dot1x confusion

Unanswered Question

I have posted about this subject before, dot1x behavior and dot1x behavior 2. My problem is max-req and max-rerauth-req. The definition of each provided do not appear to match the definition in this Cisco doc "http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1025468" Specifically, sections "setting the switch to client retransmission number" and " setting the reauthentication number" the document states max-req is the number of EAP request identity frames that are sent to authenticate the client before restarting the authentication process. The prior answer provided appears to be in conflict with the documentation, can someone provide some insight as what these parameters are?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jafrazie Wed, 09/05/2007 - 06:22
User Badges:
  • Cisco Employee,

max-reauth-req:

This is the timer for EAPOL-Identity-Request frames (only). So, if you plug in a device incapable of 802.1X, 3 EAPOL-Id-Req frames will go out on the wire before the state machine resets. Alternatively, if you have the Guest-VLAN configured, 3 will go out on the wire before the port is enabled. This parameter has a default value of 2.


max-req:

This value affects the number of times EAPOL DATA packets are re-transmitted (if lost, or not replied to). For example, if you have a supplicant in the middle of authenticating and it has a problem, the authenticator will re-transmit requests for data 3 times before giving up on the authentication request.


Both of these timers indicate responsibility of the authenticator to retransmit frames if that warrant a response by a supplicant and have gone unanswered.


Hope this helps,



From the doc I specified above:


dot1x max-req

Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.


dot1x max-reauth-req

Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 1 to 10; the default is 2


The document appears to be in conflict with your definition and thats why I am confused.


jafrazie Wed, 09/05/2007 - 08:12
User Badges:
  • Cisco Employee,

I'll file a documentation bug. This is old info.


max-reauth-req ~= reAuthMax as defined by IEEE 802.1X.


Hope this helps,

Actions

This Discussion