Time considerations for reauthenticating clients

When a RADIUS server is not reachable, the switch sends the request to each configured server and retransmits it three times before concluding that the server is unavailable. The default radius-server timeout is 5 seconds and the default radius-server retransmit count is 3, so the switch spends 20 seconds ((3+1)*5 = 20) on each server before moving on to the next one.

Time considerations for 802.1X clients on Windows
  • If the RADIUS server is not reachable, the client sends an EAPOL-Start (Extensible Authentication Protocol over LAN) message 18 seconds after authentication started.

  • The authenticator treats the EAPOL-Start as a new authentication request from the client, so the existing authentication session is stopped.

  • Identity request and response are exchanged between the authenticator and the client. Even so, the client does not wait for the next authentication packets and sends another EAPOL-Start message after a further 18 seconds.

    Two issues result from this behavior:
    • Authentication of a new client: Normally, if the first RADIUS server is not reachable, the switch sends the authentication request to the second server after 20 seconds. A Windows client, however, sends an EAPOL-Start message every 18 seconds. On receiving the EAPOL-Start, the switch stops the existing session and starts over with the first server, so the second server is never tried.

    • Cached reauthentication is not triggered: When reauthentication is triggered, the switch tries the server three times to check its availability before falling back to cached reauthentication. While these retries are still in progress (before cached reauthentication can be triggered), the client sends an EAPOL-Start message; the authenticator starts a new authentication session and stops the existing one. Hence cached reauthentication is never triggered.

    NOTE:

    The issue that Windows 7 does not respond to 802.1X authentication requests after the initial 802.1X authentication fails has already been reported to Microsoft. See https://support.microsoft.com/en-in/kb/980295 for reference.

Configuration to avoid issues with 802.1X clients on Windows

The following combinations of the commands radius-server retransmit x and radius-server timeout y can be used to avoid these issues; the goal is to keep the time the switch spends on an unreachable server shorter than the client's 18-second EAPOL-Start interval.

Case   radius-server retransmit (x)   radius-server timeout (y, seconds)
a      1                              8
b      2                              6
c      2                              5
d      3                              5
e      3                              4
f      3                              3
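The race described in the two issues above, and the reasoning behind the retransmit/timeout table, can be checked with a small timing model. The following is an added example and is not code from the switch documentation; it assumes a simplified schedule (first request at t = 0, one retransmission every timeout seconds, failover to the next server after retransmit retransmissions, an EAPOL-Start from the Windows client 18 seconds after the session started that resets the session to the first server, and a request scheduled for the same instant as the EAPOL-Start still being sent). The function and variable names are the example's own.

```python
"""Added example, not from the switch documentation: a small model of the race
between the switch's RADIUS retry schedule and the Windows supplicant's
EAPOL-Start timer, to show why the second RADIUS server may never be tried.

Assumptions of this model (simplified, not the switch's real implementation):
  * the switch sends the first Access-Request to a server at t = 0 and resends
    it every `timeout` seconds, `retransmit` times, before moving to the next
    server, so one unreachable server costs (retransmit + 1) * timeout seconds
  * the Windows client sends EAPOL-Start `EAPOL_START_INTERVAL` seconds after
    the session started; the authenticator then discards the running session
    and starts over with the first server
  * a request scheduled for the same instant as the EAPOL-Start still goes out
  * every configured RADIUS server is unreachable
"""

EAPOL_START_INTERVAL = 18  # seconds; Windows supplicant behaviour described in the text


def per_server_wait(retransmit: int, timeout: int) -> int:
    """Seconds the switch spends on one unreachable server, e.g. (3+1)*5 = 20."""
    if retransmit < 0 or timeout <= 0:
        raise ValueError("retransmit must be >= 0 and timeout must be > 0")
    return (retransmit + 1) * timeout


def timeline(retransmit, timeout, servers=2, eapol_start=EAPOL_START_INTERVAL):
    """(t, event) tuples from session start until the client's EAPOL-Start resets it."""
    wait = per_server_wait(retransmit, timeout)
    events = []
    for server in range(1, servers + 1):
        for attempt in range(retransmit + 1):
            t = (server - 1) * wait + attempt * timeout
            if t > eapol_start:
                break  # never sent: the session was already reset
            label = "request" if attempt == 0 else f"retransmit {attempt}"
            events.append((t, f"server {server}: {label}"))
    events.append((eapol_start, "client: EAPOL-Start, session restarted"))
    events.sort(key=lambda e: e[0])
    return events


def servers_tried(retransmit, timeout, servers=2, eapol_start=EAPOL_START_INTERVAL):
    """How many distinct servers receive at least one request before the reset."""
    wait = per_server_wait(retransmit, timeout)
    return sum(1 for k in range(servers) if k * wait <= eapol_start)


def max_timeout_for_failover(retransmit, eapol_start=EAPOL_START_INTERVAL):
    """Largest radius-server timeout that still lets the switch reach the second
    server no later than the EAPOL-Start, for a given retransmit count."""
    return eapol_start // (retransmit + 1)


if __name__ == "__main__":
    # default settings versus one of the recommended combinations (case c)
    for retransmit, timeout in [(3, 5), (2, 5)]:
        print(f"radius-server retransmit {retransmit}, timeout {timeout}: "
              f"{servers_tried(retransmit, timeout)} server(s) contacted")
        for t, ev in timeline(retransmit, timeout):
            print(f"  t={t:2d}s  {ev}")
```

With the defaults (retransmit 3, timeout 5) the model sends four requests to the first server at t = 0, 5, 10 and 15 seconds and would only reach the second server at t = 20, after the EAPOL-Start at t = 18 has already reset the session; with retransmit 2 and timeout 5 the second server is contacted at t = 15. The same model is what the reauthentication case depends on: if the retries against the first server are not finished within 18 seconds, the fallback (cached reauthentication or the next server) is never reached.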

Time considerations for 802.1X clients on Linux

When the server is not reachable, a Linux client does not send an EAPOL-Start after 18 seconds, so the switch can fall back to the second server and to cached reauthentication as described in the general behavior above.