, leading to the authenticator not receiving EAP requests. Hence, I recommend a lower EAPOL timeout.
Original Message:
Sent: Jan 03, 2025 07:35 AM
From: mmachtolf
Subject: Wired 802.1X Timer
Hello Yash,
What's the reason for setting the eapol-timeout to a value of 1? The VSG recommends a value of 30.
Also, the Security Guide for AOS-CX 10.13 says the following (for a recommended value of 30):
Note that reducing the eapol-timeout any further could cause 802.1X to fail in some cases.
Why might 802.1X auth fail in some cases?
Also is there any Best Practice Guide where each of these values is explained (and visualized) further?
Thanks!
Original Message:
Sent: Jan 02, 2025 05:21 PM
From: Yash
Subject: Wired 802.1X Timer
AOS-CX IDF Port-Access Configuration
Without concurrent authentication.
interface 1/1/1
    description Port-Access-Yash-Recommendation
    no shutdown
    no routing
    vlan access 2
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    loop-protect
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access reject-role Reject_Role
    aaa authentication port-access critical-role RADIUS_DOWN
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 259200
        eapol-timeout 1
        enable
    aaa authentication port-access mac-auth
        cached-reauth
        cached-reauth-period 259200
        enable
    power-over-ethernet pre-std-detect
    client track ip enable
    client track ip update-interval 60
    client device-fingerprint apply-profile Yash
    apply fault-monitor profile Yash-CLIENT_PORT
With concurrent authentication.
interface 2/1/1
    description Port-Access-Yash-Recommendation
    no shutdown
    no routing
    vlan access 2
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    loop-protect
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit 2
    aaa authentication port-access reject-role Yash-Reject_Role
    aaa authentication port-access critical-role Yash-RADIUS_DOWN
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    power-over-ethernet pre-std-detect
    client track ip enable
    client track ip update-interval 60
    client device-fingerprint apply-profile Yash
    apply fault-monitor profile Yash-CLIENT_PORT
Thank you and regards,
Yash Nagaraju
Original Message:
Sent: Jan 02, 2025 11:07 AM
From: mmachtolf
Subject: Wired 802.1X Timer
Hello Herman,
Thank you for your response.
The dot1x timeout tx-period command on IOS-XE 17.12, which is described here:
Configures the number of seconds between retransmission of EAP request ID packets (assuming that no response is received) to the client.
matches the discovery-period, which is described as follows:
Configures the period the port waits to retransmit the next EAPOL request identity frame on an 802.1X enabled port that has no authenticated clients.
This could also be verified on a 6300 running AOS-CX 10.13.
Regarding the max-eapol-requests command, I would agree with you; however, I was unable to verify this.
The failover time was approximately 20 seconds when using a value of 1. However, depending on whether it pertains to the total number of EAP Request, Identity messages or the retransmissions, it should be around 5 to 10 seconds when configured with max-eapol-requests 1.
Unfortunately, the command reference guide does not provide any further information on this.
Best regards,
Matthias
Original Message:
Sent: Jan 02, 2025 08:32 AM
From: Herman Robers
Subject: Wired 802.1X Timer
It looks like "dot1x max-reauth-req" translates into CX "aaa authentication port-access dot1x authenticator max-eapol-requests". And "dot1x timeout tx-period" is the same as "aaa authentication port-access dot1x authenticator eapol-timeout".
In the CLI guide for AOS-CX, there is a pretty good description of what each of the settings do. From there it may be possible to get a close enough match, or better implementation as non-concurrent authentication has some timeout challenges and I have not found a universal working setting that works under all circumstances.
From reading the documentation (have not tested/validated), the max-eapol-requests refers to the eapol requests, the max-retries to the complete authentication process which can have multiple eapol requests each.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 02, 2025 06:11 AM
From: mmachtolf
Subject: Wired 802.1X Timer
Hello Herman,
This is for AOS-CX. At the moment I am trying to avoid concurrent onboarding.
In the solutions guide you shared, the following configuration is suggested:
aaa authentication port-access dot1x authenticator
    eapol-timeout 10
    max-eapol-requests 1
    max-retries 1
    enable
Efforts are being made to minimize failover from 802.1X to MAB by reducing both the number and interval between EAP-Request, Identity messages.
The discovery-period successfully configures the time between the EAP-Request, Identity messages. Therefore the eapol-timeout does not need to be set in my opinion.
However, neither max-eapol-requests nor max-retries (as suggested above) appear to configure the number of these messages.
I hope you might be able to assist me with this.
Thank you!
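An added model (not code from this thread, from Aruba, or from the solutions guide) of how eapol-timeout, max-eapol-requests and max-retries combine into the 802.1X-to-MAB failover time and into whether a slow supplicant completes at all. It assumes the semantics Herman read from the CLI guide (max-eapol-requests counts sends of one EAP request, max-retries counts whole authentication attempts), and the supplicant profiles are constructed; the 10 s it yields for the guide's 10/1/1 against the roughly 20 s observed in this thread is the discrepancy the posts leave unresolved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dot1xTimers:
    """AOS-CX 'dot1x authenticator' knobs, with the semantics assumed below."""
    eapol_timeout: float     # seconds to wait for a reply before resending one EAP request
    max_eapol_requests: int  # sends of one EAP request before the attempt is abandoned
    max_retries: int         # whole authentication attempts before 802.1X is given up on

@dataclass(frozen=True)
class Supplicant:
    """Constructed client behaviour for the model; not a real device profile."""
    ready_after: float    # seconds after link-up before it answers at all (inf = no supplicant)
    reply_latency: float  # seconds it needs to answer each EAP request once ready
    rounds: int           # EAP request/response rounds one authentication needs

def run_attempt(t: Dot1xTimers, s: Supplicant, now: float):
    """One authentication attempt starting at time `now`; returns (time, succeeded)."""
    for _ in range(s.rounds):
        for _ in range(t.max_eapol_requests):
            reply_at = max(now, s.ready_after) + s.reply_latency
            if reply_at <= now + t.eapol_timeout:
                now = reply_at          # reply arrived in time: move to the next round
                break
            now += t.eapol_timeout      # timer expired: retransmit the same request
        else:
            return now, False           # send budget exhausted: attempt abandoned
    return now, True

def simulate(t: Dot1xTimers, s: Supplicant):
    """Returns ('authenticated' | 'mab-failover', seconds after link-up)."""
    now = 0.0
    for _ in range(t.max_retries):
        now, ok = run_attempt(t, s, now)
        if ok:
            return "authenticated", now
    return "mab-failover", now          # 802.1X exhausted: port falls back to MAC auth

if __name__ == "__main__":
    guide = Dot1xTimers(eapol_timeout=10, max_eapol_requests=1, max_retries=1)  # from the thread
    tight = Dot1xTimers(eapol_timeout=1, max_eapol_requests=1, max_retries=1)   # constructed
    roomy = Dot1xTimers(eapol_timeout=30, max_eapol_requests=3, max_retries=3)  # constructed
    printer = Supplicant(ready_after=float("inf"), reply_latency=0, rounds=4)   # no supplicant
    slow_tls = Supplicant(ready_after=0, reply_latency=1.5, rounds=4)           # slow per round
    late_boot = Supplicant(ready_after=20, reply_latency=0.5, rounds=4)         # answers after boot
    for name, timers in [("guide", guide), ("tight", tight), ("roomy", roomy)]:
        for dev, sup in [("printer", printer), ("slow_tls", slow_tls), ("late_boot", late_boot)]:
            print(f"{name:5} {dev:9} -> {simulate(timers, sup)}")
```

A supplicant whose per-round latency exceeds eapol-timeout never completes no matter how high the two counters are set, which is the failure the Security Guide's note warns about.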
Original Message:
Sent: Jan 02, 2025 03:03 AM
From: Herman Robers
Subject: Wired 802.1X Timer
Is that for ArubaOS or AOS-CX switches?
I would recommend the default settings as described in the Wired Policy Enforcement guide. Both Aruba switches support something called concurrent onboarding, where 802.1X is constantly available and doesn't need to time out. Useful for devices that are slow booting.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 30, 2024 09:30 AM
From: mmachtolf
Subject: Wired 802.1X Timer
Hello everyone,
I'm trying to match my Aruba 802.1X configuration as closely as possible to an existing Cisco setup.
On the Cisco side, I have configured the following timers:
dot1x timeout tx-period 5
dot1x max-reauth-req 1
From what I've read in the Aruba documentation, tx-period seems to correspond to the discovery-period.
However, I'm unsure how the command max-reauth-req translates to the Aruba parameters max-eapol-requests or max-retries.
- max-eapol-requests: As far as I understand, this determines how many times an EAPOL request(-identity?) is resent if there is no response from the supplicant.
- max-retries: I'm not entirely sure if this refers to how many times a single authentication exchange is retried.
Could someone clarify the exact difference and how to configure them so that they mirror the Cisco settings as closely as possible? I've already tested various combinations of these parameters, but so far, I haven't arrived at a definitive result.
Thanks in advance for your help!