
For 802.1x monitor and closed mode, need to shut and no shut (reset) or reboot the switch?

getaway51
Level 2

Hi,

 

For 802.1x monitor and closed mode, need to "shut and no shut" (reset) or reboot the switch?

Is it the normal practice when activating 802.1X? Otherwise ISE won't be able to see the session?

Or let's say the end-user device is powered on and off, or the network connection is unplugged and plugged back in: is it then possible to see the session initialize when the device is connected again?

 

Accepted Solutions

As soon as you apply the 802.1x configuration to the switchport, the switch will attempt to authenticate the device.  Then, you can use a reauthentication timer to reauthenticate every 12 hours or so.  There is never a need to reboot the switch for this.  And if you have a device that just isn't responding to 802.1x from the switch but it should, then you can shut/no shut the port or unplug and plug the device back in.  You can also just do a "clear auth sessions" and that will reset all of the authentication sessions on the switch.  Or you can "clear auth sessions int g x/y" to clear just one port.  But again, once you apply the configuration to the port, the switch will attempt to authenticate the device automatically.  There is nothing that you need to do unless you want to force it to try again for troubleshooting purposes.


10 Replies

#Mat
Level 6

Hi getaway51! 802.1x has particular timers that will make the endpoint authenticate/reauthenticate automatically.

If you do a shut/no shut or disconnect/connect the endpoint, it will be forced to authenticate immediately.

 

Regards.-

 

HTH.


Hi,

What do you mean when you said authenticate/re-authenticate automatically from time to time? Is this for permanently connected devices like CCTV and door access that will not be powered down?

Does that mean I do not need to reset (shut & no shut) the port?

I do not need to authenticate immediately; it is fine as long as ISE authenticates with the endpoint during monitor mode. I heard if no shut and shut, those permanently connected devices will not get authenticated as they remain in the previous state (before the 802.1x config).


Hi Colby,

 

Thanks for your great explanation!!!

For devices like CCTV, door access, and VoIP phones, will it re-authenticate even if there is no port reset?

Can I clarify that the current sessions of devices (CCTV, door access, VoIP phone, laptop, etc.) will be re-authenticated once I add the 802.1X config to the interface?

 

That is correct.  It will authenticate the device once the configuration is added to the port.  If you want to reauthenticate periodically after that, then you need to set a reauth timer to tell it how often you want to reauthenticate.
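
The settings discussed in this thread, as an added example that is not part of any poster's reply or configuration, written in the legacy IOS `authentication` syntax that matches the `clear auth sessions` commands quoted above. The interface name, the 12-hour (43200-second) timer value, and the pre-existing AAA and ISE RADIUS configuration are assumptions.

```cisco
! Added example, not from the thread. Gi1/0/10 is a placeholder interface.
! Assumes "aaa new-model", the dot1x AAA method lists and the ISE RADIUS
! server are already configured.
configure terminal
 ! 802.1X must be enabled globally or no port will start authentication
 dot1x system-auth-control
 !
 interface GigabitEthernet1/0/10
  switchport mode access
  ! Authenticator role with port control; per the accepted answer, the
  ! switch attempts authentication once this configuration is on the port
  dot1x pae authenticator
  authentication port-control auto
  ! Try 802.1X first, then MAB for endpoints that have no supplicant
  authentication order dot1x mab
  authentication priority dot1x mab
  mab
  authentication host-mode multi-auth
  ! Monitor mode: traffic is allowed whatever the authentication result.
  ! For closed mode, replace this line with "no authentication open".
  authentication open
  ! Periodic reauthentication every 12 hours (value is in seconds)
  authentication periodic
  authentication timer reauthenticate 43200
 end
!
! Check whether a session exists on the port
show authentication sessions interface GigabitEthernet1/0/10
! Force a fresh attempt on this one port (troubleshooting only)
clear authentication sessions interface GigabitEthernet1/0/10
```

On platforms configured with the newer `access-session` policy syntax, the equivalent commands have different names.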

Hi Colby, 

I appreciate your reply. It really helps a lot.

May I know which settings control the port to authenticate after I insert "802.1x cfg" into the interface?

By default, how long will the port take to initialize authentication after inserting "802.1x cfg"?

Out of curiosity, may I know why many ISE vendors still "shut and no shut" the port after they configure 802.1x on the interface?


Hi,

 

Is it normal that an Avaya device will not authenticate (once 802.1x settings are configured on the interface) until "shut no shut"?

I waited like a day and no entry was observed in ISE. "sh authentication" on the switch also shows nothing.

Hi Colby,

 

I have tried to activate a port on 802.1x. The device connected is powered ON all the time; it is an Avaya voiceIP device.

I noticed there is nothing observed in the ISE logs, etc.

On the switch, no authentication sessions are observed either.

Is this situation normal for devices like Avaya voiceIP which are powered ON all the time?

Hi,

 

Does "clear auth sessions" cause all devices to lose connectivity? Meaning all devices will negotiate DHCP and re-establish their sessions? Or will all devices not have a single ping timeout?

Hi Mat,

Can I know which settings control the timer for authenticate/reauthenticate?