https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710294#M507476 <P>Hello,</P> <P>&nbsp;</P> <P>I have a switch port configured to authenticate with order first MAB and then dot1X. The priority has been setup in the opposite way, first dot1X then MAB. I would like to re-authenticate devices (phones in this case) but it seems when I run "clear dot1x int ..." or "clear authentication sessions int ..." the switch is not sending the EAP-Request/Identity and MAB occurs after running them.</P> <P>&nbsp;</P> <P>Is there any command to force the switch to use dot1X send the&nbsp;<SPAN>EAP-Request/Identity to the endpoint? Unfortunately, I cannot change the switch port configuration and shut/no shut is not allowed either.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks and regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Víctor.</SPAN></P> Thu, 20 Sep 2018 09:31:07 GMT victguti 2018-09-20T09:31:07Z https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710294#M507476 <P>Hello,</P> <P>&nbsp;</P> <P>I have a switch port configured to authenticate with order first MAB and then dot1X. The priority has been setup in the opposite way, first dot1X then MAB. I would like to re-authenticate devices (phones in this case) but it seems when I run "clear dot1x int ..." or "clear authentication sessions int ..." the switch is not sending the EAP-Request/Identity and MAB occurs after running them.</P> <P>&nbsp;</P> <P>Is there any command to force the switch to use dot1X send the&nbsp;<SPAN>EAP-Request/Identity to the endpoint? Unfortunately, I cannot change the switch port configuration and shut/no shut is not allowed either.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks and regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN>Víctor.</SPAN></P> Thu, 20 Sep 2018 09:31:07 GMT https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710294#M507476 victguti 2018-09-20T09:31:07Z https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710397#M507478 <P>I believe that is the downside of doing mab first, which is something I never do.&nbsp; When you do MAB first you are forcing the connecting device to initiate Dot1x which some devices like Macs are only responders.&nbsp; In addition, as you are seeing you may have issues during reauthentication.</P> Thu, 20 Sep 2018 12:39:10 GMT https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710397#M507478 paul 2018-09-20T12:39:10Z https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710674#M507483 <P>You can force reauthentcation using 802.1X by adding Cisco VSA:termination-action-modifier=1 to the authorization profile along with the reauthentication parameters even when the ordering dictates MAB first. Please see '802.1X and MAB ordering section' of the following document for more information:&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--1759816418" target="_blank">https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--1759816418</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="115156_Screen Shot 2018-02-11 at 8.43.48 AM.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/19009i733666665DB80D3E/image-size/large?v=v2&amp;px=999" role="button" title="115156_Screen Shot 2018-02-11 at 8.43.48 AM.png" alt="115156_Screen Shot 2018-02-11 at 8.43.48 AM.png" /></span></P> Thu, 20 Sep 2018 19:20:03 GMT https://community.cisco.com/t5/network-access-control/re-authentication-force-dot1x/m-p/3710674#M507483 howon 2018-09-20T19:20:03Z