Chapter 6 Configuring Authentication Types

Configure Authentication Types

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching. This example shows how to enable MAC authentication caching with a one-hour timeout:

ap# configure terminal

ap(config)# dot11 aaa authentication mac-authen filter-cache timeout 3600

ap(config)# end

Configuring Authentication Holdoffs, Timeouts, and Intervals

Beginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication periods, and authentication timeouts for client devices authenticating through your access point:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 2
  Command: dot11 holdoff-time seconds
  Purpose: Enter the number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication. The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point. Enter a value from 1 to 65555 seconds.

Step 3
  Command: interface dot11radio { 0 | 1 }
  Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step 4
  Command: dot1x client-timeout seconds
  Purpose: Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails. Enter a value from 1 to 65555 seconds.

Step 5
  Command: dot1x reauth-period { seconds | server }
  Purpose: Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate.

  Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to the client before termination of the session or prompt. The server sends this attribute to the access point when a client device performs EAP authentication.

  Note: If you configure both MAC address authentication and EAP authentication for an SSID, the server sends the Session-Timeout attribute for both MAC and EAP authentications for a client device. The access point uses the Session-Timeout attribute for the last authentication that the client performs. For example, if a client performs MAC address authentication and then performs EAP authentication, the access point uses the server’s Session-Timeout value for the EAP authentication. To avoid confusion on which Session-Timeout attribute is used, configure the same Session-Timeout value on your authentication server for both MAC and EAP authentication.
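
Added example (not part of the Cisco guide): a small Python audit that reads configuration text and checks the timers from the steps above against the stated 1 to 65555 second range, per radio. The function name, the sample configuration, and the assumption that radio sub-commands run until a "!", "end", "exit" or another interface line are constructed for illustration.

```python
import re

MIN_S, MAX_S = 1, 65555  # value range stated in the steps above
# Constructed sample config, not taken from a real device.
SAMPLE = """\
dot11 holdoff-time 15
interface dot11radio 0
 dot1x client-timeout 120
 dot1x reauth-period server
!
interface dot11radio 1
 dot1x client-timeout 0
"""

def audit(config_text):
    """Return (settings, findings) for the holdoff and dot1x timers."""
    settings, findings, radio = {"holdoff-time": None, "radios": {}}, [], None

    def seconds(value, where):
        if value.isdigit() and MIN_S <= int(value) <= MAX_S:
            return int(value)
        findings.append(f"{where}: '{value}' is outside {MIN_S}-{MAX_S} seconds")

    for line in (raw.strip().lower() for raw in config_text.splitlines()):
        if m := re.fullmatch(r"interface dot11radio\s*([01])", line):
            radio = m.group(1)  # enter radio interface context
            settings["radios"][radio] = {"client-timeout": None, "reauth-period": None}
        elif line.startswith("interface ") or line in ("!", "end", "exit"):
            radio = None  # left the radio interface context
        elif m := re.fullmatch(r"dot11 holdoff-time (\S+)", line):
            settings["holdoff-time"] = seconds(m.group(1), "dot11 holdoff-time")
        elif m := re.fullmatch(r"dot1x (client-timeout|reauth-period) (\S+)", line):
            key, value = m.groups()
            if radio is None:
                findings.append(f"dot1x {key}: entered outside a radio interface")
            elif (key, value) == ("reauth-period", "server"):
                settings["radios"][radio][key] = "server"
            else:
                settings["radios"][radio][key] = seconds(value, f"radio {radio} dot1x {key}")

    if settings["holdoff-time"] is None:
        findings.append("dot11 holdoff-time: no valid value set explicitly")
    for r, timers in sorted(settings["radios"].items()):
        for key, value in timers.items():
            if value is None:
                findings.append(f"radio {r} dot1x {key}: no valid value set explicitly")
        if timers["reauth-period"] == "server":
            findings.append(f"radio {r}: reauth-period server needs RADIUS attribute 27 (Session-Timeout)")
    return settings, findings
```

Calling audit(SAMPLE) reports the out-of-range client timeout on radio 1, the timers radio 1 lacks, and a reminder that radio 0 depends on the server's Session-Timeout value.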

 

 

 

Cisco Wireless ISR and HWIC Access Point Configuration Guide

 

OL-6415-04
