Solved: Manually re-authenticate dot1x client?

jmandersson · ‎01-18-2013

Hi Guys,

I was looking for a way the manually re-authenticate dot1x client from cli and found this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1195665

"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"

I've tried it 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seems to be implemented.

Have I missunderstood something? Or do you guys have any other command to accomplish a manually re-auth?

Thanks,

Johan

Michal Garcarz · ‎01-18-2013

Johan, i can confirm, tested on version 15 - i do not have that command "dot1x reauthenticate interface"

You are right: this is a documentation bug.

It does not make sense to have two command which does something similar. "clear dot1x interface" does the same - after 2 seconds my switch sent EAP request identity.

---

Michal

View solution in original post

Michal Garcarz · ‎01-18-2013

Hi,

I use "clear dot1x interface e0/0"

---

Michal

jmandersson · ‎01-18-2013

Hi Michal!

Thanks for answering.

But does that command do the same thing? Shouldn't dot1x reauthenticate interface force a new authentication and clear dot1x interface just deauthenticate the client?

And I really fint it intressting that commands from Configuration Guide does not exist i real life.

Again, thanks for your efforts!

//

Johan

Michal Garcarz · ‎01-18-2013

You are right, should.

I am not sure what is the trigger for "dot1x reauthenticate interface". Maybe we need to have configured periodic reauthentication to have it working, example:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

Could you try that ?

You can also enable "debug dot1x all" and verify if any packet has been send by switch ("

EAPOL pak dump Tx").

If you will still have the problem i will build a lab and test it myself.

---

Michal

jmandersson · ‎01-18-2013

Okey, i think some of my problems are related to Authentication Manager commands and pre Authentication Manager commands.

dot1x reauthentication --> authentication periodic

dot1x timeout reauth-period 4000 --> authentication timer reauthenticate 4000

But still, I can't find any equivalent to my dot1x reauthenticate interface

//

Johan

Michal Garcarz · ‎01-18-2013

Johan, i can confirm, tested on version 15 - i do not have that command "dot1x reauthenticate interface"

You are right: this is a documentation bug.

It does not make sense to have two command which does something similar. "clear dot1x interface" does the same - after 2 seconds my switch sent EAP request identity.

---

Michal

jmandersson · ‎01-18-2013

Great, then I'l satisfy with clear dot1x interface

Thanks!

Johan

Andrii Oliinyk · ‎08-23-2017

Hi,

thought not in timely manner but just for ultimate clarity on the subject :)
b0202094-01#dot1x re-authenticate interface g2/39
b0202094-01#

RAINER ADAM · ‎09-04-2017

Hmmm, if I do a "clear dot1x interface gigabitEthernet 1/0/41" the client will lost his connectivity and will never be reachable till I shut and no-shut the interface (or unplug and replug the clients ethernet interface).

I have also enabled fot testing the reauthentication enabled.

It stays in this state:

2960XR#sh authentication sessions interface gigabitEthernet 1/0/41

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 N/A UNKNOWN Unauth 000000000000002F00A291E6

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth

2960XR#

After a shutdown and no-shutdown of the interface all is fine again.

2960XR#sh authentication sessions interface gigabitEthernet 1/0/41

Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 dot1x DATA Auth 000000000000003000A407B3

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth

2960XR#

Do you have any ideas whats going wrong here?

jalemanp · ‎01-17-2018

You can do "clear authentication session interface gigabitEthernet 1/0/41" I believe.

Then "show authentication session interface gigabitEthernet 1/0/41 details"