dot1x confusion

mjohnson
Level 1

I have posted about this subject before, in "dot1x behavior" and "dot1x behavior 2". My problem is max-req and max-reauth-req. The definitions provided do not appear to match the definitions in this Cisco doc: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1025468 Specifically, in the sections "setting the switch to client retransmission number" and "setting the reauthentication number", the document states that max-req is the number of EAP-request/identity frames that are sent to authenticate the client before restarting the authentication process. The prior answer provided appears to be in conflict with the documentation. Can someone provide some insight as to what these parameters are?

3 Replies

jafrazie
Cisco Employee

max-reauth-req:

This is the timer for EAPOL-Identity-Request frames (only). So, if you plug in a device incapable of 802.1X, 3 EAPOL-Id-Req frames will go out on the wire before the state machine resets. Alternatively, if you have the Guest-VLAN configured, 3 will go out on the wire before the port is enabled. This parameter has a default value of 2.

max-req:

This value affects the number of times EAPOL DATA packets are re-transmitted (if lost, or not replied to). For example, if you have a supplicant in the middle of authenticating and it has a problem, the authenticator will re-transmit requests for data 3 times before giving up on the authentication request.

Both of these timers indicate the responsibility of the authenticator to retransmit frames that warrant a response by a supplicant and have gone unanswered.

Hope this helps,

From the doc I specified above:

dot1x max-req

Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.

dot1x max-reauth-req

Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 1 to 10; the default is 2.

The document appears to be in conflict with your definition, and that's why I am confused.

I'll file a documentation bug. This is old info.

max-reauth-req ~= reAuthMax as defined by IEEE 802.1X.

Hope this helps,
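The distinction drawn in the two Cisco replies above (max-reauth-req bounding EAPOL-Request/Identity retries for a device that never answers, max-req bounding retries of later EAP requests for a supplicant that stalls mid-authentication, and max-reauth-req mapping to IEEE reAuthMax) can be seen in a small simulation. The code below is an added illustration written for this page, not Cisco code and not the IOS state machine. It assumes the counting convention stated in the first reply: with the default of 2, three EAP-Request/Identity frames go on the wire (reAuthMax + 1), and the same "original plus max_req retries" convention is applied to the data-phase requests. The class and function names (Dot1xPort, silent_device, stalling_supplicant, good_supplicant, run) are hypothetical, timers are collapsed into a single "no reply" event, and credential checking is out of scope; confirm the exact on-wire counts for a given IOS release with a packet capture or `debug dot1x`.

```python
"""Toy model of the authenticator-side retry counters behind
`dot1x max-reauth-req` and `dot1x max-req`.

Assumptions (illustration only, not Cisco's implementation):
- max_reauth_req plays the role of IEEE 802.1X reAuthMax: it bounds how many
  times EAP-Request/Identity is RE-sent, so max_reauth_req + 1 frames are sent
  before the authenticator gives up on a device that never answers.
- max_req plays the role of IEEE maxReq with the same convention: the first
  data-phase request plus max_req retransmissions.
- tx-period / supp-timeout expiries are collapsed into the supplicant callback
  returning None ("no reply before the timer expired").
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

EAP_REQUEST_IDENTITY = "EAP-Request/Identity"
EAP_REQUEST_CHALLENGE = "EAP-Request/Challenge"  # stand-in for any EAP method request

Supplicant = Callable[[str], Optional[str]]


@dataclass
class Dot1xPort:
    max_reauth_req: int = 2          # dot1x max-reauth-req (IOS default 2)
    max_req: int = 2                 # dot1x max-req (IOS default 2)
    guest_vlan: Optional[int] = None # dot1x guest-vlan <id>, if configured
    wire: List[str] = field(default_factory=list)  # every frame the authenticator sent
    result: str = "unauthorized"
    vlan: Optional[int] = None

    def _send(self, frame: str) -> None:
        self.wire.append(frame)

    def authenticate(self, supplicant: Supplicant) -> str:
        """Run one authentication attempt against a supplicant callback."""
        # Phase 1: identity request, governed by max_reauth_req (reAuthMax).
        identity = None
        for _ in range(self.max_reauth_req + 1):      # original send + retries
            self._send(EAP_REQUEST_IDENTITY)
            identity = supplicant(EAP_REQUEST_IDENTITY)
            if identity is not None:
                break
        if identity is None:
            # reAuthCount exceeded reAuthMax: nothing 802.1X-capable is attached.
            if self.guest_vlan is not None:
                self.result, self.vlan = "guest-vlan", self.guest_vlan
            else:
                self.result = "restart"   # state machine resets and starts over
            return self.result

        # Phase 2: method ("EAPOL data") exchange, governed by max_req (maxReq).
        reply = None
        for _ in range(self.max_req + 1):
            self._send(EAP_REQUEST_CHALLENGE)
            reply = supplicant(EAP_REQUEST_CHALLENGE)
            if reply is not None:
                break
        if reply is None:
            self.result = "timeout"       # reqCount exceeded maxReq: attempt abandoned
            return self.result
        self.result = "authorized"        # credential validation is out of scope here
        return self.result


# Constructed supplicant behaviours for the three cases discussed in the thread.
def silent_device(request: str) -> Optional[str]:
    """A printer or phone with no 802.1X stack: never answers anything."""
    return None


def stalling_supplicant(request: str) -> Optional[str]:
    """Answers the identity request, then goes quiet mid-authentication."""
    return "EAP-Response/Identity" if request == EAP_REQUEST_IDENTITY else None


def good_supplicant(request: str) -> Optional[str]:
    """Answers every request."""
    return "EAP-Response/Identity" if request == EAP_REQUEST_IDENTITY else "EAP-Response/Challenge"


def run(supplicant: Supplicant, **port_settings) -> Dot1xPort:
    port = Dot1xPort(**port_settings)
    port.authenticate(supplicant)
    return port


if __name__ == "__main__":
    for name, supp, settings in [
        ("silent, no guest VLAN", silent_device, {}),
        ("silent, guest VLAN 99", silent_device, {"guest_vlan": 99}),
        ("stalls after identity", stalling_supplicant, {}),
        ("healthy supplicant", good_supplicant, {}),
    ]:
        port = run(supp, **settings)
        print(f"{name:24s} result={port.result:10s} vlan={port.vlan} frames={port.wire}")
```

Running it shows the split the thread is about: the silent device draws exactly three EAP-Request/Identity frames and then either a reset or the guest VLAN (max-reauth-req path), while the stalling supplicant draws one identity request followed by three challenge retransmissions and a timeout (max-req path). Raising max-reauth-req lengthens the first run only, raising max-req the second only.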