https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049449#M158400 <HTML><HEAD></HEAD><BODY><P>I believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and its a race. You want the port to reauth when the AAA server becomes avail. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 24 Sep 2012 10:55:10 GMT PAUL SHELTON 2012-09-24T10:55:10Z https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049448#M158399 <P>Hi all,</P><P></P><P>I have a switch setup with dynamic vlan assignment. Everything works fine until the switch is rebooted. Then none of the pc's are authenticated anymore. I have to do a shut/no shut of all the user ports to start the re-authentication of the pc's.</P><P></P><P>This is the config I have so far. Am I missing something?</P><P></P><P>Thanks,</P><P></P><P>Best Regards,</P><P></P><P>Joris</P><P></P><P><SPAN style="text-decoration: underline;">Global commands</SPAN></P><P></P><P>aaa new-model<BR />aaa authentication dot1x default group radius<BR />aaa authorization network default group radius <BR />aaa accounting dot1x default start-stop group radius<BR />aaa accounting system default start-stop group radius<BR />aaa authorization exec default local if-authenticated<BR />aaa authorization commands 1 default local if-authenticated<BR />aaa authorization commands 15 default local if-authenticated<BR />dot1x system-auth-control<BR />dot1x guest-vlan supplicant<BR />dot1x critical eapol<BR />radius-server host x.x.x.x auth-port 1645 acct-port 1646 key *****<BR />radius-server vsa send accounting<BR />radius-server vsa send authentication</P><P></P><P><SPAN style="text-decoration: underline;">Interface-specific commands</SPAN></P><P></P><P>switchport mode access<BR />switchport nonegotiate<BR />switchport port-security maximum 5<BR />switchport port-security<BR />switchport port-security violation restrict<BR />authentication event fail action authorize vlan 200<BR />authentication event server dead action authorize vlan 110<BR />authentication event no-response action authorize vlan 200<BR />authentication order mab dot1x<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />mab<BR />no snmp trap link-status<BR />dot1x pae authenticator<BR />dot1x timeout quiet-period 3<BR />dot1x timeout tx-period 3<BR />dot1x max-req 1<BR />storm-control broadcast level 1.00<BR />storm-control multicast level 1.00<BR />storm-control action shutdown<BR />storm-control action trap<BR />no cdp enable<BR />no cdp tlv server-location <BR />no cdp tlv app<BR />spanning-tree portfast<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 02:34:58 GMT https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049448#M158399 Joris Deprouw 2019-03-11T02:34:58Z https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049449#M158400 <HTML><HEAD></HEAD><BODY><P>I believe you will need to tell your ports what action to take when the AAA server becomes available. It knows what to do when it's dead or unavailable, but has the default setting when it is returned to service. Likely the switch is tripping AAA dead or non-responsive for a bit during boot and its a race. You want the port to reauth when the AAA server becomes avail. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 24 Sep 2012 10:55:10 GMT https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049449#M158400 PAUL SHELTON 2012-09-24T10:55:10Z https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049450#M158401 <HTML><HEAD></HEAD><BODY><P> Hello Paul,</P><P></P><P>So If I add the following line to my interface specific config it should be ok.</P><P></P><P>"authentication timer reauthenticate server"</P><P></P><P>I'll give it a try.</P><P></P><P>Thanks,</P><P></P><P>Best Regards,</P><P></P><P>Joris</P></BODY></HTML> Mon, 24 Sep 2012 10:58:19 GMT https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049450#M158401 Joris Deprouw 2012-09-24T10:58:19Z https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049451#M158402 <HTML><HEAD></HEAD><BODY><P>More like</P><P></P><P>Authentication event server alive action reinitialize (or reauthenticate). It's an R word. The command is definitely an auth event command not a timer however. Think of it as post failure recovery. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 24 Sep 2012 11:03:36 GMT https://community.cisco.com/t5/network-access-control/dot1x-clients-not-authenticated-after-reload/m-p/2049451#M158402 PAUL SHELTON 2012-09-24T11:03:36Z