Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

dot1x confusion

I have posted about this subject before, dot1x behavior and dot1x behavior 2. My problem is max-req and max-rerauth-req. The definition of each provided do not appear to match the definition in this Cisco doc "http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1025468" Specifically, sections "setting the switch to client retransmission number" and " setting the reauthentication number" the document states max-req is the number of EAP request identity frames that are sent to authenticate the client before restarting the authentication process. The prior answer provided appears to be in conflict with the documentation, can someone provide some insight as what these parameters are?

3 REPLIES
Cisco Employee

Re: dot1x confusion

max-reauth-req:

This is the timer for EAPOL-Identity-Request frames (only). So, if you plug in a device incapable of 802.1X, 3 EAPOL-Id-Req frames will go out on the wire before the state machine resets. Alternatively, if you have the Guest-VLAN configured, 3 will go out on the wire before the port is enabled. This parameter has a default value of 2.

max-req:

This value affects the number of times EAPOL DATA packets are re-transmitted (if lost, or not replied to). For example, if you have a supplicant in the middle of authenticating and it has a problem, the authenticator will re-transmit requests for data 3 times before giving up on the authentication request.

Both of these timers indicate responsibility of the authenticator to retransmit frames if that warrant a response by a supplicant and have gone unanswered.

Hope this helps,

New Member

Re: dot1x confusion

From the doc I specified above:

dot1x max-req

Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.

dot1x max-reauth-req

Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 1 to 10; the default is 2

The document appears to be in conflict with your definition and thats why I am confused.

Cisco Employee

Re: dot1x confusion

I'll file a documentation bug. This is old info.

max-reauth-req ~= reAuthMax as defined by IEEE 802.1X.

Hope this helps,

229
Views
0
Helpful
3
Replies
CreatePlease login to create content