This article show how to correctly implement dot1x authentication when having delay between Infranet Controller and Active Directory.

Configuration steps to be followed when having a delay/latency between Infranet Controller and Active Directory.

Topology:

Supplicant-----Switch/EX-------IC-------AD

1. Server-timeout:

There are two redundant configurations for the same server-timeout functionality in EX-switch, the authenticator responds to the any of the timer expiry.
Below are the two different method of server-timeout configuration.


1. In dot1x stanza
   
   
   i. set protocols dot1x authenticator interface (all | [interface-name]) server-timeout seconds
   http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/server-timeout-802-1x.html
   
   
2. In access stanza
   
   
   i. set access radius-server server-address timeout seconds
   http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/timeout-edit-access.html
   
   ii. set access radius-server server-address retry attempts
   http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/retry-edit-access.html
   
   
   The server-time out in access is calculated by this formula [(number of retries +1) * timeout] in seconds.
   For example Default value is : [ ( 3 + 1) * 3)] = 12 seconds


2. Supplicant’s timeout (OAC’s authperiod):
   The default OAC supplicant’s timeout (authperiod) is ‘20’ seconds, which is different from 802.1x standard which says ‘30’ seconds.


3. In any dot1x deployment, please make sure the supplicant’s timeout (authperiod) should be greater than the time taken for whole authentication process. In other words the authperiod should be in sync with server-timeout value.


4. Please make sure the latency and bandwidth is adequate if the Infranet Controller and Active Directory is connected over WAN.

We could achieve this by increasing the supplicant time-out value.