Dot11i retry timeout and counter configuration

Yoshihiro Sato 3 years 7 months ago

Hi

I need your clarification.

We can see the below in the AP-5131 configuration file. (V2.2.2.0-001R)

1) What is this for? Is this for the parameter between AP and MU? (4-way handshake?)

2) Is this only available via CLI?

3) If timeout happens or retry-count exceeds, what will happen?

// Dot11i retry timeout and counter configuration
network
wireless
dot11i-retry
set handshake-timeout 1 2000
set handshake-retry-count 1 3

Best Regards


3 Replies

Robert Caporino

This setting is for the 4-way handshake. The default setting is 2000ms (2 seconds). In my opinion this default is too high for our devices and should be set for ~250ms by default. I always recommend tweaking this setting to optimize the network for roaming when using WPA or WPA2.

There isn't any specification as to how long to wait to send the initial (first) key in the sequence. What I have seen is that the AP usually sends out the first key in 1-2 ms after a successful association (I have seen this on most vendors' WLAN infrastructure). Most times the client device misses this and thus does not RA this key. In turn the AP has to retransmit it, so the client has to wait for this from the AP. That is 2 seconds before it gets the retransmitted key, and this goes for any of the keys in the sequence. As you can see, if you are roaming often, any missed keys can result in long roam times.

This is only available in the CLI.

At the default setting the AP will retry the key every 2000ms for the retry amount. If the AP gets no response from the client, the client has to begin the association process over again.

Hope this helps.

Frank Barta

If the client exceeds the timeout value and its amount of allowed retries, the AP will deauthenticate the client with a Reason Code 15 (4-Way Handshake timeout), or Reason Code 16 (Group Key Handshake timeout), depending on which key exchange the client is performing.
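One way to confirm this behaviour from a packet capture, as an added example that is not part of the original thread: the code below reads the reason code from raw 802.11 deauthentication frames and counts reason 15 and 16 per client. It assumes frames start at the MAC header (no radiotap header or FCS); the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

# Reason codes named in the reply above.
HANDSHAKE_TIMEOUTS = {15: "4-Way Handshake timeout", 16: "Group Key Handshake timeout"}

def parse_deauth(frame: bytes):
    """Return (destination MAC, reason code) for a readable deauth frame, else None."""
    if len(frame) < 26:                      # 24-byte MAC header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    if fc0 & 0x03 or (fc0 >> 2) & 0x03 != 0 or fc0 >> 4 != 12:
        return None                          # not version 0 / management / deauthentication
    if flags & 0x40:                         # Protected bit set: body is encrypted (802.11w)
        return None
    dest = ":".join(f"{b:02x}" for b in frame[4:10])
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code is little-endian
    return dest, reason

def handshake_timeouts(frames):
    """Count reason 15/16 deauthentications per client MAC."""
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed and parsed[1] in HANDSHAKE_TIMEOUTS:
            counts[(parsed[0], HANDSHAKE_TIMEOUTS[parsed[1]])] += 1
    return counts

def build_frame(subtype, dest, reason, flags=0):
    """Build a constructed sample management frame; the AP address is made up."""
    ap = bytes.fromhex("02aabbccdd01")
    header = bytes([subtype << 4, flags]) + b"\x00\x00" + dest + ap + ap + b"\x00\x00"
    return header + struct.pack("<H", reason)

MU_A = bytes.fromhex("02000000000a")         # constructed client addresses
MU_B = bytes.fromhex("02000000000b")
SAMPLE_FRAMES = [
    build_frame(12, MU_A, 15),               # 4-way handshake timed out
    build_frame(12, MU_A, 15),               # same client again on a later roam
    build_frame(12, MU_B, 16),               # group key handshake timed out
    build_frame(12, MU_B, 3),                # unrelated deauth reason, ignored
    build_frame(10, MU_A, 15),               # disassociation, not deauthentication
    build_frame(12, MU_A, 15, flags=0x40),   # protected frame, reason not readable
    build_frame(12, MU_B, 15)[:20],          # truncated capture
]

if __name__ == "__main__":
    for (mac, reason), n in sorted(handshake_timeouts(SAMPLE_FRAMES).items()):
        print(f"{mac}  {reason}: {n}")
```

A client that shows up repeatedly with reason 15 is one whose handshake never completes within the configured timeout and retry count.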

Yoshihiro Sato

Hi,

Thank you for all your clarification. Your input was very helpful for me to understand how it works, including the timeout behavior.

Please clarify one more thing. Is this parameter used for EAP frames? Meaning, does this parameter also affect 802.1x EAP?

Thanks in advance
