93
Setting the maximum number of authentication
request attempts
The network access device retransmits an authentication request if it receives no response to the
request it has sent to the client within a period of time (specified by using the dot1x timer tx-period
tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command). The
network access device stops retransmitting the request, if it has made the maximum number of
request transmission attempts but still received no response.
To set the maximum number of authentication request attempts:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Set the maximum number of attempts
for sending an authentication request.
dot1x retry
max-retry-value
The default setting is
2.
Setting the 802.1X authentication timeout timers
The network device uses the following 802.1X authentication timeout timers:
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge
packet to a client. If no response is received when this timer expires, the access device
retransmits the request to the client.
• Server timeout timer—Starts when the access device sends a RADIUS Access-Request
packet to the authentication server. If no response is received when this timer expires, the
access device retransmits the request to the server.
You can set the client timeout timer to a high value in a low-performance network, and adjust the
server timeout timer to adapt to the performance of different authentication servers. In most cases,
the default settings are sufficient.
To set the 802.1X authentication timeout timers:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Set the client timeout timer.
dot1x timer supp-timeout
supp-timeout-value
The default is 30 seconds.
3. Set the server timeout timer.
dot1x timer server-timeout
server-timeout-value
The default is 100 seconds.
Configuring the online user handshake function
The online user handshake function checks the connectivity status of online 802.1X users. The
network access device sends handshake messages to online users at the interval specified by the
dot1x timer handshake-period command. If no response is received from an online user after the
maximum number of handshake attempts (set by the dot1x retry command) has been made, the
network access device sets the user in the offline state.
If iNode clients are deployed, you can also enable the online handshake security function to check
for 802.1X users that use illegal client software to bypass security inspection such as proxy detection
and dual network interface cards (NICs) detection. This function checks the authentication
To Next Page
Loading...
Need help?
General
