HP ProCurve 9304M Security Manual page 99

Configuring 802.1X Port Security
specified amount of time and then retransmits the EAP-request/identity frame. You can specify the amount of time
the HP device waits before retransmitting the EAP-request/identity frame to the Client. This amount of time is
specified with the tx-period parameter. The tx-period parameter can be from 0 – 4294967295 seconds. The
default is 30 seconds.
For example, to cause the HP device to wait 60 seconds before retransmitting an EAP-request/identity frame to a
Client, enter the following command:
ProCurveRS(config-dot1x)# timeout tx-period 60
Syntax: [no] timeout tx-period <seconds>
If the Client does not send back an EAP-response/identity frame within 60 seconds, the device will transmit
another EAP-request/identity frame.
Specifying the Security Hold Time
The multiple-hosts command (see "Allowing Access to Multiple Hosts" on page 4-14) allows more than one
802.1X Client to connect on an interface. However, when the multiple-hosts command is not used in an interface's
configuration, only one Client can connect on the interface. If the HP device detects multiple Clients trying to
connect on an interface when the multiple-hosts command is not present in the interface's configuration, the
interface enters the unauthorized state for a specified amount of time. This amount of time is specified with the
security-hold-time parameter. The security-hold-time parameter can be from 1 – 4294967295 seconds. The
default is 60 seconds.
For example, the following command causes the device to place an interface in the unauthorized state for 120
seconds when it detects more than one 802.1X Client trying to connect on the interface:
ProCurveRS(config-dot1x)# timeout security-hold-time 120
Syntax: [no] timeout security-hold-time <seconds>
NOTE: When the port-control parameter on an 802.1X-enabled interface is set to force-authorized, the HP
device allows connections from multiple Clients, regardless of whether the multiple-hosts parameter is used in
the interface's configuration.
Specifying the Number of EAP-Request/Identity Frame Retransmissions
If the HP device does not receive an EAP-response/identity frame from a Client, the device waits 30 seconds (or the
amount of time specified with the timeout tx-period command), then retransmits the EAP-request/identity frame.
By default, the HP device retransmits the EAP-request/identity frame a maximum of two times. If no EAP-
response/identity frame is received from the Client after two EAP-request/identity frame retransmissions, the
device restarts the authentication process with the Client.
You can optionally specify between 1 – 10 frame retransmissions. For example, to configure the device to
retransmit an EAP-request/identity frame to a Client a maximum of three times, enter the following command:
ProCurveRS(config-dot1x)# maxreq 3
Syntax: maxreq <value>
Specifying a Timeout for Retransmission of Messages to the Authentication Server
When performing authentication, the HP device receives EAPOL frames from the Client and passes the
messages on to the RADIUS server. The device expects a response from the RADIUS server within 30 seconds.
If the RADIUS server does not send a response within 30 seconds, the HP device retransmits the message to the
RADIUS server. The time constraint for retransmission of messages to the Authentication Server can be between
0 – 4294967295 seconds.
For example, to configure the device to retransmit a message if the Authentication Server does not respond within
45 seconds, enter the following command:
ProCurveRS(config-dot1x)# servertimeout 45
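A configuration audit for the four timers above, added here as an example and not taken from the HP manual: it checks each value against the ranges this page gives and computes how long the identity phase can run before the device restarts authentication. The audit and identity_window names and the sample configuration are constructed, and two things are assumptions: that each retransmission is followed by one more tx-period wait, and that the no form of a command restores its default.

```python
import re

# (min, max, default) as documented on this page.
LIMITS = {
    "timeout tx-period": (0, 4294967295, 30),
    "timeout security-hold-time": (1, 4294967295, 60),
    "maxreq": (1, 10, 2),
    "servertimeout": (0, 4294967295, 30),
}
LINE = re.compile(r"^(no )?(%s)(?: (\S+))?$" % "|".join(LIMITS))

def audit(config_text):
    """Return (effective settings, findings) for a dot1x configuration block."""
    settings = {cmd: lim[2] for cmd, lim in LIMITS.items()}
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        # Drop a leading "ProCurveRS(config-dot1x)#" prompt and normalise spacing.
        line = " ".join(raw.split("#", 1)[-1].split())
        m = LINE.match(line)
        if not m:
            continue  # not one of the four timer commands
        negated, cmd, value = m.groups()
        lo, hi, default = LIMITS[cmd]
        if negated:
            settings[cmd] = default  # assumption: "no" restores the default
        elif value is None or not value.isdigit() or not lo <= int(value) <= hi:
            findings.append(f"line {n}: '{line}' not in {lo}-{hi}")
        else:
            settings[cmd] = int(value)
    return settings, findings

def identity_window(settings):
    """Seconds from the first EAP-request/identity frame to an authentication
    restart: the initial frame plus maxreq retransmissions, each followed by
    one tx-period wait (assumption, see lead-in)."""
    return settings["timeout tx-period"] * (settings["maxreq"] + 1)

# Constructed sample: the page's four example commands plus two bad values.
SAMPLE = """\
ProCurveRS(config-dot1x)# timeout tx-period 60
ProCurveRS(config-dot1x)# timeout security-hold-time 120
ProCurveRS(config-dot1x)# maxreq 3
ProCurveRS(config-dot1x)# servertimeout 45
maxreq 11
timeout security-hold-time 0
"""

if __name__ == "__main__":
    effective, problems = audit(SAMPLE)
    print(effective, problems, identity_window(effective), sep="\n")
```

With the page's example values (tx-period 60, maxreq 3), an unresponsive Client holds the port in the identity phase for 240 seconds before authentication restarts, which is worth knowing when sizing these timers against supplicant boot times.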
June 2005
4 - 13
