EAP-Timers and You

On the WLC, we have a couple of EAP timers that we can manipulate to help with client authentication, they are listed below:

EAP-Identity-Request Timeout
EAP-Identity-Request Max Retries
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout
EAPOL-Key Max Retries

Before we can manipulate these values, we need to understand what they do, and how changing them will affect the network

EAP-Identity-Request Timeout:

This timer affects how long we wait between EAP Identity Requests. By default this is one second (4.1 and lower) and 30 seconds (4.2 and greater. The reason for this change was, we found that some clients, hand helds, phones, scanners etc, had a hard time responding fast enough. Devices like laptops, usually do not require a manipulation of these values. Available value is from 1 to 120.

So, what happens with this attribute set to a value of 30? When the client first connects, it sends and EAPOL Start to the network, the WLC sends down an EAP packet, requesting the user or machines Identity. If the WLC does not receive the Identity Response, it sends another Identity Request 30 seconds after the first. This happens on initial connection, and when the client roams.

What happens when we increase this timer? If everything is good, there is no impact. However, if there is an issue in the network (including client issues, AP issues, RF issues), this can cause delays in network connectivity. For example, if you set the timer to the maximum value of 120 seconds, the WLC waits 2 minutes between Identity Requests. If the client is roaming, and the Response is not received by the WLC, we have created, at minimum, a two minute outage for this client.

Recommendations for this timer is to set it at 5. There is no current reason, to place this timer at it’s maximum value.

EAP-Identity-Request Max Retries

So, for max retries, what does this value do? In short, this is the number of times the WLC will send the Identity Request to the client, before removing it’s entry from the MSCB. Once the Max Retries is reached, the WLC sends a de-authentication frame to the client, forcing them to restart the EAP process. Available value is 1 to 20. So let’s look at this for a moment.

The Max Retries is going to work with the Identity Timeout. If you have your Identity Timeout set to 120, and your Max Retries to 20 how long does it take for the client to be removed? 120 * 20 = 2400. So it would take 40 minutes for the client to be removed, and to start the EAP process over again. If instead you set the Identity timeout to 5, with the Max Retires of 12, 5 * 12 = 60. So there is one minute until the client is removed, and it has to start EAP over.

Recommendations for the Max Retries is 12.

EAPOL-Key Timeout

For the EAPOL-Key Timeout value, the default is 1 second or 1000 milliseconds. What this means is when it comes time to exchange the EAPOL keys between the AP and client, the AP will send the key and wait up to 1 second by default for the client to respond. After waiting the defined time value, the AP will re-transmit the key again. You can use the command “config advanced eap eapol-key-timeout ” to alter this setting. The available values in 6.0 are between 200 and 5000 milliseconds, while codes prior to 6.0 allow for values between 1 and 5 seconds. Keep in mind that if you have a client which isn’t responding to a key attempt, extending the timers out can give them a little more time to respond….however, this could also prolong the time it takes for the WLC/AP to deauthenticate the client in order for the whole 802.1x process to start fresh.

EAPOL-Key Max Retries

For the EAPOL-Key Max Retries value, the default is 2. What this means is that we will retry the original key attempt to the client 2 times. This setting can be altered using the command “config advanced eap eapol-key-retries “. The available values are between 0 and 4 retries. Using the default value for the eapol key timeout (1 sec) and the default value for the eapol key retry (2) the process would go as follows if a client doesn’t respond to the initial key attempt:

1 – AP sends key attempt to the client
2 – Wait 1 second for a reply
3 – If no reply, then send eapol key retry attempt #1
4 – Wait 1 second for a reply
5 – If no reply, then send eapol key retry attempt #2
6 – If there is still not a response from the client and the retry value is met, then deauthenticate the client.

Again, as with the EAPOL-Key Timeout, extending the EAPOL-Key retry value could in some circumstances be beneficial, however setting it to the max may again be harmful as the deauthenticate message would be prolonged.

Previous post

Cisco WLC - Multicast

Next post

Still Alive!

Steve Rodriguez

Steve Rodriguez

Over 10 years of telecom/datacom experience. I spent almost 5 years in Cisco TAC, with 3 of those years as a Lead for the Wireless Team. Extensive experience with all of the wireless solutions from IOS AP up to the CUWN Controllers. As well as experience working with ACS 3.3/4.x, and some 5.x, and IAS/NPS. I hold the follwoing certifications CCIE 23102 R&S CCNA CCNA - Wireless MCSE - 2000 MCSA - 2000

No Comment

Leave a Reply