topic dot1x max-reauth-req in Network Access Control

dot1x max-reauth-req

Mukesh-Kumar — Mon, 31 Mar 2025 00:59:37 GMT

As per Cisco Deployment Guidelines "ISE Secure Wired Access Prescriptive Deployment Guide" , dot1x max-reauth-req 3 is defined on interface level. As per MAC Authentication Bypass Deployment Guide - Cisco, while configuring both MAB and dot1x on a interface , "switch waits for a period of time defined by dot1x timeout tx-period and then sends another Request- Identity frame. The number of times it resends the Request-Identity frame is defined by dot1x max-reauth-req.

The combination of tx-period and max-reauth-req is especially important to MAB endpoints in an IEEE 802.1X- enabled environment. MAB endpoints must wait until IEEE 802.1X times out before attempting network access through a fallback mechanism. The total time it takes for IEEE 802.1X to time out is determined by the following formula:

Timeout = (max-reauth-req +1) * tx-period

Question: Is there any initial attempt by default, so (1 initial + 2 re-attempts). So the interface configuration should look like dot1x max-reauth-req 2 instead of dot1x max-reauth-req 3.

@PSM @Greg Gibbs @Rob Ingram @MHM Cisco World

Re: dot1x max-reauth-req

Arne Bier — Mon, 31 Mar 2025 23:39:20 GMT

What do you mean by "initial attempt by default" ?

In my lab I have this

rnolab-cml-v9k#show run int gi 1/0/1 Building configuration... Current configuration : 392 bytes ! interface GigabitEthernet1/0/1 description PC1 switchport access vlan 10 switchport mode access device-tracking attach-policy IPDT_POLICY authentication periodic authentication timer reauthenticate server access-session port-control auto mab dot1x pae authenticator dot1x timeout tx-period 5 spanning-tree portfast service-policy type control subscriber PORT-AUTH-POLICY-I end

rnolab-cml-v9k#show dot1x interface gigabitEthernet 1/0/1 Dot1x Info for GigabitEthernet1/0/1 -------------------------------------------- PAE = AUTHENTICATOR QuietPeriod = 60 ServerTimeout = 0 SuppTimeout = 30 ReAuthMax = 2 MaxReq = 2 TxPeriod = 5

Re: dot1x max-reauth-req

Mukesh-Kumar — Tue, 01 Apr 2025 13:34:10 GMT

Firstly, Thank you @Arne Bier for your feedback and time. Highly appreciate.

Here is configuration , I have, given below. Mab devices , in this case, I am particularly referring for Avaya Phone. Those phones, reboot, before IP being assigned. In our IBNS 2.0 Policy, dot1x is first preference, followed by MAB. Mab device (Avaya Phone) must wait until 802.1x times out before access network through MAB. As per Cisco documentation, Cisco Catalyst switches have default values of tx-period = 30 seconds and max-reauth-req = 2.

Cisco documentation shows formula Timeout = (max-reauth-req +1) * tx-period. I meant initial was to, if by default max-reauth-req is 2 and as per Timeout formula 1 is being added to number of attempts (max-reauth-req).

My question is , if at interface level I should define max-reauth-req to 2 or 3. I am referring to formula in this documentation ( Figure 6 https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html). If I look at formula 1 is being added to make dot1x attempts to 3.

I want to minimize the timeout period, so that Avaya phones get assigned IP, hence, thereafter, get authenticate using MAB.

ISETestSwitch-3#show dot1x interface gigabitEthernet 1/0/14
Dot1x Info for GigabitEthernet1/0/14
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7

ISETestSwitch-3#show running-config interface gigabitEthernet 1/0/14
Building configuration...

Current configuration : 691 bytes
!
interface GigabitEthernet1/0/14
description "Closed Mode"
switchport access vlan 288
switchport mode access
switchport voice vlan 3288
device-tracking attach-policy IPDT_POLICY
no cdp enable
authentication periodic
authentication timer reauthenticate server
authentication timer unauthorized 600
access-session control-direction in
access-session closed
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
auto qos trust
spanning-tree portfast
service-policy type control subscriber DOT1X_MAB_POLICY
service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
service-policy output AutoQos-4.0-Output-Policy

Re: dot1x max-reauth-req

Arne Bier — Wed, 02 Apr 2025 00:07:10 GMT

Hi @Mukesh-Kumar

One important thing to remember, is that the dot1x timer only starts when the session starts, and not when the interface link goes up. It's very possible and also very common that if the switch interface link goes UP/UP, but there is no MAC address learned on the interface yet, then the session will not be created. As soon as the switch learns a MAC address, the session manager comes to life. In your case, with DOT1X 1st, the switch will now wait (3 + 1) * 7 seconds (28 seconds) for an EAPOL frame from the supplicant, or for a response to its own EAPOL frame request. I tested in the lab and it's exactly 28 seconds. So the formula is correct.

You can play around with either of these two values

dot1x timeout tx-period 7
dot1x max-reauth-req 3

to come to the same result - if you want roughly 30 seconds, then those values are good. If you want less, then adjust either of them.

if you make max-reauth-req 2

then you have a wait of 21 seconds.

I was testing in my lab with ISE 3.4p1, a virtual C9000v switch (CML) and an ubuntu CML client. The ubuntu client has wpasupplicant on the Ethernet interface for testing purposes. But in this case I disabled the supplicant to force the timeout to occur. I also tested the supplicant authentication (I kept it simple with EAP-PEAP MSCHAPv2) and it worked flawlessly.

Re: dot1x max-reauth-req

Mukesh-Kumar — Thu, 03 Apr 2025 12:56:47 GMT

Thank you very much for your time and support @Arne Bier