211
Parameter
Description
Mode
: Indicates if the NAS is globally enabled or disabled on the switchstack. If it is
globally disabled, all ports are allowed to forward the frames.
Reauthentication Enabled:
If checked, successfully authenticated supplicants/clients
are reauthenticated after the interval specified by the “Reauthentication Period”.
Reauthentication for 802.1X
-
enabled ports can be used to detect if a new device is
plugged into a switch port or if a supplicant is no longer attached.
For MAC
-
based ports, reauthentication is only useful if the RADIUS server
configuration has changed. It does not involve communication between the switch
and the client. Therefore, it doesn't imply that a client is still present on a port (see
“Aging Period” below).
Reauthentication Period:
Determines the period, in seconds, after which a
connected client must be reauthenticated. This is only active if the
“Reauthentication Enabled” checkbox is checked. The valid values are in the range 1
to 3600 seconds.
EASPOL Timeout:
Determines the time for retransmission of “Request Identity
EAPOL Frames”.
The valid values are in the range 1 to 255 seconds. This has no effect for MAC
-
based
ports.
Aging Period:
This setting applies to the following modes (e.g. modes using the port
security functionality to secure MAC addresses):
Single 802.1X
Multi 802.1X
MAC
-
Based Auth
When the NAS module uses the port security module to secure MAC addresses, the
port security module needs to check for activity on the MAC address in question at
regular intervals, and free any resources if there is no activity within a given period
of time. This parameter controls exactly this period and can be set to a number
between 10 and 1000000 seconds.
If reauthentication is enabled and the port is in an 802.1X
-
based mode, this is not
critical since the supplicants are no longer attached to the port. They will get
removed upon the next failed reauthentication. But if reauthentication is not
enabled, the only way to free resources is by aging the entries.
For ports in MAC
-
based Auth. mode, reauthentication doesn't cause direct
communication between the switch and the client. This will not detect whether the
client is still attached or not. The only way to free any resources is to age the entries.
Hold Time:
This setting applies to the following modes (e.g. modes using the port
security functionality to secure MAC addresses):
Single 802.1X
Multi 802.1X
MAC
-
Based Auth.
If a client is denied access
-
either because the RADIUS server denies the client
access or because the RADIUS server request times out (according to the timeout
specified on the "Configuration→Security→AAA" page)
-
the client is put on hold in
the “Unauthorized” state. The hold timer does not count during an on
-
going
authentication.
