The dot1x timer command configures the parameters of each 802.1X timer.
The undo dot1x timer command restores the default settings.
For the default parameter settings of each 802.1X timer, see the parameter description.
dot1x timer { client-timeout client-timeout-value | reauthenticate-period reauthenticate-period-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value }
undo dot1x timer { client-timeout | reauthenticate-period | handshake-period | eth-trunk-access handshake-period }
| Parameter | Description | Value |
|---|---|---|
| client-timeout client-timeout-value | Specifies the client authentication timeout interval. You are advised to set this parameter to 30 seconds for wired users. NOTE: On the network, some terminals may be slow to respond to EAP-Request/MD5 Challenge packets sent from the device. If the delay is long, you can increase client-timeout client-timeout-value so that these terminals can go online. The adjustment rule is as follows: 3 x client-timeout client-timeout-value > Terminal response delay | The value is an integer in the range from 1 to 120, in seconds. By default, the client authentication timeout interval is 5 seconds. |
| reauthenticate-period reauthenticate-period-value | Specifies the periodic re-authentication period for online 802.1X users. | The value is an integer that ranges from 1 to 65535, in seconds. By default, the periodic re-authentication period is 3600 seconds for online 802.1X users. |
| handshake-period handshake-period-value | Specifies the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface. For details, see dot1x handshake. | The value is an integer in the range from 5 to 7200, in seconds. By default, the interval for sending handshake packets is 15 seconds. |
| eth-trunk-access handshake-period handshake-period-value | Specifies the interval at which the device handshakes with an 802.1X client on an Eth-Trunk. For details, see dot1x handshake. | The value is an integer in the range from 30 to 7200, in seconds. By default, the interval for sending handshake packets is 120 seconds. |
During 802.1X authentication, multiple timers are started to implement proper and orderly interactions between access users, access devices, and the authentication server. You can change the values of timers by running the dot1x timer command to adjust the interaction process. (The values of some timers cannot be changed.) This command is necessary in special network environments. It is recommended that you retain the default settings of the timers.
This command only sets the values of the timers. To enable the timers, perform corresponding configurations or use default settings.
It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.
In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.
When many users are online, the actual re-authentication interval for a user may be longer than the configured re-authentication interval, which reduces the impact on device performance.
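The ranges, defaults, and the 3 x client-timeout rule above can be checked offline against a saved configuration. The following is an added example, not part of the vendor documentation; the `audit` function, its `terminal_delay` parameter, and the sample configuration lines are assumptions made for illustration.

```python
import re

# (min, max, default) in seconds, copied from the parameter table above.
TIMERS = {
    "client-timeout": (1, 120, 5),
    "reauthenticate-period": (1, 65535, 3600),
    "handshake-period": (5, 7200, 15),
    "eth-trunk-access handshake-period": (30, 7200, 120),
}
LINE_RE = re.compile(
    r"^\s*(undo\s+)?dot1x\s+timer\s+"
    r"(eth-trunk-access\s+handshake-period|client-timeout|"
    r"reauthenticate-period|handshake-period)(?:\s+(\S+))?\s*$"
)
# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
dot1x timer client-timeout 30
dot1x timer reauthenticate-period 600
dot1x timer handshake-period 3
dot1x timer eth-trunk-access handshake-period 120
"""

def audit(config_text, terminal_delay=None):
    """Return (effective timers, findings) for the dot1x timer lines in a config."""
    effective = {name: default for name, (_, _, default) in TIMERS.items()}
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dot1x timer line
        undo, name, value = m.group(1), " ".join(m.group(2).split()), m.group(3)
        low, high, default = TIMERS[name]
        if undo:
            effective[name] = default  # undo restores the default
        elif value is not None and value.isdecimal() and low <= int(value) <= high:
            effective[name] = int(value)
        else:  # rejected value: the previous setting stays in effect
            findings.append(f"line {lineno}: {name} {value!r} outside {low}-{high} s")
    client = effective["client-timeout"]
    if terminal_delay is not None and 3 * client <= terminal_delay:
        findings.append(f"3 x client-timeout ({3 * client} s) does not exceed "
                        f"terminal response delay ({terminal_delay} s)")
    if effective["reauthenticate-period"] < TIMERS["reauthenticate-period"][2]:
        findings.append("reauthenticate-period below the 3600 s default: "
                        "CPU usage may be higher with remote authentication")
    return effective, findings

if __name__ == "__main__":
    print(audit(SAMPLE, terminal_delay=100))
```
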