dot1x max-reauth-req

Mukesh-Kumar
Level 1

As per the Cisco deployment guidelines "ISE Secure Wired Access Prescriptive Deployment Guide", dot1x max-reauth-req 3 is defined at the interface level. As per the MAC Authentication Bypass Deployment Guide - Cisco, when configuring both MAB and dot1x on an interface, "the switch waits for a period of time defined by dot1x timeout tx-period and then sends another Request-Identity frame. The number of times it resends the Request-Identity frame is defined by dot1x max-reauth-req."

The combination of tx-period and max-reauth-req is especially important to MAB endpoints in an IEEE 802.1X-enabled environment. MAB endpoints must wait until IEEE 802.1X times out before attempting network access through a fallback mechanism. The total time it takes for IEEE 802.1X to time out is determined by the following formula:

Timeout = (max-reauth-req +1) * tx-period

Question: Is there an initial attempt by default, so that it is (1 initial + 2 re-attempts)? If so, the interface configuration should be dot1x max-reauth-req 2 instead of dot1x max-reauth-req 3.

@PSM @Greg Gibbs @Rob Ingram @MHM Cisco World 


Accepted Solution

Hi @Mukesh-Kumar 

One important thing to remember is that the dot1x timer only starts when the session starts, and not when the interface link goes up. It's very possible and also very common that if the switch interface link goes UP/UP, but there is no MAC address learned on the interface yet, then the session will not be created. As soon as the switch learns a MAC address, the session manager comes to life. In your case, with DOT1X 1st, the switch will now wait (3 + 1) * 7 seconds (28 seconds) for an EAPOL frame from the supplicant, or for a response to its own EAPOL frame request. I tested in the lab and it's exactly 28 seconds. So the formula is correct.

You can play around with either of these two values

dot1x timeout tx-period 7
dot1x max-reauth-req 3

to come to the same result - if you want roughly 30 seconds, then those values are good. If you want less, then adjust either of them.

If you make max-reauth-req 2, then you have a wait of 21 seconds.

I was testing in my lab with ISE 3.4p1, a virtual C9000v switch (CML) and an Ubuntu CML client. The Ubuntu client has wpasupplicant on the Ethernet interface for testing purposes. But in this case I disabled the supplicant to force the timeout to occur. I also tested the supplicant authentication (I kept it simple with EAP-PEAP MSCHAPv2) and it worked flawlessly.

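As an added worked example (not code from this thread or from Cisco), the helper below parses the "show dot1x interface" output quoted above, takes ReAuthMax (which tracks dot1x max-reauth-req in the outputs shown) and TxPeriod, and applies the formula Timeout = (max-reauth-req + 1) * tx-period to get the delay a MAB-only endpoint such as a phone sits through before MAB is tried. The sample output is constructed to match the values in this thread; the budget-to-setting helper and its floor of 1 are assumptions, not a Cisco rule.

```python
import re

# Constructed sample, shaped like the "show dot1x interface" output quoted in this thread
SHOW_DOT1X = """\
Dot1x Info for GigabitEthernet1/0/14
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7
"""

def parse_dot1x_info(text):
    """'Key = Value' lines -> dict (ints where numeric); accepts both the
    column-aligned and the collapsed forms seen in this thread."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(\S+)\s*$", line)
        if m:
            key, val = m.groups()
            info[key] = int(val) if val.isdigit() else val
    return info

def dot1x_timeout(tx_period, max_reauth_req):
    """Seconds a non-supplicant endpoint waits for 802.1X to give up before
    MAB can run: Timeout = (max-reauth-req + 1) * tx-period."""
    return (max_reauth_req + 1) * tx_period

def request_identity_schedule(tx_period, max_reauth_req):
    """Offsets (s) of the initial EAP Request-Identity and each retransmission;
    the timeout falls one tx-period after the last one."""
    return [n * tx_period for n in range(max_reauth_req + 1)]

def mab_fallback_delay(show_output):
    """ReAuthMax reflects 'dot1x max-reauth-req' and TxPeriod reflects
    'dot1x timeout tx-period' (compare the configs and outputs in this thread).
    MaxReq is the separate 'dot1x max-req' knob and is deliberately ignored."""
    info = parse_dot1x_info(show_output)
    return dot1x_timeout(info["TxPeriod"], info["ReAuthMax"])

def largest_max_reauth_req(tx_period, budget_s):
    """Largest max-reauth-req whose timeout fits in budget_s seconds.
    The floor of 1 is an assumption; confirm the accepted range on your platform."""
    return max(1, budget_s // tx_period - 1)
```

With the thread's values (tx-period 7, max-reauth-req 3) the functions give 28 seconds and Request-Identity frames at 0, 7, 14 and 21 seconds; the Catalyst defaults quoted later (30 seconds, 2) give 90 seconds.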

Arne Bier
VIP

What do you mean by "initial attempt by default"?

In my lab I have this

rnolab-cml-v9k#show run int gi 1/0/1
Building configuration...

Current configuration : 392 bytes
!
interface GigabitEthernet1/0/1
 description PC1
 switchport access vlan 10
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 service-policy type control subscriber PORT-AUTH-POLICY-I
end


rnolab-cml-v9k#show dot1x interface gigabitEthernet 1/0/1
Dot1x Info for GigabitEthernet1/0/1
--------------------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 5


Firstly, thank you @Arne Bier for your feedback and time. Highly appreciated.

Here is the configuration I have, given below. For MAB devices, in this case, I am particularly referring to Avaya phones. Those phones reboot before an IP is assigned. In our IBNS 2.0 policy, dot1x is the first preference, followed by MAB. The MAB device (Avaya phone) must wait until 802.1x times out before accessing the network through MAB. As per Cisco documentation, Cisco Catalyst switches have default values of tx-period = 30 seconds and max-reauth-req = 2.

Cisco documentation shows the formula Timeout = (max-reauth-req +1) * tx-period. By "initial" I meant that, if by default max-reauth-req is 2, then as per the Timeout formula 1 is being added to the number of attempts (max-reauth-req).

My question is whether, at the interface level, I should define max-reauth-req as 2 or 3. I am referring to the formula in this documentation (Figure 6, https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html). If I look at the formula, 1 is being added, making the dot1x attempts 3.

I want to minimize the timeout period, so that the Avaya phones get assigned an IP and thereafter get authenticated using MAB.


ISETestSwitch-3#show dot1x interface gigabitEthernet 1/0/14
Dot1x Info for GigabitEthernet1/0/14
--------------------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 3
MaxReq                    = 2
TxPeriod                  = 7

ISETestSwitch-3#show running-config interface gigabitEthernet 1/0/14
Building configuration...

Current configuration : 691 bytes
!
interface GigabitEthernet1/0/14
 description "Closed Mode"
 switchport access vlan 288
 switchport mode access
 switchport voice vlan 3288
 device-tracking attach-policy IPDT_POLICY
 no cdp enable
 authentication periodic
 authentication timer reauthenticate server
 authentication timer unauthorized 600
 access-session control-direction in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 auto qos trust
 spanning-tree portfast
 service-policy type control subscriber DOT1X_MAB_POLICY
 service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy


Mukesh-Kumar
Level 1

Thank you very much for your time and support @Arne Bier