04-01-2025 07:51 AM
I'm migrating from an older WS-C3750X switch stack over to a C9300 switch stack. The C9300 switch stack is configured the same as the existing stack and will be racked up, stacking cabled up, and powered up alongside the existing switch. To minimize downtime in this medical environment, I'm going to shut down the management VLAN of the WS-C3750X switch stack and bring the C9300 switch stack onto the network. This will allow me to move the RJ-45 connections one at a time from the old to the new and the biggest impact to the end-users will be a momentary loss of connection or waiting for a VoIP device to reboot.
My question is, when I shut down the management VLAN interface on the old switch stack it will lose connection to the ISE servers. I realize no new connections will be authenticated but I wanted to make sure existing connections will continue to be authorized until their timer runs out. In short, I want to make sure that loss of connection to the ISE servers won't cause existing connections to switch to unauthorized and stop passing traffic.
Thank you!
04-01-2025 08:33 AM
But in the end they will become unauthorized when the reauthentication timer interval expires and the RADIUS servers can no longer be reached.
On the switch, the reauthentication timer interval (session timer) can be downloaded to the switch from the RADIUS server using: Sw(config-if)#authentication timer reauthenticate server
For the settings on ISE (RADIUS), check out https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315595/highlight/true#M96972
But then a sufficiently high timer value should have been provisioned on the previous authentication of the device.
That there will be no troubles cannot be guaranteed, in my opinion. Consider a dedicated flow for migrating equipment to the new stack, taking into account the medical environment.
M.
04-01-2025 09:07 AM
That is how I understood it; I just needed a sanity check to make sure before I say one thing and something else happens. Thank you!
04-01-2025 09:01 AM
You cannot do that.
Re-auth happens when the timer ends or the interface goes up/down.
When you disconnect a device from SW-A and connect it to SW-B, SW-B will treat it as a new auth even if the timer has not ended yet.
What you want is to open the ports for 802.1x and then close the ports for 802.1x one by one.
It is risky, but there are no other options.
Sorry
MHM
04-01-2025 09:09 AM
"When you disconnect device from SW-A and connect it to SW-B the SW-B will treat it as new auth even if timer is not end yet."
That's actually perfect and what I want. I just wanted to make sure if I shut down the management VLAN interface on the old switch stack (so I could bring the new switch stack online using the same management IP address) the connected devices on the old switch stack wouldn't all go unauthorized immediately. Once I move the RJ-45 cable from the old to the new stack I'm fine with them going through the authorization process again and being able to pass traffic.
Thank you for your reply!
04-01-2025 09:17 AM
Let me check the log off message.
I will update you if I get something useful.
MHM