EAPoL start - identity request

oron.yaniv
Level 1

Hi All,

I am wondering about which scenarios should trigger an EAPoL identity request to the host/endpoint.

I know a port DOWN/UP transition triggers an EAPoL identity request from the switch toward the client.

The question is, in which other scenarios will the switch trigger the EAPoL identity request?

* session termination - default?

* session termination - RADIUS Request?

I did a lab and did not see any identity request on Wireshark on the client; however, maybe it's a bug on the switch version code.


In a document for an old version code (15), I saw the following:

If the Termination-Action attribute is present and its value is RADIUS-Request, the device port reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the device port terminates the session.

In newer version codes (17.9.x), this specific process does not mention that the switch will issue an EAPoL identity request:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-9/configuration_guide/sec/b_179_sec_9400_cg/configuring_ieee_802_1x_port_based_authentication.html



@oron.yaniv 

The document does mention the EAPoL identity request. It may use slightly different wording.

About your lab, not all switch models support 802.1x. Which switch model is it?

Port-Based Authentication Initiation and Message Exchange

"During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the authentication port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame."

Thank you, we are using a Catalyst 9300/9400 with a 17.9.5 version code.

The question is: in the re-authentication (in Default or RADIUS-Request), should the switch trigger an EAPoL identity request?

 

Can you clarify why we can disable periodic authentication?

Can you direct me to the part of the document you shared?

@oron.yaniv 

Actually, re-authentication is disabled by default and you can enable it with the command

authentication periodic 

Search for "Periodic Re-Authentication" in the document.

Periodic Re-Authentication

You can enable periodic 802.1x client re-authentication and specify how often it occurs:

  • authentication periodic - enables periodic re-authentication of the client
  • inactivity - interval in seconds after which, if there is no activity from the client, it is unauthorized
  • reauthenticate - time in seconds after which an automatic re-authentication attempt is initiated
  • restart value - interval in seconds after which an attempt is made to authenticate an unauthorized port
  • unauthorized value - interval in seconds after which an unauthorized session gets deleted

authentication periodic 
authentication timer {{[inactivity | reauthenticate | restart | unauthorized]} {value}} 

 

We have an SDA network, and we use server authentication.

What I am looking at in the authentication is an EAPoL identity request (on Wireshark, I did not see the EAPoL identity request).

Meaning, in the Remediation/Unknown VLAN, I am thinking of changing the timer to lower it (maybe 5 min), so the endpoint will get an EAPoL identity request from the switch and will remediate once the endpoint answers the EAPoL.
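The frame the original question and this last post are looking for in Wireshark is EAP-Request/Identity: an EAPOL PDU of type 0 (EAP-Packet) whose EAP code is 1 (Request) and EAP type is 1 (Identity). The decoder below is an added example, not code from this thread or from Cisco; the sample frames and MAC addresses in it are constructed, and it can be pointed at raw Ethernet frames read from a capture to count how many identity requests the switch actually sent and from which source MAC.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # 802.1X EAPOL over Ethernet; PDU = version, type, length, body
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eapol(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying EAPOL; raise ValueError if it is not EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + eapol_len]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "version": version,
            "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown"), "eap": None}
    if eapol_type == 0 and len(body) >= 4:  # EAP-Packet: code, id, length[, type, type-data]
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        eap = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "type": None, "identity": None}
        if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a type byte
            eap["type"] = body[4]
            if body[4] == EAP_TYPE_IDENTITY:  # Request carries an empty identity, Response the username
                eap["identity"] = body[5:eap_len].decode("utf-8", errors="replace")
        info["eap"] = eap
    return info


def is_identity_request(frame: bytes) -> bool:
    """True only for EAP-Request/Identity, i.e. the authenticator (switch) asking who the supplicant is."""
    eap = parse_eapol(frame)["eap"]
    return bool(eap) and eap["code"] == "Request" and eap["type"] == EAP_TYPE_IDENTITY


def identity_request_sources(frames) -> list:
    """Source MACs of every EAP-Request/Identity in a capture; non-EAPOL frames are skipped."""
    sources = []
    for f in frames:
        try:
            if is_identity_request(f):
                sources.append(parse_eapol(f)["src"])
        except ValueError:  # ARP, IP, etc.: not EAPOL at all, ignore
            continue
    return sources


# Constructed sample frames (not a real capture); 01:80:c2:00:00:03 is the 802.1X PAE group address.
PAE_GROUP, SWITCH, CLIENT = bytes.fromhex("0180c2000003"), bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
EAPOL_START = PAE_GROUP + CLIENT + b"\x88\x8e" + b"\x01\x01\x00\x00"  # client: EAPOL-Start
REQ_IDENTITY = PAE_GROUP + SWITCH + b"\x88\x8e" + b"\x02\x00\x00\x05" + b"\x01\x01\x00\x05\x01"  # switch: EAP-Request/Identity
RESP_IDENTITY = SWITCH + CLIENT + b"\x88\x8e" + b"\x02\x00\x00\x0a" + b"\x02\x01\x00\x0a\x01" + b"alice"  # client: EAP-Response/Identity
SAMPLE_FRAMES = [EAPOL_START, REQ_IDENTITY, RESP_IDENTITY, SWITCH + CLIENT + b"\x08\x06" + bytes(28)]  # last is ARP, not EAPOL
```

If a re-authentication really happened, the capture should contain a new EAP-Request/Identity from the switch MAC before any EAP-Response/Identity from the endpoint; an empty result from identity_request_sources means no such request reached the capture point.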