Hi, we hope someone is "shark" enough to assist us in this little quest.
We use a setup consisting of a Windows RADIUS server, 200+ Cisco 877W supplicants and Windows 7 / XP clients.
The setup works, but we have a seriously irritating issue when the router is restarted.
When the user reboots the Cisco 877W with a PC connected, the DSL line needs to train before the authentication can be completed. This retrain may in some situations last for several minutes.
The result is often that the authentication fails and the Cisco (as supplicant) takes the port down administratively instead of granting access to the guest VLAN.
In the (anonymized) "show running" below, you will see that VLAN40 is the trusted VLAN and VLAN1 is the guest VLAN; we also supplied a "show dot1x interface x details" for an authorized and a non-authorized Ethernet port.
A "shutdown / no shutdown" on the port restarts the authentication correctly, enabling either trusted or guest VLAN access, as does a disconnect/reconnect of the cable or toggling wireless "on/off" on the PC.
We tried setting the "ReauthPeriod" to as little as 30 seconds without much success (the port is down, thus nothing is communicated to the client).
If the DSL needs to retrain for some reason, having the re-auth set to 30 seconds destroys the authentication, leaving the PC in VLAN1 with an IP address matching VLAN40, rendering the connection useless even for Internet access.
Also, packet loss or RADIUS stress may disconnect the user if re-auth is impossible; therefore we find that the default re-auth setting of 3600 seconds (or even higher) seems more appropriate.
Are we missing a setting, or is it simply required to have the users reconnect their PC if the DSL connection drops or
As you have rightly pointed out, the problem is that the PC comes up first and straight away sends the EAPOL frame to the switch, and because the switch cannot reach the RADIUS server (the DSL line is still training), it forces the port into VLAN 1.
Unfortunately, IMHO this is the limitation of DSL lines: sometimes they take several minutes to train.
AFAIK you can't tell the router to advise the PC to send the frame a bit later, and also you are using a router, which doesn't have the err-disable recovery mechanism that switches have.
Also, I would suggest you use the dot1x config below. It's pretty stable. Setting the re-auth period to a low value is not recommended. Once the PC is authenticated, the only time it should reauthenticate is when the ARP entry on the router is about to expire; otherwise I see no reason why it should keep reauthenticating every now and then.
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period 14400
dot1x timeout tx-period 15
dot1x max-req 5
dot1x auth-fail vlan 1
dot1x guest-vlan 1
There are heaps of dot1x timers, but they are there to circumvent issues, not to create one (telling the PC to send the frame a bit later), if you know what I mean.
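The trade-off the question (30 s re-auth versus the 3600 s default) and the reply (14400 s with auth-fail VLAN 1) argue over, as an added example that is not part of the original thread and is not a description of IOS behaviour: a toy timeline model in which an authentication attempt can only succeed while the DSL line is trained (RADIUS reachable), and any failed attempt, initial or re-auth, lands the port in the auth-fail VLAN. The outage windows, the VLAN numbers and the simplification that everything except the re-auth period is ignored (no tx-period, max-req or EAP exchange duration) are my assumptions.

```python
"""Toy timeline model of the 802.1X re-auth trade-off discussed in the thread.

Assumptions (mine, not IOS behaviour):
- An authentication attempt succeeds only when the DSL line is trained, i.e.
  RADIUS is reachable; otherwise it fails and the port goes to the auth-fail
  VLAN (VLAN 1, as in the posted "dot1x auth-fail vlan 1").
- The PC sends EAPOL at t=0 and the authenticator re-authenticates every
  `reauth_period` seconds after that.
- A failed re-authentication of an already authenticated port also moves the
  port to VLAN 1 (the "PC in VLAN1 with a VLAN40 address" situation).
"""
from dataclasses import dataclass

TRUSTED_VLAN = 40    # VLAN40 is the trusted VLAN in the question
AUTH_FAIL_VLAN = 1   # VLAN1 is guest / auth-fail in the question


@dataclass
class Outcome:
    transitions: list[tuple[int, int]]  # (time, vlan) whenever the port VLAN changes
    seconds_trusted: int                # seconds spent in the trusted VLAN


def radius_reachable(t: int, outages: list[tuple[int, int]]) -> bool:
    """RADIUS is reachable unless t falls inside a DSL retrain window [start, end)."""
    return not any(start <= t < end for start, end in outages)


def simulate(reauth_period: int, outages: list[tuple[int, int]], horizon: int) -> Outcome:
    """Walk one port second by second for `horizon` seconds and record VLAN changes."""
    vlan = None
    transitions: list[tuple[int, int]] = []
    seconds_trusted = 0
    next_auth = 0  # first attempt when the PC sends EAPOL at boot
    for t in range(horizon):
        if t == next_auth:
            new_vlan = TRUSTED_VLAN if radius_reachable(t, outages) else AUTH_FAIL_VLAN
            if new_vlan != vlan:
                transitions.append((t, new_vlan))
                vlan = new_vlan
            next_auth = t + reauth_period
        if vlan == TRUSTED_VLAN:
            seconds_trusted += 1
    return Outcome(transitions, seconds_trusted)


if __name__ == "__main__":
    # Constructed scenarios: (a) DSL trains for the first 3 minutes after a
    # router reboot; (b) a 5-minute retrain in the middle of a session.
    scenarios = {
        "boot, DSL trains 0-180 s": [(0, 180)],
        "retrain 1000-1300 s": [(1000, 1300)],
    }
    for name, outages in scenarios.items():
        for period in (30, 3600, 14400):
            out = simulate(period, outages, horizon=3600)
            print(f"{name:28s} reauth={period:5d}s  "
                  f"transitions={out.transitions}  trusted={out.seconds_trusted}s")
```

Running it shows both halves of the argument: with a 30 s period the port that failed at boot recovers as soon as the line is up, but a mid-session retrain knocks an authenticated PC into VLAN 1 at the next re-auth, exactly the useless-connection state the question describes; with 14400 s the mid-session retrain is ridden out entirely, but a port that failed at boot stays in VLAN 1 until the next re-auth or a shut/no shut.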