How to set the Minimum EAPOL time-out value and EAP retry amount on a Cisco 3560G

Unanswered Question
May 28th, 2008

I have a Windows and ACS authentication issue. A Microsoft engineer suggested I follow Microsoft KB931856, "A Windows XP-based wired client computer will not obtain a valid IP address from a guest VLAN or from an 'Authentication failed-VLAN'". I did steps 1 and 2, but I am not sure how to do steps 3 and 4. Any help?

3. Use the default settings in which the SupplicantMode registry entry is not present, and change the Ethernet switch settings to a value of 1 for the following settings:

- Minimum EAPOL time-out value
- EAP retry amount

4. Change the Ethernet switch VLAN setup. Use one default VLAN, and then use one or more VLANs for 802.1X authenticated computers and users.

didyap Tue, 06/03/2008 - 12:16

Use the dot1x test eapol-capable privileged EXEC command to monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x.

dot1x test eapol-capable [interface interface-id]

This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:

switch# dot1x test eapol-capable interface gigabitethernet1/0/13

3.

interface fa0/x
 dot1x timeout tx-period
 dot1x max-req

"tx-period" is the number of seconds between "EAP Request Identity" switch messages (how long the switch waits for the client reply). "max-req" is the number of "EAP Request Identity" switch messages. If there is no response, the client is declared agentless (no supplicant) and the Guest VLAN is assigned. If there is a response but the password is invalid too many times, the Auth-fail VLAN is assigned (if configured). So these parameters should make things faster.

4.

Read everything you can find about Machine and User 802.1x authentication. This is a really complex subject. In general, machine authentication can be performed first, then user authentication. If the VLAN assigned to the machine is different from the VLAN assigned to the user, the DHCP address (re)assignment may not work (never works for the M$ supplicant?). However, as far as I remember, "SupplicantMode registry entry is not present" means "the client does not initiate the 802.1x exchange". This means that user authentication will not be performed after the machine authentication, because the switchport is already authorized from the switch's point of view.

HTH, sorry, this is a complex subject.
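As an added illustration (not from the original post, and not Cisco IOS code), a small Python model of the authenticator timeline the answer describes: how tx-period and max-req together set how long a host with no supplicant waits before it is declared agentless and placed in the guest VLAN, and how repeated bad credentials end in the auth-fail VLAN. The 30 s / 2 defaults and the auth_fail_max knob are assumptions, and the timeline is only as detailed as the post's explanation, not the full IEEE 802.1X state machine.

```python
"""Toy 802.1X authenticator timeline (constructed illustration, not IOS code)."""
from dataclasses import dataclass


@dataclass
class Host:
    has_supplicant: bool        # False: silent host that never answers EAPOL
    password_ok: bool = True    # only matters when has_supplicant is True


def run_port(host, tx_period=30, max_req=2, data_vlan=10,
             guest_vlan=None, auth_fail_vlan=None, auth_fail_max=3):
    """Bring one port up and return (vlan, state, seconds_elapsed, log).

    tx_period     : seconds the switch waits after each EAP Request-Identity
    max_req       : Request-Identity frames sent before the host is declared agentless
    auth_fail_max : bad-credential attempts tolerated before the auth-fail VLAN
                    (assumed knob; the post only says "too many times")
    30 s / 2 are assumed IOS defaults; the KB in the question sets both to 1.
    """
    log, t = [], 0
    for n in range(1, max_req + 1):
        log.append(f"t={t:3}s  switch -> host  EAP Request-Identity #{n}")
        if host.has_supplicant:
            log.append(f"t={t:3}s  host -> switch EAP Response-Identity")
            break
        t += tx_period                       # a full tx-period passes with no reply
    else:
        # Every request timed out: host is agentless; guest VLAN only if configured.
        state = "guest" if guest_vlan else "unauthorized"
        log.append(f"t={t:3}s  no supplicant detected -> {state}")
        return guest_vlan, state, t, log
    for attempt in range(1, auth_fail_max + 1):
        if host.password_ok:
            log.append(f"t={t:3}s  EAP-Success -> VLAN {data_vlan}")
            return data_vlan, "authorized", t, log
        log.append(f"t={t:3}s  EAP-Failure (bad credentials, attempt {attempt})")
    # Too many failures: auth-fail VLAN if configured, otherwise the port stays blocked.
    state = "auth-fail" if auth_fail_vlan else "unauthorized"
    log.append(f"t={t:3}s  {auth_fail_max} failures -> {state}")
    return auth_fail_vlan, state, t, log


if __name__ == "__main__":
    silent = Host(has_supplicant=False)
    for tx, mr in ((30, 2), (1, 1)):         # assumed defaults vs. KB931856 values
        vlan, state, secs, _ = run_port(silent, tx, mr, guest_vlan=20)
        print(f"tx-period {tx}, max-req {mr}: guest VLAN {vlan} after {secs}s")
    print("\n".join(run_port(Host(True, password_ok=False), auth_fail_vlan=30)[3]))
```

With the defaults a silent XP host sits unauthorized for the whole 60 s before it reaches the guest VLAN, which is why the KB pushes both values down to 1 so the guest VLAN arrives before the DHCP client gives up.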
