During authentication the AP just acts as a go-between for the Radius server and the XSupplicant. It just passes info and waits for the Radius server to tell it all is OK (that's an oversimplification of the process as I understand it). Since the AP is not a participant in the conversation, it's not a matter of how many attempts but rather how long it takes. In Cisco IOS the default time the AP gives the client to authenticate is 30 seconds. If the client does not authenticate in that time interval then the AP dis-associates the client and the association/authentication cycle has to be restarted by the client. That value can be changed to suit your needs. In the WebAdmin interface go to "Security | Advanced Security | EAP Authentication" and change the "EAP Client Timeout".
OR
From global configuration mode (config t):
  interface Dot11Radio0
  dot1x client-timeout <seconds>
Reauthentication happens at regular intervals starting from the time of successful authentication as set by the Radius server OR the AP can force reauthentication at a regular interval of your setting. Note: if you force reauthentication at the AP make sure you use a time interval less than that provided by the Radius server.
In the WebAdmin interface go to "Security | Advanced Security | EAP Authentication" and change the "EAP Reauthentication Interval".
OR
From global configuration mode (config t):
  interface Dot11Radio0
  dot1x reauth-period <seconds>
There is no way (that I know of) to automatically force reauthentication at a set time (e.g. 9:00am, top of the hour, half-past, etc.).
To manually force reauthentication go to the "Association" menu in WebAdmin and dis-associate the specific client. That restarts the Association/Authentication cycle.
If you are running a dynamic key authentication protocol like EAP-TLS or PEAP the Radius server *should* serve up new keys with each new authentication.
I hope that answers your question.
Mark C.
[EMAIL PROTECTED] wrote:
Hi Mark,
Actually I want to know how to set the total number of authentication/reauthentication params inside the CISCO 1100 AP. It means I want to set the maximum number of authentication attempts after which the trusted port in the AP will be finally unauthorized. Also, how can I force the AP to start reauthentication? It seems to me that I can set the reauthentication interval inside the AP, but I am not able to force reauthentication at any time (not depending on the interval) inside the AP.
Regards Ankan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

