Cisco Support Community
Community Member

dot1x behavior

I performed a "dot1x debug packet" on an XP supplicant. I had reauth-max-req set to 2 but I observed 3 EAP code=1 (requests) frames, why? Also, how does reauth-max-req differ from maxreq? My opinion is that maxreq is for managing the flow from authenticator to server and reauthmaxreq is to manage supplicant to authenticator flow?

Cisco Employee

Re: dot1x behavior

dot1x max-reauth-req: This is the timer for EAPOL-Identity-Request frames themselves. The reason you see is b/c the value is set to 2 by default.

dot1x max-req: affects the number of times EAPOL data (i.e. Non-ID-Request) frames are re-transmitted (if lost, or not replied to).

Both of these timers indicate responsibility of the supplicant to retransmit the frames if they've gone unanswered.

There shouldn't be anything 1X-related to manage flow from authenticator to authentication server, other than maybe a high-water/give-up timer. And I wouldn't suggest trying to use something like this anyway. This should be managed from AAA/RADIUS.

Does this help?
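To check a capture against the distinction drawn in the reply above, the following added example (not part of the thread and not Cisco code) sorts EAPOL frames into Identity-Requests and other EAP requests and names the counter the reply associates with each. The frame builder, the MAC addresses and the sample frames are constructed for illustration; the EAP code and type values are those of RFC 3748.

```python
import struct
from collections import Counter

ETH_P_PAE = 0x888E       # EtherType for EAPOL (IEEE 802.1X)
EAPOL_EAP_PACKET = 0     # EAPOL packet type that carries an EAP message
EAP_REQUEST = 1          # EAP Code 1 = Request (RFC 3748)
EAP_TYPE_IDENTITY = 1    # EAP Type 1 = Identity (RFC 3748)
GOVERNED_BY = {"identity-request": "dot1x max-reauth-req",   # per the reply above
               "data-request": "dot1x max-req"}

def classify(frame: bytes) -> str:
    """Label one Ethernet frame by the kind of EAP request it carries."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return "not-eapol"
    _version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        return "eapol-other"             # e.g. EAPOL-Start, EAPOL-Logoff
    body = frame[18:18 + plen]
    if len(body) < 4:
        return "malformed"
    code, _ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > len(body):
        return "malformed"               # EAP length disagrees with the frame
    if code != EAP_REQUEST:
        return "eap-other"               # Response, Success or Failure
    if elen < 5:
        return "malformed"               # a Request must carry a Type octet
    return "identity-request" if body[4] == EAP_TYPE_IDENTITY else "data-request"

def build(code, ident, eap_type=None, data=b"", ptype=EAPOL_EAP_PACKET):
    """Construct a test frame (hypothetical helper with made-up MACs)."""
    eap = b""
    if ptype == EAPOL_EAP_PACKET:
        tail = b"" if eap_type is None else bytes([eap_type]) + data
        eap = struct.pack("!BBH", code, ident, 4 + len(tail)) + tail
    eth = bytes.fromhex("0180c2000003" "020000000001") + struct.pack("!H", ETH_P_PAE)
    return eth + struct.pack("!BBH", 1, ptype, len(eap)) + eap

def summarize(frames):
    return Counter(classify(f) for f in frames)

# Constructed sample frames, not a real capture.
SAMPLE = [build(1, 1, 1)] * 3 + [            # three Identity-Requests, as the poster reports
    build(0, 0, ptype=1),                    # EAPOL-Start
    build(2, 1, 1, b"user"),                 # Response/Identity
    build(1, 2, 4, b"\x10" + bytes(16)),     # Request/MD5-Challenge
    build(3, 2)]                             # Success
if __name__ == "__main__":
    for kind, n in summarize(SAMPLE).items():
        print(f"{kind:17} {n}  {GOVERNED_BY.get(kind, '')}")
```
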

Community Member

Re: dot1x behavior

ok, so one is for data frames and the other is for the initial authentication attempt, correct?

Also, if max-reauth-req is set to 2 why are 3 EAP identity request frames sent? Is it because the first is an authentication attempt and the other 2 are reauth attempts?

This does help but I am not quite all the way there.
