01-18-2013 02:06 AM - edited 03-10-2019 07:59 PM
Hi Guys,
I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this:
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented.
Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?
Thanks,
Johan
01-18-2013 02:32 AM
Hi,
I use "clear dot1x interface e0/0"
---
Michal
01-18-2013 04:17 AM
Hi Michal!
Thanks for answering.
But does that command do the same thing? Shouldn't dot1x reauthenticate interface force a new authentication and clear dot1x interface just deauthenticate the client?
And I really find it interesting that commands from the Configuration Guide do not exist in real life.
Again, thanks for your efforts!
//
Johan
01-18-2013 04:37 AM
You are right, it should.
I am not sure what is the trigger for "dot1x reauthenticate interface". Maybe we need to have configured periodic reauthentication to have it working, example:
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 4000
Could you try that?
You can also enable "debug dot1x all" and verify if any packet has been sent by the switch ("EAPOL pak dump Tx").
If you still have the problem I will build a lab and test it myself.
---
Michal
01-18-2013 05:13 AM
Okay, I think some of my problems are related to Authentication Manager commands and pre-Authentication Manager commands.
dot1x reauthentication --> authentication periodic
dot1x timeout reauth-period 4000 --> authentication timer reauthenticate 4000
But still, I can't find any equivalent to my dot1x reauthenticate interface
//
Johan
01-18-2013 05:31 AM
Johan, I can confirm, tested on version 15 - I do not have that command "dot1x reauthenticate interface"
You are right: this is a documentation bug.
It does not make sense to have two commands which do something similar. "clear dot1x interface" does the same - after 2 seconds my switch sent EAP request identity.
---
Michal
01-18-2013 05:47 AM
Great, then I'll be satisfied with clear dot1x interface
Thanks!
Johan
08-23-2017 01:03 AM
Hi,
though not in a timely manner, but just for ultimate clarity on the subject :)
b0202094-01#dot1x re-authenticate interface g2/39
b0202094-01#
09-04-2017 07:18 AM
Hmmm, if I do a "clear dot1x interface gigabitEthernet 1/0/41" the client will lose its connectivity and will never be reachable till I shut and no-shut the interface (or unplug and replug the client's ethernet interface).
I have also enabled reauthentication for testing.
It stays in this state:
2960XR#sh authentication sessions interface gigabitEthernet 1/0/41
Interface    Identifier      Method  Domain   Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/41     5c26.0a01.ed64  N/A     UNKNOWN  Unauth      000000000000002F00A291E6
Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
Runnable methods list:
  Handle  Priority  Name
  8       0         dot1xSupp
  7       5         dot1x
  18      10        mab
  16      15        webauth
2960XR#
After a shutdown and no-shutdown of the interface all is fine again.
2960XR#sh authentication sessions interface gigabitEthernet 1/0/41
Interface    Identifier      Method  Domain   Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/41     5c26.0a01.ed64  dot1x   DATA     Auth        000000000000003000A407B3
Key to Session Events Blocked Status Flags:
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
Runnable methods list:
  Handle  Priority  Name
  8       0         dot1xSupp
  7       5         dot1x
  18      10        mab
  16      15        webauth
2960XR#
Do you have any ideas what's going wrong here?
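A check for the state shown in the post above (session left at Status "Unauth" with Method "N/A" after a clear), as an added example that is not part of the original thread: it parses "show authentication sessions" output in the column layout quoted here and lists sessions that are not authorized. The function names, the "stuck" criteria and the third sample row are assumptions made for illustration.

```python
import re

# Blocked-status flag legend, copied from the CLI output quoted in the post.
FLAGS = {
    "A": "Applying Policy", "D": "Awaiting Deletion",
    "F": "Final Removal in progress", "I": "Awaiting IIF ID allocation",
    "N": "Waiting for AAA to come up", "P": "Pushed Session",
    "R": "Removing User Profile", "U": "Applying User Profile",
    "X": "Unknown Blocker",
}

# One session row: the Fg column is frequently empty, so it is optional.
ROW = re.compile(
    r"^(?P<interface>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?"
    r"(?P<session_id>[0-9A-F]{24})\s*$"
)

# First two rows are from the post; the third row is constructed for the example.
SAMPLE = """\
2960XR#sh authentication sessions
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 N/A UNKNOWN Unauth 000000000000002F00A291E6
Gi1/0/41 5c26.0a01.ed64 dot1x DATA Auth 000000000000003000A407B3
Gi1/0/42 0011.2233.4455 dot1x DATA Unauth N 000000000000003100A50000
"""

def parse_sessions(text):
    """Return one dict per session row; header, rule and prompt lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["flags"] = [FLAGS.get(f, f) for f in (row["flags"] or "")]
            sessions.append(row)
    return sessions

def stuck_sessions(text):
    """Assumed criteria: not authorized, and no method selected or a blocker flag set."""
    return [s for s in parse_sessions(text)
            if s["status"] != "Auth" and (s["method"] == "N/A" or s["flags"])]

if __name__ == "__main__":
    for s in stuck_sessions(SAMPLE):
        print(s["interface"], s["mac"], s["method"], s["status"], s["flags"])
```

Rows whose Status value contains a space do not match this layout and are skipped rather than misparsed.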
01-17-2018 11:07 AM - edited 01-17-2018 11:08 AM
You can do "clear authentication session interface gigabitEthernet 1/0/41" I believe.
Then "show authentication session interface gigabitEthernet 1/0/41 details"