[j-nsp] wired dot1x timer problems (ex series)

Marco Nesler satunz at gmail.com
Thu Oct 3 04:09:36 EDT 2013


Hi there,
I'm having some trouble with dot1x timers for wired authentication. The
idea is to keep timers low so I can easily use features like mac-radius and
guest-vlan.
I'm using the built-in supplicant on Windows XP/Vista/7 and Mac OS X/Linux.

Actually the timers are set like this:
client-1x {
    supplicant multiple;
    retries 1;
    quiet-period 1;
    transmit-period 1;
    mac-radius;
    no-reauthentication;
    supplicant-timeout 1;
    server-timeout 10;
    maximum-requests 1;
    guest-vlan guest-1x;
    server-reject-vlan guest-1x;
    server-fail use-cache;
}


If I connect a Win7 client with the supplicant configured and the user
password saved, I have no problems.

The trouble starts when I try to connect a windows client with the dot1x
set-up but without credentials set. The windows credentials pop-up shows up
correctly but the authentication fails.
Digging a little deeper in the problem showed that:
- When configured like that, the windows client sends a first EAPOL Start
to the switch
- The switch answers correctly with an EAP Request Identity and starts a
timeout timer, based on the "transmit-period" value in the config
- Windows shows the pop-up for the credentials but it is already too late
because the timer on the switch expired, and the authentication fails

Raising the "transmit-period" timer is not a good option, because the
switch uses that timer for every EAP request identity it sends out.
If I set a decent timer to let people type their credentials, the switch
waits that amount of time even for a client not configured with 802.1x
(printers!) before failing over to mac-radius authentication / guest-vlan.

I'm using the doc found here:
https://www.juniper.net/techpubs/en_US/junos12.3/topics/reference/configuration-statement/interface-802-1x.html
But that's not very exhaustive...

Is there any possibility to set up the switch so it will behave differently
when managing EAPOL start requests from clients?


I know that a good option would be to use a different supplicant, and I'm
actually mitigating this with open1x, but I would like to have a "clean"
solution without additional software.

I'm having this problem on EX4200 series with the JTAC-recommended Junos.


marco
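As an added illustration (not part of Marco's post, and not Junos' real authenticator state machine): a small Python model of the timer trade-off he describes. It assumes the switch retransmits EAP-Request/Identity every transmit-period seconds up to maximum-requests times before falling back to mac-radius / guest-vlan, so any value long enough for a user to type a password delays a silent printer by the same amount.

```python
import math
from dataclasses import dataclass


@dataclass
class Authenticator:
    """Simplified model of the timers in the posted client-1x stanza (assumption)."""
    transmit_period: int   # seconds between EAP-Request/Identity retransmits
    maximum_requests: int  # retransmits before the switch gives up on the supplicant

    def fallback_delay(self) -> int:
        # Initial request plus `maximum_requests` retransmits, each waiting
        # `transmit_period` seconds, before MAC-RADIUS / guest VLAN kicks in.
        return self.transmit_period * (self.maximum_requests + 1)


def simulate(auth: Authenticator, devices: dict) -> dict:
    """devices maps a name to seconds until EAP-Response/Identity (None = never).

    Returns name -> (status, seconds) where seconds is when that status was reached.
    """
    results = {}
    limit = auth.fallback_delay()
    for name, delay in devices.items():
        if delay is None:
            results[name] = ("fallback", limit)            # printer: no supplicant
        elif delay <= limit:
            results[name] = ("identity-received", delay)   # EAP continues normally
        else:
            results[name] = ("timed-out", limit)           # prompt answered too late
    return results


def transmit_period_for(typing_seconds: int, maximum_requests: int) -> int:
    """Smallest transmit-period that lets a user type for `typing_seconds`."""
    return math.ceil(typing_seconds / (maximum_requests + 1))


if __name__ == "__main__":
    # Constructed sample: timer values from the post (transmit-period 1, maximum-requests 1)
    posted = Authenticator(transmit_period=1, maximum_requests=1)
    devices = {"win7-saved-creds": 0, "win7-prompt": 15, "printer": None}
    print(simulate(posted, devices))
    # Raising transmit-period enough for the prompt delays the printer just as much.
    tp = transmit_period_for(15, posted.maximum_requests)
    print(tp, Authenticator(tp, posted.maximum_requests).fallback_delay())
```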

