Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 11 Configuring Authentication Types
Use the no form of these commands to reset the values to default settings.
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
This section describes the optional configuration of an EAP method list for the 802.1X supplicant.
Configuring EAP method profiles lets the supplicant decline to acknowledge some EAP methods, even
though they are available on the supplicant. For example, if a RADIUS server supports EAP-FAST and
LEAP, under certain configurations, the server might initially employ LEAP instead of a more secure
method. If no preferred EAP method list is defined, the supplicant supports LEAP, but it may be
advantageous to force the supplicant to use a more secure method such as EAP-FAST.
See Creating a Credentials Profile, page 4-26 for additional information about the 802.1X supplicant.
Step 5
  Command: dot1x reauth-period { seconds | server }
  Purpose: Enter the interval in seconds that the access point waits before
  forcing an authenticated client to reauthenticate.
  Enter the server keyword to configure the access point to use the
  reauthentication period specified by the authentication server. If you use
  this option, configure your authentication server with RADIUS attribute 27,
  Session-Timeout. This attribute sets the maximum number of seconds of service
  to be provided to the client before termination of the session or prompt. The
  server sends this attribute to the access point when a client device performs
  EAP authentication.
  Note: If you configure both MAC address authentication and EAP authentication
  for an SSID, the server sends the Session-Timeout attribute for both MAC and
  EAP authentications for a client device. The access point uses the
  Session-Timeout attribute for the last authentication that the client
  performs. For example, if a client performs MAC address authentication and
  then performs EAP authentication, the access point uses the server’s
  Session-Timeout value for the EAP authentication. To avoid confusion on which
  Session-Timeout attribute is used, configure the same Session-Timeout value
  on your authentication server for both MAC and EAP authentication.

Step 6
  Command: countermeasure tkip hold-time seconds
  Purpose: Configure a TKIP MIC failure holdtime. You can specify a hold-time
  in the range 0 to 65535 seconds. The default is 60 seconds.
  If the access point detects two MIC failures within, for example, 60 seconds,
  it blocks all the TKIP clients on that interface for the holdtime period.

Step 7
  Command: end
  Purpose: Return to privileged EXEC mode.

Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
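The Session-Timeout behavior described for dot1x reauth-period server, as an added Python example (not from the Cisco guide): it parses RADIUS attribute 27 out of Access-Accept packets and reports the value the access point would use after a MAC-then-EAP sequence, plus whether the server's two values agree. The packets are constructed with a zeroed authenticator, and all function names are hypothetical.

```python
import struct

SESSION_TIMEOUT = 27  # RADIUS attribute type 27 (RFC 2865): 4-byte unsigned seconds
ACCESS_ACCEPT = 2     # RADIUS packet code for Access-Accept

def build_access_accept(ident, seconds):
    """Constructed sample packet: zeroed authenticator, one Session-Timeout attribute."""
    attr = struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attr), b"\x00" * 16)
    return header + attr

def parse_session_timeout(packet):
    """Return Session-Timeout in seconds from an Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos < length:  # walk the type/length/value attribute list
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_type == SESSION_TIMEOUT:
            if a_len != 6:
                raise ValueError("Session-Timeout value must be 4 bytes")
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += a_len
    return None

def audit(accepts):
    """accepts: (auth_type, packet) pairs in the order the client authenticated.
    Returns (effective_seconds, consistent). The access point uses the value from
    the last authentication; consistent is False when the server's values differ."""
    values = [parse_session_timeout(pkt) for _kind, pkt in accepts]
    return values[-1], len(set(values)) == 1

# Constructed sample: MAC authentication first, then EAP, with mismatched timeouts.
SAMPLE = [("mac", build_access_accept(1, 1800)), ("eap", build_access_accept(2, 3600))]

if __name__ == "__main__":
    effective, consistent = audit(SAMPLE)
    print(f"effective reauth period: {effective}s, server values consistent: {consistent}")
```

A collector handling live traffic would verify the Response Authenticator against the shared secret before trusting any attribute; the sample skips that because its packets are synthetic.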