Planet WGSW-24040 User Manual page 145

•
RADIUS Secret
•
Reauthentication
Enabled
•
Reauthentication
Period
• EAP Timeout
• Age Period
• Hold Time
The secret - up to 29 characters long - shared between the RADIUS Server and
the switchstack.
If checked, clients are reauthenticated after the interval specified by the
Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used
to detect if a new device is plugged into a switch port.
For MAC-based ports, reauthentication is only useful if the RADIUS server
configuration has changed. It does not involve communication between the
switch and the client, and therefore doesn't imply that a client is still present on a
port (see Age Period below).
Determines the period, in seconds, after which a connected client must be
reauthenticated. This is only active if the Reauthentication Enabled checkbox is
checked. Valid values are in the range 1 to 3600 seconds.
Determines the time the switch shall wait for the supplicant response before
retransmitting a packet. Valid values are in the range 1 to 255 seconds. This has
no effect for MAC-based ports.
This setting applies to ports running MAC-based authentication, only.
Suppose a client is connected to a 3rd party switch or hub, which in turn is
connected to a port on this switch that runs MAC-based authentication, and
suppose the client gets successfully authenticated. Now assume that the client
powers down his PC. What should make the switch forget about the
authenticated client? Reauthentication will not solve this problem, since this
doesn't require the client to be present, as discussed under Reauthentication
Enabled above. The solution is aging of authenticated clients. The Age Period,
which can be set to a number between 10 and 1000000 seconds, works like this:
A timer is started when the client gets authenticated. After half the age period, the
switch starts looking for frames sent by the client. If another half age period
elapses and no frames are seen, the client is considered removed from the
system, and it will have to authenticate again the next time a frame is seen from
it. If, on the other hand, the client transmits a frame before the second half of the
age period expires, the switch will consider the client alive, and leave it
authenticated, and restart the age timer.
This setting applies to ports running MAC-based authentication, only.
If the RADIUS server denies a client access, or a RADIUS server request times
out (after 40 seconds with two retries), the client is put on hold in the
Unauthorized state. In this state, frames from the client will not cause the switch
to attempt to reauthenticate the client. The Hold Time, which can be set to a
number between 10 and 1000000 seconds, determines the time after an EAP
Failure indication or RADIUS timeout that a client is not allowed access.
145
User's Manual of WGSW-24040 / WGSW-24040R
SGSW-24040 / SGSW-24040R