Hi there,

I'm having some trouble with dot1x timers for wired authentication. The idea is to keep timers low so I can easily use features like mac-radius and guest-vlan. I'm using the built-in supplicant on Windows XP/Vista/7 and Mac OS X/Linux.

Actually the timers are set like this:

    client-1x {
        supplicant multiple;
        retries 1;
        quiet-period 1;
        transmit-period 1;
        mac-radius;
        no-reauthentication;
        supplicant-timeout 1;
        server-timeout 10;
        maximum-requests 1;
        guest-vlan guest-1x;
        server-reject-vlan guest-1x;
        server-fail use-cache;
    }

If I connect a Win7 client with the supplicant configured and the user password saved, I have no problems. The trouble starts when I try to connect a Windows client with the dot1x set-up but without credentials set. The Windows credentials pop-up shows up correctly but the authentication fails.

Digging a little deeper in the problem showed that:

- When configured like that, the Windows client sends a first EAPOL Start to the switch
- The switch answers correctly with an EAP Request Identity and starts a timeout timer, based on the "transmit-period" value in the config
- Windows shows up the pop-up for the credentials but it is already too late because the timer on the switch expired, and the authentication fails

Raising the "transmit-period" timer is not a good option, because the switch uses that timer for every EAP request identity it sends out. If I put a decent timer to let people write their credentials, the switch waits that amount of time even for a client not configured with 802.1x (printers!) before failing out on mac-radius authentication / guest-vlan.

I'm using the doc found here:
https://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/interface-802-1x.html

But that's not very exhaustive...

Is there any possibility to set up the switch so it will behave differently when managing EAPOL start requests from clients? I know that a good option would be to use a different supplicant, and I'm actually mitigating this with open1x, but I would like to have a "clean" solution without additional software.

I'm having this problem on EX-4200 series with JTAC recommended Junos.

marco