dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
View
System view
Default level
2: System level
Parameters
handshake-period-value: Sets the handshake timer in seconds, in the range of 5 to 1024.
quiet-period-value: Sets the quiet timer in seconds, in the range of 10 to 120.
reauth-period-value: Sets the periodic re-authentication timer in seconds, in the range of 60 to 7200.
server-timeout-value: Sets the server timeout timer in seconds, in the range of 100 to 300.
supp-timeout-value: Sets the client timeout timer in seconds, in the range of 1 to 120.
tx-period-value: Sets the username request timeout timer in seconds. The value range for this argument is 1 to 120.
Description
Use dot1x timer to set 802.1X timers.
Use undo dot1x timer to restore the defaults.
By default, the handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds.
You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.
The network device uses the following 802.1X timers:
Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
Quiet timer (quiet-period)—Starts when a client fails authentication. The access device does not process authentication attempts from that client until this timer expires.
Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. A change to the periodic re-authentication timer applies to users who are already online only after the old timer expires.
Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
Related commands: display dot1x.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] dot1x timer server-timeout 150
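The following Python example is added here and is not part of the original command reference. It audits saved configuration text or a template offline: it applies the dot1x timer and undo dot1x timer lines in order, checks each value against the ranges listed under Parameters, and returns the effective timers using the defaults from Description. The function name audit_dot1x_timers and the sample configuration are assumptions made for illustration.

```python
import re

# Ranges and defaults in seconds, as documented on this page: (min, max, default).
TIMERS = {
    "handshake-period": (5, 1024, 15),
    "quiet-period": (10, 120, 60),
    "reauth-period": (60, 7200, 3600),
    "server-timeout": (100, 300, 100),
    "supp-timeout": (1, 120, 30),
    "tx-period": (1, 120, 30),
}
LINE_RE = re.compile(r"^\s*(undo\s+)?dot1x\s+timer\s+(\S+)(?:\s+(\S+))?\s*$")


def audit_dot1x_timers(config_text):
    """Hypothetical helper: return (effective_timers, findings) for config_text."""
    effective = {name: default for name, (_, _, default) in TIMERS.items()}
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dot1x timer line
        undo, name, value = m.groups()
        if name not in TIMERS:
            findings.append((lineno, f"unknown timer '{name}'"))
            continue
        low, high, default = TIMERS[name]
        if undo:
            effective[name] = default  # undo restores the documented default
            continue
        if value is None or not value.isdigit():
            findings.append((lineno, f"{name}: missing or non-numeric value"))
            continue
        seconds = int(value)
        if not low <= seconds <= high:
            # Out-of-range values are reported and do not change the timer.
            findings.append((lineno, f"{name}: {seconds} outside {low}-{high}"))
            continue
        effective[name] = seconds
    return effective, findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
dot1x timer server-timeout 150
dot1x timer quiet-period 300
dot1x timer reauth-period 1800
undo dot1x timer reauth-period
dot1x timer tx-period 20
"""
```

For SAMPLE, the quiet-period line is reported as out of range and the quiet timer stays at its default, while the undo line returns the re-authentication timer to 3600 seconds.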