Q: How to control the number of eap-id-req sent to a client?
A: In AOS, during 802.1x authentication there are scenarios where the number of eap-id-requests sent to the client needs to be controlled.
One example is 802.1x-TLS, where the client takes time to accept the certificate presented by the server (termination on an external auth server).
By default, 15 eap-id-requests are sent. The count can be changed as desired with the knobs below:
"Reauth-Max" * "Max-Requests" is the maximum number of eap-id-req that will be sent. Default: 3 * 5 = 15
3 = Reauth-Max ==> Number of times the same id-req will be sent.
5 = Max-Requests ==> The total number of EAP requests which the controller will send out for a single EAP transaction
Sep 28 19:14:16 eap-start -> fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 - -
Sep 28 19:14:16 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 1 5 ==> eap-id-req ----> seq1
Sep 28 19:14:21 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 1 5 ==> eap-id-req ----> seq1
Sep 28 19:14:26 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 1 5 ==> eap-id-req ----> seq1
Sep 28 19:14:31 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 2 5 ==> eap-id-req ----> seq2
Sep 28 19:14:36 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 2 5 ==> eap-id-req ----> seq2
Sep 28 19:14:41 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 2 5 ==> eap-id-req ----> seq2
Sep 28 19:14:46 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 3 5
Sep 28 19:14:51 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 3 5
Sep 28 19:14:56 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 3 5
Sep 28 19:15:01 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 4 5
Sep 28 19:15:06 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 4 5
Sep 28 19:15:11 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 4 5
Sep 28 19:15:16 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 5 5
Sep 28 19:15:21 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 5 5
Sep 28 19:15:26 eap-id-req <- fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 5 5
Sep 28 19:15:31 station-down * fc:f8:ae:51:4b:7c 94:b4:0f:10:53:d4 - -
The interval between eap-id-req messages is 5 seconds by default. "timer idrequest_period" is the knob used to tweak this value.
Below is a sample auth-tracebuf output with all of the above-mentioned values modified:
(master) #show aaa authentication dot1x "akhil-.1x" | include Max,Req
Interval between Identity Requests 7 sec
Max number of requests sent during an Auth attempt 2
Max Number of Reauthentication Attempts 2
Nov 25 10:29:27 eap-start -> 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 - -
Nov 25 10:29:27 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 1 5
Nov 25 10:29:34 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 1 5
Nov 25 10:29:41 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 2 5
Nov 25 10:29:48 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 2 5
Nov 25 10:29:55 station-down * 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 - -
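To confirm from a trace that a profile change took effect, the counting done by eye above can be scripted. This is an added example, not part of the original article or of AOS: it parses auth-tracebuf lines in the format shown on this page, counts eap-id-req per station and per sequence value, and compares the result with the configured knobs. The function names, the fixed year used for timestamp parsing, and the assumption of one authentication attempt per station in the input are choices made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the second auth-tracebuf sample on this page.
SAMPLE = """\
Nov 25 10:29:27 eap-start -> 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 - -
Nov 25 10:29:27 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 1 5
Nov 25 10:29:34 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 1 5
Nov 25 10:29:41 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 2 5
Nov 25 10:29:48 eap-id-req <- 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 2 5
Nov 25 10:29:55 station-down * 3c:a9:f4:7f:84:54 18:64:72:ed:62:a0 - -
"""

# timestamp, event, direction, station MAC, BSSID, sequence column, last column
LINE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(?:->|<-|\*)\s+"
    r"([0-9a-f:]{17})\s+([0-9a-f:]{17})\s+(\S+)\s+\S+", re.I)

def summarize(text):
    """Per-station eap-id-req total, count per sequence value, and send intervals."""
    stats = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "eap-id-req":
            continue  # only identity requests are counted
        ts, _event, sta, _bssid, seq = m.groups()
        # The trace carries no year; a fixed one is assumed so deltas can be computed.
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
        s = stats.setdefault(sta.lower(), {"per_seq": Counter(), "times": []})
        s["per_seq"][seq] += 1
        s["times"].append(when)
    out = {}
    for sta, s in stats.items():
        t = s["times"]
        gaps = sorted({int((b - a).total_seconds()) for a, b in zip(t, t[1:])})
        out[sta] = {"total": len(t), "per_seq": dict(s["per_seq"]), "intervals": gaps}
    return out

def matches_profile(summary, reauth_max, max_requests, period):
    """Check one station's summary against the three knobs as this page describes them."""
    return (summary["total"] == reauth_max * max_requests
            and len(summary["per_seq"]) == max_requests
            and set(summary["per_seq"].values()) == {reauth_max}
            and summary["intervals"] == [period])

if __name__ == "__main__":
    for sta, info in summarize(SAMPLE).items():
        print(sta, info, "matches 2/2/7:", matches_profile(info, 2, 2, 7))
```

A station whose total falls short of Reauth-Max * Max-Requests stopped receiving requests before the retry budget was exhausted; check the same trace for what happened to that client.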