Setting The 802.1X Authentication Timeout Timers; Configuring The Online User Handshake Feature - HP FlexNetwork 10500 Series Security Configuration Manual


To set the maximum number of authentication request attempts:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the maximum number of attempts for sending an authentication request.
  Command: dot1x retry max-retry-value
  Remarks: The default setting is 2.

Setting the 802.1X authentication timeout timers

The network device uses the following 802.1X authentication timeout timers:

- Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
- Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

- In a low-speed network, increase the client timeout timer.
- In a network with authentication servers of different performance, adjust the server timeout timer.

To set the 802.1X authentication timeout timers:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the client timeout timer.
  Command: dot1x timer supp-timeout supp-timeout-value
  Remarks: The default is 30 seconds.
Step 3. Set the server timeout timer.
  Command: dot1x timer server-timeout server-timeout-value
  Remarks: The default is 100 seconds.

Configuring the online user handshake feature

The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online user after it has made the maximum handshake attempts, the device sets the user to offline state. To set the maximum handshake attempts, use the dot1x retry command.

Typically, the device does not reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets. Some 802.1X clients will go offline if they do not receive the EAP-Success packets for handshake. To avoid this problem, enable the online user handshake reply feature.

If iNode clients are deployed, you can also enable the online user handshake security feature to check authentication information in the handshake packets from clients. This feature can prevent 802.1X users who use illegal client software from bypassing iNode security check, such as dual network interface cards (NICs) detection. If a user fails the handshake security checking, the device sets the user to the offline state.
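The following Python sketch is an added example, not part of the HP manual. It reads a saved configuration, applies the defaults stated on this page, and derives how long an unresponsive client is retried and how long a silent online user stays authorized before the handshake feature sets it offline. The sample configuration is constructed, the function names are hypothetical, and the timing model (each attempt waits one full interval) is a simplifying assumption.

```python
import re

# Defaults stated on this page. The handshake-period default is not given
# here, so it stays None unless the configuration sets it explicitly.
PAGE_DEFAULTS = {"retry": 2, "supp-timeout": 30, "server-timeout": 100,
                 "handshake-period": None}

# Matches "dot1x retry N" and "dot1x timer <name> N"; "undo ..." lines and
# bare "dot1x" enable lines do not match.
_LINE = re.compile(
    r"^\s*dot1x\s+(?:(retry)|timer\s+"
    r"(supp-timeout|server-timeout|handshake-period))\s+(\d+)\s*$")

def effective_dot1x(config_text):
    """Return the effective 802.1X retry and timer values for a config."""
    values = dict(PAGE_DEFAULTS)
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1) or m.group(2)] = int(m.group(3))
    return values

def timing_report(values):
    """Derive time budgets in seconds.

    Assumption: every attempt waits one full timer interval before the next.
    """
    period = values["handshake-period"]
    return {
        # Time spent retransmitting requests to a client that never answers.
        "client_request_budget": values["retry"] * values["supp-timeout"],
        # Time a silent online user stays authorized before being set offline.
        "offline_detection_window":
            None if period is None else values["retry"] * period,
        # Settings that differ from the defaults documented on this page.
        "non_default": sorted(k for k, d in PAGE_DEFAULTS.items()
                              if d is not None and values[k] != d),
    }

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
sysname access-sw1
dot1x
dot1x retry 3
dot1x timer supp-timeout 60
dot1x timer handshake-period 20
interface GigabitEthernet1/0/1
 dot1x
"""

if __name__ == "__main__":
    print(timing_report(effective_dot1x(SAMPLE_CONFIG)))
```

Because dot1x retry feeds both figures, raising it for slow clients also lengthens the window in which a disconnected user is still treated as online.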
