
Delay in dot1x authentication between Infranet Controller and Active Directory


Article ID: KB21576 KB Last Updated: 04 Mar 2017 Version: 2.0
Summary:
This article shows how to correctly implement dot1x authentication when there is a delay between the Infranet Controller and Active Directory.

Symptoms:
Configuration steps to follow when there is delay/latency between the Infranet Controller and Active Directory.

Cause:

Solution:
Topology:

Supplicant-----Switch/EX-------IC-------AD

  1. Server-timeout:

  2. The EX switch has two redundant configurations for the same server-timeout functionality; the authenticator responds to the expiry of either timer.
    The two methods of configuring server-timeout are listed below.

    1. In dot1x stanza

        i. set protocols dot1x authenticator interface (all | [interface-name]) server-timeout seconds
        http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/server-timeout-802-1x.html

    2. In access stanza

        i. set access radius-server server-address timeout seconds
        http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/timeout-edit-access.html

        ii. set access radius-server server-address retry attempts
        http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/retry-edit-access.html

      The server-timeout in the access stanza is calculated with the formula [(number of retries + 1) * timeout], in seconds.
      For example, the default value is [(3 + 1) * 3] = 12 seconds.

  3. Supplicant’s timeout (OAC’s authperiod):
    The default OAC supplicant’s timeout (authperiod) is ‘20’ seconds, which differs from the 802.1x standard, which says ‘30’ seconds.

  4. In any dot1x deployment, make sure the supplicant’s timeout (authperiod) is greater than the time taken for the whole authentication process. In other words, the authperiod should be in sync with the server-timeout value.

  5. Make sure the latency and bandwidth are adequate if the Infranet Controller and Active Directory are connected over a WAN.

We could achieve this by increasing the supplicant time-out value.
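The timer relationships above can be checked mechanically before rollout. The following is an added example, not Juniper code: the function names, the sample values (40, 10, 25, 45 seconds), the address 192.0.2.10 and the single-RADIUS-server simplification are assumptions, as is reading "in sync" to mean that authperiod must cover the switch's server-timeout window.

```python
import re

# Defaults quoted in the article: access retry 3, timeout 3 s; OAC authperiod 20 s.
DEFAULT_RETRY, DEFAULT_TIMEOUT, DEFAULT_AUTHPERIOD = 3, 3, 20

DOT1X_RE = re.compile(r"set protocols dot1x authenticator interface (\S+) server-timeout (\d+)$")
ACCESS_RE = re.compile(r"set access radius-server (\S+) (timeout|retry) (\d+)$")

# Constructed sample: timers raised for a slow IC-to-AD link (192.0.2.10 is a documentation address).
SAMPLE_CONFIG = """
set protocols dot1x authenticator interface all server-timeout 40
set access radius-server 192.0.2.10 timeout 10
set access radius-server 192.0.2.10 retry 3
"""

def parse_timers(config_text):
    """Collect server-timeout related values from Junos 'set' lines (single RADIUS server assumed)."""
    timers = {"dot1x": {}, "retry": DEFAULT_RETRY, "timeout": DEFAULT_TIMEOUT}
    for line in config_text.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if m := DOT1X_RE.match(line):
            timers["dot1x"][m.group(1)] = int(m.group(2))
        elif m := ACCESS_RE.match(line):
            timers[m.group(2)] = int(m.group(3))
    return timers

def access_server_timeout(retry, timeout):
    """Article formula: (number of retries + 1) * timeout, in seconds."""
    return (retry + 1) * timeout

def check(config_text, authperiod=DEFAULT_AUTHPERIOD, auth_seconds=0):
    """Return (effective_wait, findings); auth_seconds is the measured end-to-end authentication time."""
    t = parse_timers(config_text)
    # The authenticator reacts to either timer expiring, so the shorter one governs.
    effective = min([access_server_timeout(t["retry"], t["timeout"]), *t["dot1x"].values()])
    findings = []
    if auth_seconds >= effective:
        findings.append(f"authentication needs {auth_seconds}s, switch stops waiting after {effective}s")
    if authperiod <= auth_seconds:
        findings.append(f"authperiod {authperiod}s is not greater than the {auth_seconds}s authentication time")
    if authperiod < effective:  # assumption: 'in sync' means authperiod covers the switch's wait
        findings.append(f"authperiod {authperiod}s is shorter than the {effective}s server-timeout window")
    return effective, findings

if __name__ == "__main__":
    for authperiod in (DEFAULT_AUTHPERIOD, 45):
        print(authperiod, check(SAMPLE_CONFIG, authperiod=authperiod, auth_seconds=25))
```

With the constructed sample, the default authperiod of 20 seconds produces two findings, and raising it to 45 seconds clears them.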
