R3303-HP HSR6800 Routers Security Configuration Guide
94
Configuring the quiet timer
The quiet timer enables the network access device to wait a period of time before it can process any
authentication request from a client that has failed an 802.1X authentication.
You can set the quiet timer to a high value in a vulnerable network or a low value for quicker
authentication response.
To configure the quiet timer:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable the quiet timer.
dot1x quiet-period
By default, the timer is disabled.
3. Set the quiet timer.
dot1x timer quiet-period
quiet-period-value
Optional.
The default setting is 60 seconds.
Enabling the periodic online user re-authentication
function
Periodic online user re-authentication tracks the connection status of online users and updates the
authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The
re-authentication interval is user configurable.
To enable the periodic online user re-authentication function:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Set the periodic
re-authentication timer.
dot1x timer reauth-period
reauth-period-value
Optional.
The default setting is 3600
seconds.
3. Enter Ethernet interface view.
interface interface-type
interface-number
N/A
4. Enable periodic online user
re-authentication.
dot1x re-authenticate By default, the function is disabled.
The periodic online user re-authentication timer can also be set by the authentication server in the
session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and
enables periodic online user re-authentication, even if the function is not configured. Support for the
server assignment of re-authentication timer and the re-authentication timer configuration on the server
vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If the authentication
server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If
the authentication server has assigned no VLAN before re-authentication, it must not assign one at
re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an
online user before and after re-authentication can be the same or different.