Configuring Authentication Holdoffs, Timeouts, And Intervals - Cisco ISR Configuration Manual

Chapter 6 Configuring Authentication Types
Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication
caching. This example shows how to enable MAC authentication caching with a one-hour timeout:
ap# configure terminal
ap(config)# dot11 aaa authentication mac-authen filter-cache timeout 3600
ap(config)# end

Configuring Authentication Holdoffs, Timeouts, and Intervals

Beginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication
periods, and authentication timeouts for client devices authenticating through your access point:
Command
Step 1 configure terminal
Step 2 dot11 holdoff-time seconds
Step 3
interface dot11radio { 0 | 1 }
Step 4
dot1x client-timeout seconds
Step 5
dot1x reauth-period { seconds |
server }
OL-6415-04
Purpose
Enter global configuration mode.
Enter the number of seconds a client device must wait before it
can reattempt to authenticate following a failed authentication.
The holdoff time is invoked when a client fails three login
attempts or fails to respond to three authentication requests
from the access point. Enter a value from 1 to 65555 seconds.
Enter interface configuration mode for the radio interface. The
2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Enter the number of seconds the access point should wait for a
reply from a client attempting to authenticate before the
authentication fails. Enter a value from 1 to 65555 seconds.
Enter the interval in seconds that the access point waits before
forcing an authenticated client to reauthenticate.
Enter the server keyword to configure the access point to use
the reauthentication period specified by the authentication
server. If you use this option, configure your authentication
server with RADIUS attribute 27, Session-Timeout. This
attribute sets the maximum number of seconds of service to be
provided to the client before termination of the session or
prompt. The server sends this attribute to the access point when
a client device performs EAP authentication.
If you configure both MAC address authentication and
Note
EAP authentication for an SSID, the server sends the
Session-Timeout attribute for both MAC and EAP
authentications for a client device. The access point
uses the Session-Timeout attribute for the last
authentication that the client performs. For example, if
a client performs MAC address authentication and then
performs EAP authentication, the access point uses the
server's Session-Timeout value for the EAP
authentication. To avoid confusion on which
Session-Timeout attribute is used, configure the same
Session-Timeout value on your authentication server
for both MAC and EAP authentication.
Cisco Wireless ISR and HWIC Access Point Configuration Guide
Configure Authentication Types
6-15