R2511-HP MSR Router Series Security Command Reference(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

151

152

153

154

155

156

157

158

159

160

140

Default

The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is

3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the

username request timeout timer is 30 seconds.

Views

System view

Default command level

2: System level

Parameters

handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.

quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.

reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to

86400.

server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.

supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.

tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.

Usage guidelines

You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to

a high value in a vulnerable network or a low value for quicker authentication response, or adjust the

server timeout timer to adapt to the performance of different authentication servers. In most cases, the

default settings are sufficient.

The network device uses the following 802.1X timers:

• Handshake timer (handshake-period)—Sets the interval at which the access device sends client

handshake requests to check the online status of a client that has passed authentication. If the

device receives no response after sending the maximum number of handshake requests, it considers

that the client has logged off.

• Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait

the time period before it can process the authentication attempts from the client.

• Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device

periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication

on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication

timer applies to the users that have been online only after the old timer expires.

• Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS

Access-Request packet to the authentication server. If no response is received when this timer

expires, the access device retransmits the request to the server.

• Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5

Challenge packet to a client. If no response is received when this timer expires, the access device

retransmits the request to the client.

• Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity

packet to a client in response to an authentication request. If the device receives no response before

this timer expires, it retransmits the request. The timer also sets the interval at which the network

device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request

authentication.