
dot1x behavior

mjohnson
Level 1

I performed a "dot1x debug packet" on an XP supplicant. I had reauth-max-req set to 2 but I observed 3 EAP code=1 (requests) frames, why? Also, how does reauth-max-req differ from maxreq? My opinion is that maxreq is for managing the flow from authenticator to server and reauthmaxreq is to manage supplicant to authenticator flow?

2 Replies

jafrazie
Cisco Employee

dot1x max-reauth-req: This is the timer for EAPOL-Identity-Request frames themselves. The reason you see is b/c the value is set to 2 by default.

dot1x max-req: affects the number of times EAPOL data (i.e. Non-ID-Request) frames are re-transmitted (if lost, or not replied to).

Both of these timers indicate responsibility of the supplicant to retransmit the frames if they've gone unanswered.

There shouldn't be anything 1X-related to manage flow from authenticator to authentication server, other than maybe a high-water/give-up timer. And I wouldn't suggest trying to use something like this anyway. This should be managed from AAA/RADIUS.

Does this help?

ok, so one is for data frames and the other is for the initial authentication attempt, correct?

Also, if max-reauth-req is set to 2 why are 3 EAP identity request frames sent? Is it because the first is an authentication attempt and the other 2 are reauth attempts?

This does help but I am not quite all the way there.