802.1x timers and DHCP

miwitte
Level 4

I am trying to implement a guest VLAN, and I came across an issue with the default 802.1x timers. It appears that the default 30 second timers and the dot1x max-req of 2 will cause a 90 second delay before the port switches to auth-fail or guest-vlan. The Windows DHCP client will fail at 62 seconds, and the user will get an APIPA address in 169.254.0.0. This could cause the user to think they are connected when they are not. DHCP will eventually try again after 5 minutes, which is way too long. I have played around with the dot1x timers and wanted to know what other people are using and what Cisco recommends for this issue. Portfast is configured on these ports as well. Here is what I have tried:

This gives an EAP success for Guest-VLAN after 30 seconds:

dot1x timeout tx-period 10

dot1x max-req 2

This gives EAP success after 20 seconds:

dot1x timeout tx-period 10

dot1x max-req 1

Just trying to figure out what are the best timers. Also I was going to change the dot1x timeout quiet-period to about 5 seconds for quicker response when a true 802.1x supplicant user with correct credentials connects and has problems. The last question is what about remote users that authenticate across a WAN with a TTL of 40-80ms? What would be good timers or would these work? Thanks!

3 Replies

dominic.caron
Level 5

I'm looking into this myself right now. I just want to add one point...

Let's say you connect a laptop to a dot1x-enabled port and then you start the laptop. The network interface will come up, but the PC won't have its dot1x client loaded.

If you put the timer to 20 Seconds, the PC will be put in the Guest Vlan.

jafrazie
Cisco Employee

The timer in question for 1X-timeout is the tx-period. The default is 30-sec. The variable in question for 1X-timeout is the max-reauth-req parameter. The default is 2.

From a security perspective, 802.1X typically means no data-plane or port-access at all until 802.1X has completed. Analogy is there's a lock on all your doors (switch ports).

The Guest-VLAN is a fallback mechanism to provide network access even though a device on the other end may not be 1X-capable (or have no key).

The tx-period and max-reauth-req parameters can be tuned down to 2-sec (instead of the default of 90) to enable the Guest-VLAN. So, even though you can attempt to provide differentiated access with the Guest-VLAN, please consider this when planning your deployments.

So this depends on your policy; since you're really examining how quickly you would like to allow someone without a key through your otherwise locked door anyway.

Hope this helps,

Good point about the startup. I guess I should try to get close to the 62 second DHCP timeout, say 45 seconds, and that should be good. We are trying to get our conference rooms to where someone plugs in, and they either get on our corporate network with their valid certificate, or fail, get a DHCP address in our guest network and go out the BBSM. Just wanted to see if anybody out there is running this now with no issues and what timers they are using. I think I will stick with the 15 for the tx-period and leave the max-reauth-req parameter at 2 for a total EAP timeout of 45 seconds for Guest VLAN. This still gives another 17 seconds for DHCP.
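The timing budget the thread works out by hand, as an added example (not from the original posts or from Cisco): the switch gives up on 802.1X and falls into the Guest-VLAN after (max-reauth-req + 1) * tx-period seconds, and that delay has to land safely before the Windows DHCP client stops trying at about 62 seconds. The 62 second figure and the candidate timer pairs are the values quoted in this thread, not measurements.

```python
# Guest-VLAN fallback timing vs. the Windows DHCP client timeout.
# Added example; the constants are the values quoted in this thread
# (tx-period default 30 s, max-reauth-req default 2, Windows DHCP client
# gives up after about 62 s), not measured data.

DHCP_CLIENT_TIMEOUT_S = 62  # from the thread: Windows falls back to APIPA after ~62 s


def guest_vlan_delay(tx_period: int, max_reauth_req: int) -> int:
    """Seconds from link-up until the port falls into the Guest-VLAN.

    The switch sends an EAP-Request/Identity right away and retransmits it
    every tx-period seconds up to max-reauth-req times.  Only when the last
    retransmission also times out does it give up on 802.1X, so the delay
    is (max-reauth-req + 1) * tx-period: 3 * 30 = 90 s with the defaults.
    """
    if tx_period < 1 or max_reauth_req < 1:
        raise ValueError("tx-period and max-reauth-req must be >= 1")
    return (max_reauth_req + 1) * tx_period


def evaluate(tx_period: int, max_reauth_req: int,
             dhcp_timeout: int = DHCP_CLIENT_TIMEOUT_S) -> dict:
    """Report whether a host without a supplicant reaches the Guest-VLAN
    before its DHCP client gives up, and how many seconds are left for
    the DHCP exchange once the port opens."""
    delay = guest_vlan_delay(tx_period, max_reauth_req)
    return {
        "tx_period": tx_period,
        "max_reauth_req": max_reauth_req,
        "guest_vlan_delay_s": delay,
        "dhcp_margin_s": dhcp_timeout - delay,
        "fits_before_dhcp_timeout": delay < dhcp_timeout,
    }


if __name__ == "__main__":
    # IOS defaults first, then the candidates tried in the thread.
    for tx, req in [(30, 2), (10, 2), (10, 1), (15, 2)]:
        r = evaluate(tx, req)
        print(f"dot1x timeout tx-period {tx:2d} / dot1x max-reauth-req {req}: "
              f"Guest-VLAN after {r['guest_vlan_delay_s']:2d} s, "
              f"DHCP margin {r['dhcp_margin_s']:+d} s")
```

With the defaults the margin is negative (90 s fallback against a 62 s DHCP timeout), which is exactly the APIPA symptom described at the top of the thread; the 15 s / 2 combination leaves the 17 second margin the last post mentions.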
