R0106-HP MSR Router Series Security Command Reference(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR2003 AC Router

141

142

143

144

145

146

147

148

149

150

133

server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the

server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the

supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the

tx-period-value argument is 10 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on your network

conditions:

• In a low-speed network, increase the client timeout timer.

• In a vulnerable network, set the quiet timer to a high value.

• In a high-performance network with quick authentication response, set the quiet timer to a low

value.

• In a network with authentication servers of different performance, adjust the server timeout timer.

The periodic reauthentication timer does not take effect if the server has assigned a session timeout timer

to the device.

The network device uses the following 802.1X timers:

• Handshake timer (handshake-period)—Sets the interval at which the access device sends client

handshake requests to check the online status of a client that has passed authentication. If the

device receives no response after sending the maximum number of handshake requests, it considers

that the client has logged off.

• Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait

the time period before it can process the authentication attempts from the client.

• Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device

periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication

on a port, use the dot1x re-authenticate command. The change to the periodic reauthentication

timer applies to the users who have been online only after the old timer expires.

• Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS

Access-Request packet to the authentication server. If no response is received when this timer

expires, the access device retransmits the request to the server.

• Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5

Challenge packet to a client. If no response is received when this timer expires, the access device

retransmits the request to the client.

• Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity

packet to a client in response to an authentication request. If the device receives no response before

this timer expires, it retransmits the request. The timer also sets the interval at which the network

device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request

authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x