Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 11 Configuring Authentication Types
Use the no form of these commands to reset the values to default settings.
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
This section describes the optional configuration of an EAP method list for the 802.1X supplicant.
Configuring EAP method profiles lets the supplicant decline to acknowledge some EAP methods, even
though they are available on the supplicant. For example, if a RADIUS server supports EAP-FAST and
LEAP, under certain configurations, the server might initially employ LEAP instead of a more secure
method. If no preferred EAP method list is defined, the supplicant supports LEAP, but it may be
advantageous to force the supplicant to use a more secure method such as EAP-FAST.
Note: The 802.1X supplicant is available on 1130AG, 1240AG, and 1300 series access points. It is not available
on 1100 and 1200 series access points.
See Creating a Credentials Profile, page 4-31 for additional information about the 802.1X supplicant.
Command and Purpose

Step 5  Command: dot1x reauth-period { seconds | server }
        Purpose: Enter the interval in seconds that the access point waits before
        forcing an authenticated client to reauthenticate.
        Enter the server keyword to configure the access point to use
        the reauthentication period specified by the authentication
        server. If you use this option, configure your authentication
        server with RADIUS attribute 27, Session-Timeout. This
        attribute sets the maximum number of seconds of service to be
        provided to the client before termination of the session or
        prompt. The server sends this attribute to the access point when
        a client device performs EAP authentication.
        Note: If you configure both MAC address authentication and
        EAP authentication for an SSID, the server sends the
        Session-Timeout attribute for both MAC and EAP
        authentications for a client device. The access point
        uses the Session-Timeout attribute for the last
        authentication that the client performs. For example, if
        a client performs MAC address authentication and then
        performs EAP authentication, the access point uses the
        server’s Session-Timeout value for the EAP
        authentication. To avoid confusion on which
        Session-Timeout attribute is used, configure the same
        Session-Timeout value on your authentication server
        for both MAC and EAP authentication.

Step 6  Command: countermeasure tkip hold-time seconds
        Purpose: Configure a TKIP MIC failure holdtime. If the access point
        detects two MIC failures within 60 seconds, it blocks all the
        TKIP clients on that interface for the holdtime period.

Step 7  Command: end
        Purpose: Return to privileged EXEC mode.

Step 8  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.
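
The TKIP MIC hold rule from Step 6, modeled in Python as an added example (not Cisco code and not part of the original guide), for working out from MIC-failure timestamps when TKIP clients on an interface were blocked. The event tuples, the interface names, the hold-time value, and the handling of failures that arrive during a hold are assumptions made for illustration.

```python
"""Model of the Step 6 TKIP MIC countermeasure rule (added example)."""
from dataclasses import dataclass

MIC_WINDOW = 60  # seconds; the fixed detection window stated in the guide


@dataclass
class Hold:
    interface: str
    start: int  # time of the second MIC failure, in seconds
    end: int    # start + configured hold-time


def countermeasure_holds(events, hold_time):
    """Return the hold periods implied by (timestamp, interface) MIC failures.

    Assumptions (not stated in the guide): failures seen while a hold is
    active are ignored, a failure that triggers a hold does not count toward
    the next one, and "within 60 seconds" includes exactly 60 seconds.
    """
    holds = []
    last_failure = {}   # interface -> time of the previous counted failure
    blocked_until = {}  # interface -> end of the active hold
    for ts, iface in sorted(events):
        if ts < blocked_until.get(iface, 0):
            continue  # TKIP clients are already blocked on this interface
        prev = last_failure.get(iface)
        if prev is not None and ts - prev <= MIC_WINDOW:
            holds.append(Hold(iface, ts, ts + hold_time))
            blocked_until[iface] = ts + hold_time
            last_failure.pop(iface)
        else:
            last_failure[iface] = ts
    return holds


# Constructed sample data: (seconds, interface) for each logged MIC failure.
SAMPLE_EVENTS = [
    (1000, "Dot11Radio0"),
    (1100, "Dot11Radio0"),  # 100 s after the previous failure: no hold
    (1130, "Dot11Radio0"),  # 30 s after the previous failure: hold starts
    (1150, "Dot11Radio0"),  # arrives during the hold
    (1140, "Dot11Radio1"),  # single failure on another interface: no hold
    (1400, "Dot11Radio0"),
    (1455, "Dot11Radio0"),  # 55 s after the previous failure: second hold
]

if __name__ == "__main__":
    for hold in countermeasure_holds(SAMPLE_EVENTS, hold_time=120):
        print(f"{hold.interface}: TKIP clients blocked {hold.start}-{hold.end}")
```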