I am trying to implement a guest vlan, and I came across an issue with the default 802.1x timers. It appears that the default 30 second timers and the dot1x max-req # of 2 will cause a 90 second delay before the port switches to auth-fail or guest-vlan. The windows DHCP will fail at 62 seconds, and the user will get an APIPA address of 169.254.0.0. This could cause the user to think they are connected but they are not. DHCP will eventually try again after 5 minutes which is way too long. I have played around with the dot1x timers and wanted to know what other people are using and what Cisco recommends for this issue. Portfast is configured on these ports as well. Here is what I have tried:
This gives an EAP success for Guest-VLAN after 30 seconds:
dot1x timeout tx-period seconds 10
dot1x max-req 2
This gives EAP Success after 20 seconds:
dot1x timeout tx-period seconds 10
dot1x max-req 1
Just trying to figure out what are the best timers. Also I was going to change the dot1x timeout quiet-period to about 5 seconds for quicker response when a true 802.1x supplicant user with correct credentials connects and has problems. The last question is what about remote users that authenticate across a WAN with a TTL of 40-80ms? What would be good timers or would these work? Thanks!
The timer in question for 1X-timeout is the tx-period. The default is 30-sec. The variable in question for 1X-timeout is the max-reauth-req parameter. The default is 2.
From a security perspective, 802.1X typically means no data-plane or port-access at all until 802.1X has completed. Analogy is there's a lock on all your doors (switch ports).
The Guest-VLAN is a fallback mechanism to provide network access even though a device on the other end may not be 1X-capable (or have no key).
The tx-period and max-reauth-req parameters can be tuned down to 2-sec (instead of the default of 90) to enable the Guest-VLAN. So, even though you can attempt to provide differentiated access with the Guest-VLAN, please consider this when planning your deployments.
So this depends on your policy; since you're really examining how quickly you would like to allow someone without a key through your otherwise locked door anyway.
Good point about the startup. I guess I should try to get close to the 62 second DHCP timeout, say 45 seconds, and that should be good. We are trying to get our conference rooms to where someone plugs in, they either get on our corporate network with their valid certificate, or fail, get a DHCP in our guest network and go out the BBSM. Just wanted to see anybody out there that is running this now with no issues and what timers they are using. I think I will stick with the 15 for the tx-period and leave the max-reauth-req parameter at 2 for a total EAP timeout of 45 seconds for Guest VLAN. This still gives another 17 seconds for DHCP.
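The thread arrives at its timer values by hand. As an added example (not code from the thread or from Cisco), the helper below makes that arithmetic explicit: the port falls back to the guest VLAN after the initial EAP-Request/Identity plus max-reauth-req retries, i.e. (max-reauth-req + 1) x tx-period seconds, which reproduces every figure quoted above (30 x 3 = 90, 10 x 3 = 30, 10 x 2 = 20, 15 x 3 = 45). It uses the reply's parameter name (dot1x max-reauth-req, the one that governs guest-VLAN fallback) and takes the 62 second Windows DHCP timeout from the question; the 15 second headroom in the usage call is an assumed planning margin, not a value from the thread.

```python
from dataclasses import dataclass
from typing import List

# Value quoted in the thread: the Windows DHCP client gives up and falls back
# to an APIPA (169.254.x.x) address after about 62 seconds.
WINDOWS_DHCP_TIMEOUT_S = 62


@dataclass(frozen=True)
class Dot1xTimers:
    tx_period: int = 30       # dot1x timeout tx-period, seconds (IOS default 30)
    max_reauth_req: int = 2   # dot1x max-reauth-req (IOS default 2)

    def guest_vlan_delay(self) -> int:
        """Seconds from link-up until the port falls back to the guest VLAN.

        The switch sends one EAP-Request/Identity, then retransmits it
        max_reauth_req more times, waiting tx_period between attempts, so
        fallback happens after (max_reauth_req + 1) * tx_period seconds.
        """
        return (self.max_reauth_req + 1) * self.tx_period

    def dhcp_margin(self, dhcp_timeout: int = WINDOWS_DHCP_TIMEOUT_S) -> int:
        """Seconds left for DHCP on the guest VLAN before the client gives up.

        Negative means the client has already fallen back to APIPA and will
        not retry for minutes, which is the failure mode described above.
        """
        return dhcp_timeout - self.guest_vlan_delay()

    def config_lines(self) -> List[str]:
        """Interface-level IOS commands that produce these timers."""
        return [
            f"dot1x timeout tx-period {self.tx_period}",
            f"dot1x max-reauth-req {self.max_reauth_req}",
        ]


def max_tx_period(max_reauth_req: int,
                  dhcp_timeout: int = WINDOWS_DHCP_TIMEOUT_S,
                  headroom: int = 0) -> int:
    """Largest whole-second tx-period that still leaves `headroom` seconds
    for DHCP after guest-VLAN fallback, for a given max-reauth-req."""
    return (dhcp_timeout - headroom) // (max_reauth_req + 1)


def evaluate(candidates: List[Dot1xTimers],
             dhcp_timeout: int = WINDOWS_DHCP_TIMEOUT_S) -> List[dict]:
    """Tabulate fallback delay and DHCP margin for each candidate setting."""
    return [
        {
            "tx_period": c.tx_period,
            "max_reauth_req": c.max_reauth_req,
            "guest_vlan_delay": c.guest_vlan_delay(),
            "dhcp_margin": c.dhcp_margin(dhcp_timeout),
            "dhcp_ok": c.dhcp_margin(dhcp_timeout) > 0,
        }
        for c in candidates
    ]


if __name__ == "__main__":
    # The four settings discussed in the thread: IOS defaults and the three tried.
    tried = [Dot1xTimers(), Dot1xTimers(10, 2), Dot1xTimers(10, 1), Dot1xTimers(15, 2)]
    for row in evaluate(tried):
        print(row)
    # Assumed planning margin of 15 s: what tx-period fits with max-reauth-req 2?
    print("max tx-period with 15 s headroom:", max_tx_period(2, headroom=15))
    print("\n".join(Dot1xTimers(15, 2).config_lines()))
```

Only the defaults fail the DHCP check (90 s fallback, margin -28 s); the chosen 15 s / 2 setting gives 45 s and a 17 s margin, and `max_tx_period(2, headroom=15)` lands on the same 15 s. Note that tx-period is configured in whole seconds, so a 40-80 ms WAN round trip is far below the granularity of any of these timers; what matters on a WAN link is the RADIUS server timeout for real supplicants, not the guest-VLAN fallback.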