Cisco Systems OL-6415-04 Configuring Authentication Holdoffs, Timeouts, and Intervals

6-15

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 6 Configuring Authentication Types

Configure Authentication Types

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication

caching. This example shows how to enable MAC authentication caching with a one-hour timeout:

ap# configure terminal

ap(config)# dot11 aaa authentication mac-authen filter-cache timeout 3600

ap(config)# end

Configuring Authentication Holdoffs, Timeouts, and Intervals

Beginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication

periods, and authentication timeouts for client devices authenticating through your access point:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 dot11 holdoff-time seconds Enter the number of seconds a client device must wait before it

can reattempt to authenticate following a failed authentication.

The holdoff time is invoked when a client fails three login

attempts or fails to respond to three authentication requests

from the access point. Enter a value from 1 to 65555 seconds.

Step 3 interface dot11radio { 0 | 1 }Enter interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step 4 dot1x client-timeout seconds Enter the number of seconds the access point should wait for a

reply from a client attempting to authenticate before the

authentication fails. Enter a value from 1 to 65555 seconds.

Step 5 dot1x reauth-period { seconds |

server }

Enter the interval in seconds that the access point waits before

forcing an authenticated client to reauthenticate.

Enter the server keyword to configure the access point to use

the reauthentication period specified by the authentication

server. If you use this option, configure your authentication

server with RADIUS attribute 27, Session-Timeout. This

attribute sets the maximum number of seconds of service to be

provided to the client before termination of the session or

prompt. The server sends this attribute to the access point when

a client device performs EAP authentication.

Note If you configure both MAC address authentication and

EAP authentication for an SSID, the server sends the

Session-Timeout attribute for both MAC and EAP

authentications for a client device. The access point

uses the Session-Timeout attribute for the last

authentication that the client performs. For example, if

a client performs MAC address authentication and then

performs EAP authentication, the access point uses the

server’s Session-Timeout value for the EAP

authentication. To avoid confusion on which

Session-Timeout attribute is used, configure the same

Session-Timeout value on your authentication server

for both MAC and EAP authentication.