User's Manual

ManualsBrandsCisco Systems ManualsWelding SystemCisco Systems IOS Software 0L-11350-01

241

242

243

244

245

246

247

248

249

250

11-17

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-11350-01

Chapter 11 Configuring Authentication Types

Configuring Authentication Types

Use the no form of these commands to reset the values to default settings.

Creating and Applying EAP Method Profiles for the 802.1X Supplicant

This section describes the optional configuration of an EAP method list for the 802.1X supplicant.

Configuring EAP method profiles enables the supplicant not to acknowledge some EAP methods, even

though they are available on the supplicant. For example, if a RADIUS server supports EAP-FAST and

LEAP, under certain configurations, the server might initially employ LEAP instead of a more secure

method. If no preferred EAP method list is defined, the supplicant supports LEAP, but it may be

advantageous to force the supplicant to force a more secure method such as EAP-FAST.

Note The 8021X supplicant is available on 1130AG, 1240AG, and 1300 series access points. It is not available

on 1100 and 1200 series access points.

See Creating a Credentials Profile, page 4-31 for additional information about the 802.1X supplicant.

Step 5

dot1x reauth-period { seconds |

server }

Enter the interval in seconds that the access point waits before

forcing an authenticated client to reauthenticate.

Enter the server keyword to configure the access point to use

the reauthentication period specified by the authentication

server. If you use this option, configure your authentication

server with RADIUS attribute 27, Session-Timeout. This

attribute sets the maximum number of seconds of service to be

provided to the client before termination of the session or

prompt. The server sends this attribute to the access point when

a client device performs EAP authentication.

Note If you configure both MAC address authentication and

EAP authentication for an SSID, the server sends the

Session-Timeout attribute for both MAC and EAP

authentications for a client device. The access point

uses the Session-Timeout attribute for the last

authentication that the client performs. For example, if

a client performs MAC address authentication and then

performs EAP authentication, the access point uses the

server’s Session-Timeout value for the EAP

authentication. To avoid confusion on which

Session-Timeout attribute is used, configure the same

Session-Timeout value on your authentication server

for both MAC and EAP authentication.

Step 6

countermeasure tkip hold-time

seconds

Configure a TKIP MIC failure holdtime. If the access point

detects two MIC failures within 60 seconds, it blocks all the

TKIP clients on that interface for the holdtime period.

Step 7

end Return to privileged EXEC mode.

Step 8

copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose