netlogin dot1x timers

  • Question
  • Updated 3 years ago
  • Answered
I have set up a lab environment for 802.1x auth that is meant to be used by around 400 people in an office with "mobile" workspaces, meaning people will not have a specific work desk.

I have around 10+ Summit X440 switches. These will only use L2 because they are connected to a Juniper EX3300 that does the actual routing.

The RADIUS is a Microsoft NPS server that tells the switch which vlan each host will be elected.

I have a guest vlan, an auth vlan, and client-specific vlans (sales, tech, economy and so on).
This works very well and all, but I'm trying to tweak the timers for auth failure and for when the host does not have 802.1x enabled.

Not sure if I'm doing this correctly, but I have set up a few specific timers.
But I'm wondering if someone has a good working setup for this?
At the moment it takes a good few minutes for the switch to fail over to the guest vlan if the connected host has 802.1x enabled but is missing some credentials, like a correct certificate.
It also takes some time (but not as much) to fail over to the guest vlan for hosts that do not have 802.1x enabled.

This is my netlogin conf:

configure netlogin vlan authvlan
enable netlogin dot1x mac web-based
configure netlogin dot1x timers server-timeout 5
configure netlogin dot1x timers supp-resp-timeout 5
enable netlogin ports 1 dot1x
enable netlogin dot1x guest-vlan ports 1
configure netlogin dot1x guest-vlan guest ports 1
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
enable netlogin authentication failure vlan ports 1-24
enable netlogin authentication service-unavailable vlan ports 1-24
configure netlogin authentication failure vlan nodotx ports 1
configure netlogin authentication service-unavailable vlan guest ports 1

Per Lejon

Posted 3 years ago

Per Lejon

Solved it. I just changed the following settings.


configure netlogin dot1x timers quiet-period 5 (default was 60)


Now everything works as intended.

When a computer boots up, it will be in the guest network.

And when a user logs in, they are placed in their assigned vlan from the NPS server.
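
With 10+ switches carrying the same netlogin setup, a small check can confirm that every saved configuration sets the three timers from this thread explicitly. The script below is an added example, not part of the original posts or of any Extreme Networks tooling; the function names and the sample configuration text are constructed, and the expected values are the ones the poster reports using.

```python
import re

# Timer values the poster ended up with (taken from the thread above).
WANTED = {"server-timeout": 5, "supp-resp-timeout": 5, "quiet-period": 5}

TIMER_LINE = re.compile(r"^configure netlogin dot1x timers\s+(.+)$")
# Assumption: one line may carry several "name seconds" pairs.
PAIR = re.compile(r"([a-z-]+)\s+(\d+)")

def parse_timers(config: str) -> dict:
    """Collect dot1x timers set explicitly; a later line overrides an earlier one."""
    timers = {}
    for raw in config.splitlines():
        m = TIMER_LINE.match(raw.strip())
        if m:
            for name, value in PAIR.findall(m.group(1)):
                timers[name] = int(value)
    return timers

def audit(config: str, wanted: dict = WANTED) -> list:
    """Return one finding per timer that is unset or differs from `wanted`."""
    found = parse_timers(config)
    findings = []
    for name, value in wanted.items():
        if name not in found:
            findings.append(f"{name}: not set, switch default applies")
        elif found[name] != value:
            findings.append(f"{name}: {found[name]}s, expected {value}s")
    return findings

# Constructed sample: timer lines from the question, before and after the fix.
BEFORE = """\
configure netlogin dot1x timers server-timeout 5
configure netlogin dot1x timers supp-resp-timeout 5
enable netlogin ports 1 dot1x
"""
AFTER = BEFORE + "configure netlogin dot1x timers quiet-period 5\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "ok")
```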