
dot1x session persistent on switches?

I seem to recall that if a switch loses connection to all PSN nodes, the authentication session will remain active for a duration of time? Is this correct or am I remembering it wrongly?


Surendra
Cisco Employee
The session will remain active till the reauthentication timer expires or if you have configured actions based on radius server status on the switch.

Thanks - In my case I haven't configured the interface level "dot1x reauthentication" command so the clients will be persistent if ISE fails.

Where is the configuration set in ISE?

Do you have "authentication periodic" configured? Can you share your switchport configuration?

interface GigabitEthernet2/0/14
 description DYNAMIC-USER
 switchport mode access
 switchport voice vlan 40
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 2104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 5
 authentication timer inactivity server dynamic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable

As per your configuration, as Mike said in the reply, if there is a re-authentication timer configuration set in the authorization profile, the switch will re-authenticate the clients.

If you want to rely on ISE to push the re-authentication timer, you can do so in your Authz profiles under common tasks. The timer is in seconds, so 3600 would be a one-hour re-auth timer. HTH!
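
Added example, not part of the original thread and not Cisco code: a small Python audit that reads interface stanzas from a saved running-config and reports, per 802.1X/MAB port, the settings discussed above (periodic reauthentication, where the reauth interval comes from, and the server dead/alive actions). The sample config is constructed from the port posted in the thread plus a hypothetical second port; `audit()` and its field names are illustrative.

```python
# Constructed sample: trimmed from the stanza posted in the thread, plus a
# hypothetical second port that sets a timer but never enables reauthentication.
SAMPLE = """\
interface GigabitEthernet2/0/14
 authentication event server dead action reinitialize vlan 2104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
!
interface GigabitEthernet2/0/15
 authentication port-control auto
 authentication timer reauthenticate 7200
"""

DEAD = "authentication event server dead action "
ALIVE = "authentication event server alive action "
TIMER = "authentication timer reauthenticate "


def audit(config):
    """Map each 'port-control auto' interface to its reauth and dead-server settings."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None  # end of the interface stanza
        elif current is not None:
            current.append(line)
    report = {}
    for name, lines in stanzas.items():
        if "authentication port-control auto" not in lines:
            continue  # port is not under 802.1X/MAB control
        periodic = "authentication periodic" in lines
        timer = next((l[len(TIMER):] for l in lines if l.startswith(TIMER)), None)
        report[name] = {
            "periodic_reauth": periodic,
            # "server" means the interval is pushed by RADIUS (the ISE authz profile)
            "reauth_interval": timer if periodic else None,
            "dead_actions": [l[len(DEAD):] for l in lines if l.startswith(DEAD)],
            "alive_action": next((l[len(ALIVE):] for l in lines if l.startswith(ALIVE)), None),
            # a reauth timer only matters alongside 'authentication periodic'
            "unused_timer": timer is not None and not periodic,
        }
    return report
```

Ports that come back with `periodic_reauth` false or an empty `dead_actions` list are the ones to review for how sessions behave when no PSN is reachable.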