This article shows how to correctly implement dot1x (802.1X) authentication when there is a delay between the Infranet Controller and Active Directory.
The configuration steps below apply when there is delay/latency between the Infranet Controller and Active Directory.
Topology:
Supplicant-----Switch/EX-------IC-------AD
- Server-timeout:
There are two independent configurations for the same server-timeout functionality on the EX switch; the authenticator acts on whichever of the two timers expires first.
Below are the two different methods of server-timeout configuration.
- In dot1x stanza
i. set protocols dot1x authenticator interface (all | [interface-name]) server-timeout seconds
http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/server-timeout-802-1x.html
- In access stanza
i. set access radius-server server-address timeout seconds
http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/timeout-edit-access.html
ii. set access radius-server server-address retry attempts
http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/retry-edit-access.html
The server-timeout in the access stanza is calculated with the formula [(number of retries + 1) * timeout] in seconds.
For example, with the default values: [(3 + 1) * 3] = 12 seconds
- Supplicant's timeout (OAC's authperiod):
The default OAC supplicant timeout (authperiod) is 20 seconds, which differs from the 802.1X standard, which specifies 30 seconds.
- In any dot1x deployment, make sure the supplicant's timeout (authperiod) is greater than the time taken for the whole authentication process. In other words, the authperiod should be in sync with the server-timeout value.
- Make sure the latency and bandwidth are adequate if the Infranet Controller and Active Directory are connected over a WAN.
This is achieved by increasing the supplicant's timeout (authperiod) value.
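The following is an added example, not part of the original article or any Juniper tool. It parses Junos 'set' statements of the form quoted above, applies the article's formula [(number of retries + 1) * timeout] for the access-stanza server-timeout, takes the shorter of that value and the dot1x server-timeout as the time the authenticator will actually wait (since it acts on whichever timer expires first), and checks that the supplicant's authperiod exceeds it. The sample configuration, the RADIUS server address 192.0.2.10 and the interface name are constructed for illustration; the Junos defaults of timeout 3 and retry 3 are taken from the article's own example.

```python
"""Check that 802.1X timers on an EX switch and its supplicant are consistent.

Added example (not from the article). The configuration below is constructed;
192.0.2.10 and ge-0/0/1 are placeholder values.
"""
import re

# Defaults the article cites for the access stanza: timeout 3 s, retry 3.
DEFAULT_TIMEOUT = 3
DEFAULT_RETRY = 3

# Constructed sample: RADIUS knobs at their defaults plus an explicit dot1x
# server-timeout of 30 s on one interface.
SAMPLE_CONFIG = """
set access radius-server 192.0.2.10 timeout 3
set access radius-server 192.0.2.10 retry 3
set protocols dot1x authenticator interface ge-0/0/1 server-timeout 30
"""

RADIUS_RE = re.compile(r"^set access radius-server (\S+) (timeout|retry) (\d+)$")
DOT1X_RE = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) server-timeout (\d+)$")


def parse_junos_set(config_text):
    """Return ({server: {'timeout': n, 'retry': n}}, {interface: server_timeout})."""
    radius, dot1x = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RADIUS_RE.match(line)
        if m:
            radius.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
            continue
        m = DOT1X_RE.match(line)
        if m:
            dot1x[m.group(1)] = int(m.group(2))
    return radius, dot1x


def access_server_timeout(knobs):
    """Article formula: (number of retries + 1) * timeout, in seconds."""
    timeout = knobs.get("timeout", DEFAULT_TIMEOUT)
    retry = knobs.get("retry", DEFAULT_RETRY)
    return (retry + 1) * timeout


def check_timers(config_text, supplicant_authperiod):
    """Compare the authenticator's effective server wait with the supplicant authperiod.

    The authenticator acts on whichever timer expires first, so the effective
    wait is the minimum of the access-stanza value and the dot1x server-timeout.
    Returns a dict with the computed values and an 'ok' flag that is True when
    the supplicant will still be waiting when the switch gives up on the server.
    """
    radius, dot1x = parse_junos_set(config_text)
    access_waits = {srv: access_server_timeout(k) for srv, k in radius.items()}
    # With no radius-server lines at all, the Junos defaults still apply.
    access_wait = max(access_waits.values()) if access_waits else access_server_timeout({})
    dot1x_wait = max(dot1x.values()) if dot1x else None
    effective = access_wait if dot1x_wait is None else min(access_wait, dot1x_wait)
    return {
        "access_server_timeout": access_wait,
        "dot1x_server_timeout": dot1x_wait,
        "effective_server_wait": effective,
        "supplicant_authperiod": supplicant_authperiod,
        "ok": supplicant_authperiod > effective,
        # The two knobs are redundant; flag them when they disagree so an
        # operator knows which one is actually governing the wait.
        "timers_disagree": dot1x_wait is not None and dot1x_wait != access_wait,
    }


if __name__ == "__main__":
    for authperiod in (20, 10):
        result = check_timers(SAMPLE_CONFIG, authperiod)
        verdict = "OK" if result["ok"] else "SUPPLICANT TIMES OUT FIRST"
        print(f"authperiod={authperiod}s effective_wait={result['effective_server_wait']}s -> {verdict}")
```

Running the block with the constructed configuration reports an effective wait of 12 seconds (the access-stanza value wins over the 30-second dot1x knob), so the default OAC authperiod of 20 seconds is sufficient while an authperiod of 10 seconds is not. Pointing the check at a real configuration would mean exporting it with `show configuration | display set` and feeding that text in.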