I have a problem with the critical authentication VLAN. The connection to the RADIUS server works. If I cut the connection to the server, the Cisco Catalyst moves all new hosts into the critical VLAN.
When the RADIUS server is reachable again, the hosts remain in the critical VLAN for 20 minutes. Why is this so?
Another problem is that, despite "dot1x critical eapol", the switch sends no EAP-Success to the supplicant. The connection manager shows the connection as failed, although it works.
What can that be?
Here are some commands:
authentication critical recovery delay 2000
dot1x critical eapol
radius-server dead-criteria time 10 tries 3
switchport mode access
authentication event server dead action authorize vlan 3000
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period
Thanks for the help.
Good find, I completely forgot to take the RADIUS server dead criteria into account. Here are some settings which you can use to speed up the time if you don't want to use the probe method:
It says the default is set to 0, can you verify to see if this was set to 20 (radius-server deadtime)?
*Please rate helpful posts*
AFAIK the Windows supplicant's default behaviour is to not process any access request from the switch for 20 minutes after getting an explicit access-reject. See KB957931 on the MS site: support.microsoft.com/kb/957931. Maybe this applies even when a supplicant request has timed out because of an unresponsive RADIUS server, but I am not sure.