Just started playing with dot1x and dot1x authentication on Meraki APs. I have several questions. Authentication using an external RADIUS server works. Is there a default time period before the user is prompted to authenticate again? It seems the only way that we can force the user to reauthenticate is when the user deletes the SSID and re-joins.
Does the per user VLAN tagging using a RADIUS group policy attribute really work?
Looking at the do1x logging, we see numerous RADIUS response, 802.1X EAP success, 802.1X authentication event types for each client that seem to come at random time intervals. Are these message related to the client going through sleep/wake cycles?
If we change the user password on the RADIUS server, should the user be prompted to re-authenticate? That doesn't seem to happen.
Where, how are the credentials caches so authentication is not required each join you connect to the SSID?
One of the major advantages with 802.1x is the user is not prompted to keep authenticating. If it is a windows machine you typically authenticate using their Active Directory credentials - automatically - without them having to do anything. Otherwwse you usually just enter the username/password once, it gets saved on the machine, and used each time.
Yes, you can assign a group policy via RADIUS using the Filter-ID tag.
Not sure about the logging. I've just got used to seeing the events a lot, so I ignore things that don't mention errors.
If you change the users password, and you are using AD authentication, the user wont need to do anything. Otherwise the next time the user tries to authenticate it will fail and they will usually get prompted again.