Unsolved

1 Rookie

December 18th, 2019 03:00

802.1x MAB and DHCP Timeout issues

We have enabled 802.1x with MAB bypass on our Dell N3048 switches; however, we're running into issues with our secondary authentication devices and them getting DHCP.

The port configuration we are applying is as follows:

spanning-tree portfast
switchport access vlan 43
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout quiet-period 1
dot1x timeout supp-timeout 2
dot1x timeout tx-period 5
dot1x max-req 1
dot1x unauth-vlan 242
dot1x max-reauth-req 1
mab
default mab pap
authentication order dot1x mab
switchport voice vlan 44

It is my understanding that, in the Cisco world, timeout tx-period 5 is 5 seconds before it attempts to reauth, and we have the following set: dot1x max-reauth-req 1. Based on that, it should try to auth with MAB after 5 seconds; however, MAB doesn't take place for around 60 seconds. Should we change the following command: authentication order dot1x mab to authentication order mab dot1x, then the dot1x client doesn't get an IP address from DHCP due to the timeout.

The version of firmware we are using is 6.5.4.10 and we were running 6.5.1.6 with the same issue. 

Any help with this would be appreciated.

Moderator

December 18th, 2019 07:00

Hi,

Yes, that should help, or increase the timeout to longer than 60 seconds.

1 Rookie

December 18th, 2019 08:00

Hi Josh,

Thanks for getting back to me. We want to reduce the timers to be less than 60 seconds so devices that use MAB for auth are able to make a DHCP request which is forwarded to the DHCP server without being blocked for authentication purposes. Obviously the timers are set that the transmit is 5 seconds so I would have thought that after five seconds it would reattempt to auth with the same mechanism or it would begin trying the secondary mechanism. 

Unfortunately, this is not the case and the switch waits for 60 seconds before accepting that the device is not an 802.1x supplicant and then moving over to MAB.

Is there any way we can force the switch to accept after 5 seconds that the devices are not 802.1x compliant supplicants and then perform MAB?

Thanks,

Talan
