Client Auth Question

deanwebb · April 01, 2016, 02:46:05 PM

Is it normal for a wireless endpoint (a Win7 box) to complete an 802.1X authentication process roughly once every 20 seconds? I'm seeing that on multiple devices in one of our locations.

SimonV · April 01, 2016, 03:06:41 PM

Against the same AP?

deanwebb · April 01, 2016, 03:37:29 PM

It seems that way, yes.

SimonV · April 01, 2016, 03:58:37 PM

Do all those clients have the same type of NIC? Could be driver-related. If you do a debug client <mac> on the WLC you might see what's causing the re-authentication.

deanwebb · April 01, 2016, 04:01:22 PM

Could be... they are Intel cards. Lucky me, only our outsourcing partner has access to the WLC at this time...

wintermute000 · April 02, 2016, 04:34:38 AM

That's interesting. As someone who is supposed to be doing their CWNA at some stage (pukes again)... who defines the reauth time in 802.1x? Is it up to the specific EAP mechanism? Is it the wild west?

deanwebb · April 02, 2016, 10:30:21 AM

My understanding is that it's supposed to be less frequent than every 20 dang seconds. I know that the re-auth runs in the background on the client and triggers after moving to a new AP or after a certain amount of time on the original AP.

This is not to be confused with the re-auth attempts that fire when the first auth fails. By default, there are two re-auth attempts allowed after a failed auth, each 30 seconds apart. So, if a guy has a crappy card/supplicant/cert, then it's 90 seconds of limbo before 802.1X will release him to another network with a COA. That can be after the DHCP request times out, though, so it takes some tricky work to take care of that on the wired network. On the wireless, DHCP goes on out to the client before the auth, so he's OK.

Client Auth Question

deanwebb

SimonV

deanwebb

SimonV

deanwebb

wintermute000

deanwebb