Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

802.1X - configuring authentication attempts

Can you configure multiple attempts (more then the defaule=3)with 802.1X & radius (cisco acs 4.0) in a wired environment?

4 REPLIES
New Member

Re: 802.1X - configuring authentication attempts

You can use "dot1x max-req" under the interface to control how many times the suppliant can try to communicate with RADIUS server.

Cisco Employee

Re: 802.1X - configuring authentication attempts

Actually, max-req represents the maximum number of retries a switch attempts (if it needs to) for EAP-Request frames of types other than EAP-Identity-Request.

Or in other words, say a supplicant disappears (or goes bonkers) in the middle of an authentication attempt. The switch would re-transmit an EAP-Data-Request frame it did not get a response to twice (if you assume max-req = 3) before giving up on the auth attempt completely.

So apologies for being too literal, but what do you meand by "configure multiple attempts"?

Thanks,

New Member

Re: 802.1X - configuring authentication attempts

My customer wants the user to be able to have more no of attempts to provide the username & password in the event of the user providing wrong information. AT the moment the switch provides 3 attempts. I have configured the max req = 5 but still it provides only 3 attempts in total. Is there some thing i am missing?

Re: 802.1X - configuring authentication attempts

What supplicant are you using? I have been doing some testing using the Windows built-in supplicant (Windows 2000) and have found that Windows seems to surpress subsequent authentication attempts after the 3rd failure. Debugging shows the switch still sending the EAPOL frames to the client but the client just ignores them. You can manually restart the 'Wireless Configuration Service' on the client and the logon dialogue box appears again, either that or unplug the ethernet cable and re-connect it.

It maybe soemthing that can be increased on the client through a registry setting but I haven't found anything yet.

HTH

Andy

117
Views
0
Helpful
4
Replies
CreatePlease to create content