EAPOL settings and troubleshooting

I had just installed a new AP onto a wireless network of ours that is configured using PEAP with 802.1X authentication this week and was having no end of trouble with clients connecting to it. It seemed to work for about one minute and then things turned decidedly pear-shaped, and eventually the entire laptop would lock up, requiring a restart to correct.

All of my IAS logs indicated that nothing was wrong and neither did the event viewer on the client PC. At my wits' end, I started messing around with the EAPOL settings on the clients, and within 30 minutes it was fixed.

A little research into what exactly EAPOL is returned: "EAPOL is the Extensible Authentication Protocol over LAN, it is used for 802.1X Port Access Control. 802.1X can be used to authenticate at 'network connect time' when using either wired or wireless LAN adapters."

I investigated further as to what these settings meant and came up with the following:

EAPOL-Start message: Specifies the transmission behavior of the EAPOL-Start message when authenticating. You can select from the following:

  • Do not transmit: Specifies that EAPOL-Start messages are not sent.
  • Transmit: Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.
  • Transmit per 802.1x: Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.

Max Start: Specifies the number of successive EAPOL-Start messages that are sent out when no response to the initial EAPOL-Start messages is received.

Start period: Specifies the interval, in seconds, between the retransmission of EAPOL-Start messages when no response to the previously sent EAPOL-Start message is received.

Held period: Specifies the period, in seconds, for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.

Authentication period: Specifies the interval, in seconds, for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.

I found the following settings worked for me:

Max start : 3
Start period : 10
Held period : 10
Authentication period :
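
To see how these timers interact, the following added example (not from the original post and not any vendor's supplicant code) is a simplified Python model of the client behaviour as the settings are described above. It uses the Max start, Start period and Held period values listed. The 30-second Authentication period, the reading of Max start as the total number of EAPOL-Start messages, and the scenario inputs are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Timers:
    max_start: int = 3      # from the post
    start_period: int = 10  # seconds, from the post
    held_period: int = 10   # seconds, from the post
    auth_period: int = 30   # seconds, ASSUMED: the post gives no value

def simulate(t, reply_after, outcomes, limit=300):
    """Return [(second, event), ...] for one client under a constructed scenario.

    reply_after: seconds the authenticator takes to answer once the client
                 starts trying, or None if it never answers.
    outcomes:    result of each exchange in order: "success", "failure",
                 or "timeout" (no result ever arrives).
    """
    now, events, pending = 0, [], list(outcomes)
    window = t.max_start * t.start_period
    while now < limit:
        # Send EAPOL-Start every start_period until answered or max_start is hit.
        for k in range(t.max_start):
            if reply_after is not None and reply_after <= k * t.start_period:
                break
            events.append((now + k * t.start_period, "EAPOL-Start"))
        if reply_after is None or reply_after >= window:
            events.append((now + window, "no response, stop sending"))
            return events
        now += reply_after
        events.append((now, "EAP-Request received"))
        result = pending.pop(0) if pending else "timeout"
        if result == "success":
            events.append((now, "authenticated"))
            return events
        if result == "failure":
            # Held period: no 802.1X activity after a failure indication.
            events.append((now, "failure, holding"))
            now += t.held_period
        else:
            # Authentication period expired with no result: try again.
            now += t.auth_period
            events.append((now, "authentication period expired"))
    return events

if __name__ == "__main__":
    # Constructed scenarios: silent AP, one rejected attempt, slow AP with a stalled exchange.
    for scenario in ((None, []), (2, ["failure", "success"]), (25, ["timeout", "success"])):
        print(scenario, simulate(Timers(), *scenario), sep="\n  ")
```

Comparing the timeline for a slow or silent authenticator against the timestamps in the IAS log shows whether the client stopped sending before the AP was ready to answer.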