How to Check/Change: Cisco Controller/Mobility Express (Access Point) Local EAP settings, commands

EAP-Identity-Request Timeout (seconds)
EAP-Identity-Request Max Retries
EAP Key-Index for Dynamic WEP
EAP Max-Login Ignore Identity Response
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout (milliseconds)
EAPOL-Key Max Retries
EAP-Broadcast Key Interval
RSN Capability Validation

Show current Local EAP settings

1 Log in to the Cisco Controller (Mobility Express) via console or SSH

2 Type the following command

show advanced eap

Change Local EAP settings

config advanced eap [name] [value]

To list the available setting names and value ranges, type

config advanced eap ?

Bonus

Increasing the value of “EAP-Identity-Request Max Retries” may fix or reduce the following error (the number in parentheses is the retry limit that was in force when the message was logged):

[Date] [Time] [AP IP address] [AP Name]: *Dot1x_NW_MsgTask_0: [Date] [Time]: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client [Client MAC Address]
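
Before raising the retry count it is worth knowing how many clients and APs the message actually comes from: a single slow handheld and an RF or AP problem produce the same log line. The following is an added example, not code from the original page or from Cisco. It is a small Python parser for lines in the shape of the message above; the sample lines are constructed here, with made-up dates, AP addresses/names and client MACs, and the "few clients versus widespread" rule of thumb in triage() is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the message quoted above.
# Dates, AP addresses/names and client MACs are made up for this example; the
# last line is an unrelated message that the parser must ignore.
SAMPLE_LOG = """\
Mar 10 09:12:01 10.0.0.21 AP-LOBBY-01: *Dot1x_NW_MsgTask_0: Mar 10 09:12:01.455: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:aa:bb:01
Mar 10 09:12:40 10.0.0.21 AP-LOBBY-01: *Dot1x_NW_MsgTask_0: Mar 10 09:12:40.102: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:aa:bb:01
Mar 10 09:13:05 10.0.0.22 AP-WAREHOUSE-03: *Dot1x_NW_MsgTask_1: Mar 10 09:13:05.871: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:AA:BB:01
Mar 10 09:14:12 10.0.0.22 AP-WAREHOUSE-03: *Dot1x_NW_MsgTask_0: Mar 10 09:14:12.003: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:aa:bb:02
Mar 10 09:14:30 10.0.0.21 AP-LOBBY-01: *otherTask0: Mar 10 09:14:30.500: %EXAMPLE-6-OTHER: constructed unrelated line that the parser must ignore
"""

# Field order follows the message layout quoted above:
# [Date] [Time] [AP IP] [AP Name]: *Dot1x_NW_MsgTask_N: [Date] [Time]: %DOT1X-4-MAX_EAP_RETRIES: ...
LOG_RE = re.compile(
    r"^(?P<date>\S+ \d+) (?P<time>\S+) (?P<ap_ip>\S+) (?P<ap_name>[^:]+): "
    r"\*Dot1x_NW_MsgTask_\d+: .*?%DOT1X-4-MAX_EAP_RETRIES: \S+ "
    r"Max EAP identity request retries \((?P<retries>\d+)\) exceeded for client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for a MAX_EAP_RETRIES line, or None for any other line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["retries"] = int(event["retries"])   # the configured max at log time
    event["mac"] = event["mac"].lower()         # normalise so AA:BB and aa:bb count once
    return event


def summarize(log_text):
    """Count MAX_EAP_RETRIES events per client MAC and per AP."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    return {
        "events": len(events),
        "per_client": Counter(e["mac"] for e in events),
        "per_ap": Counter(e["ap_name"] for e in events),
        # distinct configured retry limits seen, e.g. [3] before you raise it
        "retry_limits": sorted({e["retries"] for e in events}),
    }


def top_client_share(summary):
    """Fraction of all events caused by the single noisiest client (0.0 if none)."""
    if summary["events"] == 0:
        return 0.0
    (_, count), = summary["per_client"].most_common(1)
    return count / summary["events"]


def triage(summary, threshold=0.5):
    """Rule of thumb (an assumption of this example, not from the text): if one
    client causes at least `threshold` of the events, suspect that device (a slow
    handheld or scanner) and consider raising the retry count for it; otherwise
    the problem is spread out and RF, AP or RADIUS health should be checked first."""
    if summary["events"] == 0:
        return "no-events"
    return "few-clients" if top_client_share(summary) >= threshold else "widespread"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["events"], "events; retry limits seen:", s["retry_limits"], "; triage:", triage(s))
    for mac, n in s["per_client"].most_common():
        print(f"  client {mac}: {n}")
    for ap, n in s["per_ap"].most_common():
        print(f"  AP {ap}: {n}")
```

Feed it the controller's message log (or the syslog server's copy) instead of SAMPLE_LOG; if retry_limits already shows a raised value and the same few clients keep appearing, the timer change did not help those devices and the device side needs looking at.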

More information about the EAP-* timers (non-official Cisco material; see [2])

EAP-Identity-Request Timeout:

This timer sets how long the controller waits between EAP Identity Requests. The default is 1 second in WLC software 4.1 and earlier and 30 seconds in 4.2 and later. The default was raised because some clients (handhelds, phones, scanners and the like) had a hard time responding fast enough; devices like laptops usually do not need these values changed. The available range is 1 to 120 seconds.

So what happens with this attribute set to 30? When the client first connects, it sends an EAPOL-Start to the network and the WLC sends down an EAP packet requesting the user's or machine's identity. If the WLC does not receive the Identity Response, it sends another Identity Request 30 seconds after the first. This happens on initial connection and whenever the client roams.

What happens when we increase this timer? If everything is working, there is no impact. However, if there is a problem in the network (including client, AP or RF issues), a long timer delays connectivity. For example, with the timer at its maximum of 120 seconds the WLC waits 2 minutes between Identity Requests; if the client is roaming and its Response is not received by the WLC, that is at minimum a two-minute outage for that client.

The recommendation for this timer is 5 seconds. There is no current reason to set it to its maximum value.

EAP-Identity-Request Max Retries

So what does Max Retries do? In short, it is the number of times the WLC sends the Identity Request to the client before removing the client's entry from the MSCB (mobile station control block). Once Max Retries is reached, the WLC sends a de-authentication frame to the client, forcing it to restart the EAP process. The available range is 1 to 20. Let's look at what that means.

Max Retries works together with the Identity Timeout. With Identity Timeout set to 120 and Max Retries to 20, how long does it take for the client to be removed? 120 * 20 = 2400 seconds, so it takes 40 minutes before the client is removed and starts the EAP process over again. With Identity Timeout set to 5 and Max Retries to 12, 5 * 12 = 60, so the client is removed after one minute and has to start EAP over.

The recommended value for Max Retries is 12.

EAPOL-Key Timeout

For the EAPOL-Key Timeout the default is 1 second (1000 milliseconds). When it is time to exchange EAPOL keys between the AP and the client, the AP sends the key and waits up to 1 second by default for the client to respond; after that time the AP retransmits the key. Use the command “config advanced eap eapol-key-timeout <time>” to alter this setting. In 6.0 code the available values are 200 to 5000 milliseconds, while code prior to 6.0 accepts 1 to 5 seconds. Keep in mind that if a client is not responding to a key attempt, extending the timer gives it a little more time to respond, but it also prolongs the time it takes for the WLC/AP to deauthenticate the client so that the whole 802.1X process can start fresh.

EAPOL-Key Max Retries

For EAPOL-Key Max Retries the default is 2, meaning the original key attempt is retried to the client 2 times. The setting is altered with the command “config advanced eap eapol-key-retries <retries>”; the available values are 0 to 4 retries. With the default EAPOL-Key Timeout (1 second) and the default retry count (2), the process goes as follows if a client does not respond to the initial key attempt:

1 – AP sends the key attempt to the client
2 – Wait 1 second for a reply
3 – If no reply, send EAPOL-Key retry attempt #1
4 – Wait 1 second for a reply
5 – If no reply, send EAPOL-Key retry attempt #2
6 – If there is still no response from the client and the retry count has been reached, deauthenticate the client

Again, as with the EAPOL-Key Timeout, raising the EAPOL-Key retry value can be beneficial in some circumstances, but setting it to the maximum may again be harmful because the deauthentication is delayed. [2]
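
The arithmetic in the Max Retries and EAPOL-Key sections above (identity timeout times retries; EAPOL-Key timeout times the initial attempt plus each retry) is easy to script so that a controller can be checked before and after a change. The following is an added example, not code from the original page or from Cisco. It parses a constructed sample of show advanced eap output (the dotted layout and the values, set to the maximums on purpose, are assumptions for the example), computes the worst-case time a silent client sits before it is de-authenticated, and flags settings above the recommendations quoted above, printing the matching config advanced eap command. The eapol-key-timeout and eapol-key-retries keywords are the ones quoted above; identity-request-timeout and identity-request-retries are assumed keyword names.

```python
import re

# Constructed sample of "show advanced eap" output. The dotted-leader layout is
# an assumption about how the AireOS CLI prints it; the numeric values are set
# to the maximums discussed above on purpose.
SHOW_ADVANCED_EAP = """\
EAP-Identity-Request Timeout (seconds)........... 120
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 4
EAP-Broadcast Key Interval....................... 3600
RSN Capability Validation........................ disable
"""

FIELD_RE = re.compile(r"^(?P<name>.+?)\.{2,}\s*(?P<value>\S+)$")

ID_TIMEOUT = "EAP-Identity-Request Timeout (seconds)"
ID_RETRIES = "EAP-Identity-Request Max Retries"
KEY_TIMEOUT = "EAPOL-Key Timeout (milliseconds)"
KEY_RETRIES = "EAPOL-Key Max Retries"

# Values recommended, quoted as defaults, or quoted as limits in the text above.
RECOMMENDED_ID_TIMEOUT_S = 5
RECOMMENDED_ID_RETRIES = 12
KEY_TIMEOUT_MAX_MS = 5000
KEY_RETRIES_MAX = 4
KEY_TIMEOUT_DEFAULT_MS = 1000
KEY_RETRIES_DEFAULT = 2

# "config advanced eap" keywords. eapol-key-timeout and eapol-key-retries are
# quoted in the text; the two identity-request-* names are an assumption.
CONFIG_KEYWORD = {
    ID_TIMEOUT: "identity-request-timeout",
    ID_RETRIES: "identity-request-retries",
    KEY_TIMEOUT: "eapol-key-timeout",
    KEY_RETRIES: "eapol-key-retries",
}


def parse_show_advanced_eap(text):
    """Turn the dotted 'name....... value' lines into a dict; numbers become ints."""
    settings = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m is None:
            continue
        value = m.group("value")
        settings[m.group("name")] = int(value) if value.isdigit() else value
    return settings


def worst_case_seconds(settings):
    """How long a silent client stays before the WLC de-authenticates it.
    Identity phase: timeout * retries (the 120 * 20 = 2400 s arithmetic above).
    EAPOL-Key phase: the initial key and each retry wait one timeout each, so
    timeout_ms * (retries + 1), converted to seconds."""
    identity = settings[ID_TIMEOUT] * settings[ID_RETRIES]
    eapol_key = settings[KEY_TIMEOUT] * (settings[KEY_RETRIES] + 1) / 1000
    return {"identity_phase_s": identity, "eapol_key_phase_s": eapol_key}


def review(settings):
    """Return (setting, current, suggested, reason, command) for each value that
    is above the recommendation or pinned at its maximum."""
    findings = []

    def flag(name, suggested, why):
        cmd = f"config advanced eap {CONFIG_KEYWORD[name]} {suggested}"
        findings.append((name, settings[name], suggested, why, cmd))

    if settings[ID_TIMEOUT] > RECOMMENDED_ID_TIMEOUT_S:
        flag(ID_TIMEOUT, RECOMMENDED_ID_TIMEOUT_S, "above the recommended 5 s")
    if settings[ID_RETRIES] > RECOMMENDED_ID_RETRIES:
        flag(ID_RETRIES, RECOMMENDED_ID_RETRIES, "above the recommended 12")
    if settings[KEY_TIMEOUT] >= KEY_TIMEOUT_MAX_MS:
        flag(KEY_TIMEOUT, KEY_TIMEOUT_DEFAULT_MS, "at the maximum; delays de-auth")
    if settings[KEY_RETRIES] >= KEY_RETRIES_MAX:
        flag(KEY_RETRIES, KEY_RETRIES_DEFAULT, "at the maximum; delays de-auth")
    return findings


if __name__ == "__main__":
    cfg = parse_show_advanced_eap(SHOW_ADVANCED_EAP)
    print(worst_case_seconds(cfg))
    for name, current, suggested, why, cmd in review(cfg):
        print(f"{name}: {current} -> {suggested} ({why}): {cmd}")
```

Paste the real show advanced eap output in place of SHOW_ADVANCED_EAP; the EAPOL-Key suggestions fall back to the quoted defaults rather than a tuned value, because the right number for a slow client is something only a packet capture of that client's 4-way handshake can tell you.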

Resources

[1] Information About Local EAP
[2] EAP Timers on Wireless Lan Controllers

