[f-nsp] moving dot1x ports to restricted-vlan on logout
Raja Subramanian
rajasuperman at gmail.com
Wed Apr 11 02:35:05 EDT 2007
Hi All,
I'm trying to get dot1x authentication working with dynamic
and restricted VLANs.
When my user logs into the desktop, everything works perfectly,
and his switch port is moved to the RADIUS assigned VLAN. But
when he logs off, the port stays in his assigned VLAN, and does
not move to the restricted VLAN, until the reauth timeout kicks
in, or a new login occurs.
Here is my setup:
I'm using a FastIron SX1600 running firmware 3.2.00, a Win2k3
server running AD/IAS, and WinXP SP2 clients using the native
dot1x supplicant. My running config looks like:
dot1x-enable
auth-max 10
timeout re-authperiod 600 ! reauth every 10 minutes
timeout tx-period 15
re-authentication
restrict-forward-non-dot1x
timeout restrict-fwd-period 15 ! this setting is ignored, why?
auth-fail-action restricted-vlan
auth-fail-vlanid 100
enable ethe 6/4
On logout, port e6/4 goes to the restricted VLAN only after the
10 minute re-authperiod timeout expires. The restrict-fwd-period
setting is being completely ignored!
Reducing the re-authperiod is a workaround, but that means the
IAS servers get overloaded with authentication requests every few
minutes.
What am I missing out on?
Thanks for your time and help!
- Raja