Controller Based WLANs


APs, Controllers, VIA

How to control the number of eap-id-req sent to a client?

Nov 25, 2015 07:12 PM

Q:

How to control the number of eap-id-req sent to a client?



A:

In AOS, during 802.1x authentication, there are scenarios where the number of eap-id-requests sent to the client needs to be controlled.

One example is 802.1x-TLS, where the client takes time to accept the certificate presented by the server (termination on an external auth server).

By default 15 eap-id-requests are sent. Using the knobs below, the count can be changed as desired:

 

"Reauth-Max" * "Max-Requests" is the maximum number of eap-id-req that will be sent. Default: 3 * 5 = 15.

3 = Reauth-Max ==> Number of times the same id-req will be sent.

5 = Max-Requests ==> The total number of EAP requests that the controller will send out for a single EAP transaction.


Sep 28 19:14:16  eap-start             ->  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                -   -    
Sep 28 19:14:16  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                1   5    ==> eap-id-req ----> seq1
Sep 28 19:14:21  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                1   5    ==> eap-id-req ----> seq1
Sep 28 19:14:26  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                1   5    ==> eap-id-req ----> seq1
Sep 28 19:14:31  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                2   5    ==> eap-id-req ----> seq2
Sep 28 19:14:36  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                2   5    ==> eap-id-req ----> seq2
Sep 28 19:14:41  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                2   5    ==> eap-id-req ----> seq2
Sep 28 19:14:46  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                3   5    
Sep 28 19:14:51  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                3   5    
Sep 28 19:14:56  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                3   5    
Sep 28 19:15:01  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                4   5    
Sep 28 19:15:06  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                4   5    
Sep 28 19:15:11  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                4   5    
Sep 28 19:15:16  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                5   5    
Sep 28 19:15:21  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                5   5    
Sep 28 19:15:26  eap-id-req            <-  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                5   5    
Sep 28 19:15:31  station-down           *  fc:f8:ae:51:4b:7c  94:b4:0f:10:53:d4                -   -    

 

The interval between eap-id-req is 5 seconds by default. "timer idrequest_period" is the knob used to tweak this value.

Below is a sample auth-tracebuf output with all of the above-mentioned values modified:

(master) #show aaa authentication dot1x "akhil-.1x" | include Max,Req
Interval between Identity Requests                                          7 sec
Max number of requests sent during an Auth attempt        2
Max Number of Reauthentication Attempts                           2
 

Nov 25 10:29:27  eap-start             ->  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  -  - 
Nov 25 10:29:27  eap-id-req            <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  1  5
Nov 25 10:29:34  eap-id-req            <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  1  5
Nov 25 10:29:41  eap-id-req            <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  2  5
Nov 25 10:29:48  eap-id-req            <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  2  5
Nov 25 10:29:55  station-down           *  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  -  -
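
To check a captured trace against the configured values, the sketch below (an added example, not part of the original article or of AOS tooling) counts eap-id-req per station and measures the gap between them. The function names are hypothetical, and treating the first numeric column as the request id is an assumption based on the traces shown above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the second trace from the article, column spacing condensed.
TRACE = """\
Nov 25 10:29:27  eap-start   ->  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  -  -
Nov 25 10:29:27  eap-id-req  <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  1  5
Nov 25 10:29:34  eap-id-req  <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  1  5
Nov 25 10:29:41  eap-id-req  <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  2  5
Nov 25 10:29:48  eap-id-req  <-  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  2  5
Nov 25 10:29:55  station-down *  3c:a9:f4:7f:84:54  18:64:72:ed:62:a0  -  -
"""

# timestamp, event, direction, station MAC, BSSID, id column; trailing text ignored
LINE = re.compile(r"(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+\S+\s+"
                  r"([0-9a-f:]{17})\s+([0-9a-f:]{17})\s+(\S+)", re.I)

def summarize(trace):
    """Per station MAC: eap-id-req total, sends per id value, gaps in seconds."""
    seen = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "eap-id-req":
            continue
        # The trace carries no year; a fixed leap year lets strptime parse any date.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        st = seen.setdefault(m.group(3).lower(), {"ids": Counter(), "ts": []})
        st["ids"][m.group(5)] += 1
        st["ts"].append(ts)
    out = {}
    for mac, st in seen.items():
        gaps = {int((b - a).total_seconds()) for a, b in zip(st["ts"], st["ts"][1:])}
        out[mac] = {"total": sum(st["ids"].values()),
                    "distinct_ids": len(st["ids"]),
                    "sends_per_id": sorted(set(st["ids"].values())),
                    "intervals": sorted(gaps)}
    return out

def exhausted_budget(stats, reauth_max=3, max_requests=5, period=5):
    """True if the station got the full Reauth-Max * Max-Requests run at the set interval."""
    return stats["total"] == reauth_max * max_requests and stats["intervals"] == [period]

if __name__ == "__main__":
    for mac, stats in summarize(TRACE).items():
        print(mac, stats, exhausted_budget(stats, 2, 2, 7))
```

A station for which exhausted_budget returns True never answered any identity request before station-down, which is the case the knobs above are meant to tune.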

 
