10-29-2020 05:26 AM
Hi all,
I have some doubts regarding the real behaviour of Cisco IOS and IOS XE when a device that failed dot1x authentication is put in the fail VLAN.
From documentation I see that:
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port
in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If
re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port
moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
re-authentication.
But what I see is that the reauthentication never happens; to force re-authentication I have to configure local reauthentication timers (authentication timer reauthenticate ….), but this solution is not feasible in general because it overrides the timers pushed by RADIUS in case the device is authenticated.
The scope is that the device in the restricted VLAN, after it is checked and fixed, needs to be reauthenticated and put in the correct VLAN. Is it possible?
Thanks for all feedback!
This is our typical config:
11-07-2020 10:04 PM - edited 11-07-2020 10:06 PM
According to ISE Secure Wired Access Prescriptive Deployment Guide,
authentication timer reauthenticate server
Should allow any reauthentication timers assigned by ISE / RADIUS to override any local settings.
You did not show any ISE LiveLog details so it's unclear what you assigned the port from ISE and why.
Verify you are downloading reauthentication timers from ISE in your Authorization Profile under
Policy > Policy Elements > Results > Authorization > Authorization Profiles:
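One way to confirm from a packet capture that the timer is actually being downloaded, as an added example that is not part of the original thread or Cisco's code: the server-assigned reauthentication timer travels in the RFC 2865 Session-Timeout (27) and Termination-Action (29) attributes of the RADIUS reply. The sample packets below are constructed and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29  # RFC 2865 attribute types
RADIUS_REQUEST = 1  # Termination-Action value that asks the NAS to reauthenticate

def parse_radius(packet):
    """Return (code, {attribute type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def _as_int(attrs, a_type):
    """Decode a 4-byte integer attribute, or None when absent or malformed."""
    values = attrs.get(a_type, [])
    return struct.unpack("!I", values[0])[0] if values and len(values[0]) == 4 else None

def reauth_timer(packet):
    """Summarise the reauthentication timer a RADIUS reply hands to the switch."""
    code, attrs = parse_radius(packet)
    return {"code": code,
            "session_timeout": _as_int(attrs, SESSION_TIMEOUT),
            "reauthenticate": _as_int(attrs, TERMINATION_ACTION) == RADIUS_REQUEST}

def _sample(code, attrs):
    """Constructed reply for the demo; the zeroed authenticator is not a valid one."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples. RFC 2865 allows neither timer attribute in an Access-Reject.
ACCEPT_WITH_TIMER = _sample(ACCESS_ACCEPT, [(27, struct.pack("!I", 3600)), (29, struct.pack("!I", 1))])
ACCEPT_NO_TIMER = _sample(ACCESS_ACCEPT, [(18, b"ok")])  # Reply-Message only
REJECT = _sample(ACCESS_REJECT, [(18, b"denied")])

if __name__ == "__main__":
    for name in ("ACCEPT_WITH_TIMER", "ACCEPT_NO_TIMER", "REJECT"):
        print(name, reauth_timer(globals()[name]))
```

Feed it the UDP payload of a reply captured between the switch and the RADIUS server; a result with `session_timeout` set to `None` means no timer was sent for that session.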