topic Re: Force authentication on newly configured port in Network Access Control

Force authentication on newly configured port

jeremy.hinton — Wed, 29 Jan 2020 16:29:44 GMT

When first configuring authentication on a switch (in this case a 2960X running 15.2(2)E10), how can you authenticate a port for the first time without bouncing it? I've got a port that is already up, with a device connected, and no authentication configured. When I then configure dot1x/mab on the port, it stays up and running without attempting to authenticate. In order for the initial authentication to happen, I have to bounce the port. I'm trying to find a way to just have a newly configured port authenticate without having to bounce it first. I've tried clearing authentication on the port, clearing mac addresses, setting it to force-authorized, nothing seems to work.

The issue is, if I have to bounce the port, it cuts PoE to any phone attached and causes a multi-minute outage. Since our initial rollout is low-impact mode with authentication open, if I can force a newly configured port to authenticate without a bounce, I can do it non-disruptively and outside of a maintenance window. Any suggestions?

Re: Force authentication on newly configured port

Colby LeMaire — Wed, 29 Jan 2020 18:15:53 GMT

Usually I would recommend to clear the sessions on the port using "clear auth sess int gx/y" but it sounds like you already tried that. What about removing the "dot1x port-control auto" command and then putting back in?

Re: Force authentication on newly configured port

jeremy.hinton — Wed, 29 Jan 2020 18:41:14 GMT

It was "authentication port-control auto", but that did it. Thank you very much!

Re: Force authentication on newly configured port

Colby LeMaire — Wed, 29 Jan 2020 19:03:33 GMT

Excellent, glad that worked!