dot1x session persistent on switches?

I seem to recall that if a switch loses connection to all PSN nodes, the authentication session will remain active for a duration of time? Is this correct or am I remembering it wrongly?

6 Replies

Surendra
Cisco Employee
The session will remain active till the reauthentication timer expires or if you have configured actions based on radius server status on the switch.

Thanks - In my case I haven't configured the interface level "dot1x reauthentication" command so the clients will be persistent if ISE fails.

Where is the configuration set in ISE?

Do you have "authentication periodic" configured? Can you share your switchport configuration?

interface GigabitEthernet2/0/14
 description DYNAMIC-USER
 switchport mode access
 switchport voice vlan 40
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 2104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer restart 5
 authentication timer inactivity server dynamic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable

As per your configuration, as Mike said in the reply, if there is a re-authentication timer configuration set in the authorization profile, the switch will re-authenticate the clients.

If you want to rely on ISE to push the re-authentication timer you can do so in your Authz profiles under common tasks. The timer is in seconds so 3600 would be one hour re-auth timer. HTH!
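
An added example (not from the thread participants or from Cisco): a small Python audit that reads interface configuration like the block posted above and reports where the reauthentication interval comes from and which RADIUS server dead/alive actions are set. The function names and the wording of the summary are assumptions; the sample is constructed from the posted interface.

```python
import re

# Constructed sample: session-lifetime lines from the interface posted in the thread.
SAMPLE = """\
interface GigabitEthernet2/0/14
 authentication event server dead action reinitialize vlan 2104
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
"""

def audit_ports(config):
    """Return {interface: findings} for the commands that govern session lifetime."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()              # tolerate configs pasted without indentation
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {
                "periodic": False, "reauth_timer": None,
                "server_dead": [], "server_alive": None})
        elif cur is None or line.startswith("!"):
            cur = None                  # "!" closes the block; skip global lines
        elif line == "authentication periodic":
            cur["periodic"] = True
        elif m := re.fullmatch(r"authentication timer reauthenticate (\S+)", line):
            cur["reauth_timer"] = m.group(1)        # "server" or local seconds
        elif m := re.fullmatch(r"authentication event server dead action (.+)", line):
            cur["server_dead"].append(m.group(1))
        elif m := re.fullmatch(r"authentication event server alive action (.+)", line):
            cur["server_alive"] = m.group(1)
    return ports

def describe(f):
    """Summarise one port's findings in the terms used in the thread."""
    if not f["periodic"]:
        reauth = "no periodic reauthentication configured"
    elif f["reauth_timer"] == "server":
        reauth = "reauth interval taken from the RADIUS server (ISE authorization profile)"
    elif f["reauth_timer"]:
        reauth = f"reauth every {f['reauth_timer']}s (switch-local value)"
    else:
        reauth = "periodic reauthentication at the switch's default interval"
    dead = "; ".join(f["server_dead"]) or "none configured"
    return f"{reauth}; server-dead actions: {dead}; server-alive action: {f['server_alive']}"

if __name__ == "__main__":
    for name, findings in audit_ports(SAMPLE).items():
        print(name, "->", describe(findings))
```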