I'm labbing up a wired 802.1x config - initially using a Ruckus ICX7450 and Aruba 335 AP.
I'm using NPS as a RADIUS server. Authenticating wireless clients via 802.1x isn't a problem.
The AP switch port is enabled for 802.1x in multi-host mode, and correctly authenticates - allowing wired & wireless traffic to pass.
I was wondering how session timeouts, re-auth periods, etc. are normally handled. By default, the NPS server sends the switch a 30s session timeout parameter, which seems a little short, but I can override this easily if required.
The problem with the re-auth process at the end of the session timeout is that it puts the switch port in an unauthorised state in a different VLAN for a very short time. Some packets will drop from wired clients (and the AP on the management VLAN) while the re-auth process takes place, which means I can't roll it out in this state.
Do people generally set long session-timeout values? That doesn't seem like the best solution as it could still result in some disruption unless we are careful and ensure sessions timeout after hours.
I have an active support contract so will see what Ruckus have to say but I'd be interested in your thoughts as well.
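The behaviour described above is driven by two standard RADIUS attributes in the Access-Accept: Session-Timeout (type 27) and Termination-Action (type 29). Per RFC 2865 and RFC 3580, Termination-Action = RADIUS-Request (1) tells the authenticator to re-authenticate the supplicant when Session-Timeout expires, while the default value (0) tells it to end the session; the VLAN the port lands in comes from the RFC 2868 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN). The following is an added example, not code from the post or from Ruckus or Microsoft: a small RFC 2865 attribute encoder/decoder and a helper that states what the switch should do with the timeout pair it was handed. The Access-Accept it decodes is constructed inline (placeholder authenticator, identifier 7, VLAN "100"); it is not a capture from the NPS server or the ICX switch.

```python
"""Decode the RADIUS attributes that drive 802.1X re-authentication.

Added example: minimal RFC 2865 / RFC 2868 attribute encode/decode plus a
helper that reports the Session-Timeout / Termination-Action decision the
authenticator (switch) should make. The sample packet is constructed here.
"""
import struct

ACCESS_ACCEPT = 2

# RFC 2865 / RFC 2868 attribute types
SESSION_TIMEOUT = 27          # seconds until the session ends or is re-authenticated
IDLE_TIMEOUT = 28             # seconds of inactivity before the session ends
TERMINATION_ACTION = 29       # 0 = Default (terminate), 1 = RADIUS-Request (re-auth)
TUNNEL_TYPE = 64              # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID or name as a string

INT_ATTRS = {SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION}
TAGGED_INT_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def encode_attr(atype, value, tag=None):
    """One TLV: Type, Length (including the 2-byte header), Value."""
    if atype in TAGGED_INT_ATTRS:
        payload = bytes([tag or 0]) + value.to_bytes(3, "big")   # tag + 24-bit value
    elif atype == TUNNEL_PRIVATE_GROUP_ID:
        payload = (bytes([tag]) if tag else b"") + value.encode()
    elif isinstance(value, int):
        payload = struct.pack("!I", value)
    else:
        payload = value
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(payload) + 2]) + payload


def build_access_accept(identifier, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then attributes.
    The Response Authenticator is taken as given; a real one is MD5 over the
    packet and the shared secret, which this example does not model."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(encode_attr(*a) for a in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(data):
    """Walk the TLV list, rejecting lengths RFC 2865 forbids. Later duplicates win."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        payload = data[pos + 2:pos + alen]
        if atype in INT_ATTRS or atype in TAGGED_INT_ATTRS:
            if len(payload) != 4:
                raise ValueError(f"attribute {atype} must carry 4 bytes")
            if atype in INT_ATTRS:
                value = struct.unpack("!I", payload)[0]
            else:
                value = (payload[0], int.from_bytes(payload[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; otherwise it is part of the string
            if payload and payload[0] <= 0x1F:
                value = (payload[0], payload[1:].decode(errors="replace"))
            else:
                value = (0, payload.decode(errors="replace"))
        else:
            value = payload
        attrs[atype] = value
        pos += alen
    return attrs


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, identifier, pkt[4:20], parse_attrs(pkt[20:length])


def assigned_vlan(attrs):
    """VLAN from the RFC 2868 tunnel triple, only if the tags agree and it is a VLAN/802 tunnel."""
    ttype, medium, group = (attrs.get(k) for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if not (ttype and medium and group):
        return None
    if ttype[0] != medium[0] != group[0] and not (ttype[0] == medium[0] == group[0]):
        return None
    if ttype[1] != 13 or medium[1] != 6:
        return None
    return group[1]


def reauth_policy(attrs):
    """RFC 3580 reading of the Access-Accept: with Termination-Action = RADIUS-Request (1)
    the port re-authenticates when Session-Timeout expires; otherwise the session ends."""
    timeout = attrs.get(SESSION_TIMEOUT)
    vlan = assigned_vlan(attrs)
    if timeout is None:
        return {"action": "none", "after": None, "vlan": vlan}
    action = "reauthenticate" if attrs.get(TERMINATION_ACTION) == 1 else "terminate"
    return {"action": action, "after": timeout, "vlan": vlan}


# Constructed sample: what a 30-second re-auth policy with VLAN 100 looks like on the wire.
SAMPLE_ACCEPT = build_access_accept(
    identifier=7,
    authenticator=bytes(range(16)),   # placeholder, not a real Response Authenticator
    attrs=[
        (SESSION_TIMEOUT, 30),
        (TERMINATION_ACTION, 1),
        (TUNNEL_TYPE, 13, 1),
        (TUNNEL_MEDIUM_TYPE, 6, 1),
        (TUNNEL_PRIVATE_GROUP_ID, "100", 1),
    ],
)

if __name__ == "__main__":
    code, ident, _auth, attrs = parse_packet(SAMPLE_ACCEPT)
    print(f"code={code} id={ident} policy={reauth_policy(attrs)}")
```

Running it against the constructed packet reports the policy the switch is meant to apply: re-authenticate after 30 seconds, on VLAN 100. When checking a real NPS policy, confirm both attributes in the Access-Accept (a packet capture on the switch's RADIUS port shows them as attributes 27 and 29): raising Session-Timeout alone only lengthens the interval, while a missing or Default Termination-Action means the port drops the session rather than re-authenticating it.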