Hi Guys,
I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this:
"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"
I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented.
Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?
Thanks,
Johan
Hi,
I use "clear dot1x interface e0/0"
---
Michal
Hi Michal!
Thanks for answering.
But does that command do the same thing? Shouldn't dot1x reauthenticate interface force a new authentication and clear dot1x interface just deauthenticate the client?
And I really find it interesting that commands from the Configuration Guide do not exist in real life.
Again, thanks for your efforts!
//
Johan
You are right, it should.
I am not sure what is the trigger for "dot1x reauthenticate interface". Maybe we need to have configured periodic reauthentication to have it working, example:
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 4000
Could you try that?
You can also enable "debug dot1x all" and verify if any packet has been sent by the switch ("EAPOL pak dump Tx").
If you still have the problem, I will build a lab and test it myself.
---
Michal
Okay, I think some of my problems are related to Authentication Manager commands and pre-Authentication Manager commands.
dot1x reauthentication --> authentication periodic
dot1x timeout reauth-period 4000 --> authentication timer reauthenticate 4000
But still, I can't find any equivalent to my dot1x reauthenticate interface
//
Johan
Johan, I can confirm, tested on version 15 - I do not have that command "dot1x reauthenticate interface"
You are right: this is a documentation bug.
It does not make sense to have two commands which do something similar. "clear dot1x interface" does the same - after 2 seconds my switch sent EAP request identity.
---
Michal
Great, then I'll be satisfied with clear dot1x interface
Thanks!
Johan
Hi,
though not in a timely manner, but just for ultimate clarity on the subject :)
b0202094-01#dot1x re-authenticate interface g2/39
b0202094-01#
Hmmm, if I do a "clear dot1x interface gigabitEthernet 1/0/41" the client will lose its connectivity and will never be reachable till I shut and no-shut the interface (or unplug and replug the client's Ethernet interface).
I have also enabled reauthentication for testing.
It stays in this state:
2960XR#sh authentication sessions interface gigabitEthernet 1/0/41
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 N/A UNKNOWN Unauth 000000000000002F00A291E6
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth
2960XR#
After a shutdown and no-shutdown of the interface all is fine again.
2960XR#sh authentication sessions interface gigabitEthernet 1/0/41
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 dot1x DATA Auth 000000000000003000A407B3
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth
2960XR#
Do you have any ideas what's going wrong here?
You can do "clear authentication session interface gigabitEthernet 1/0/41" I believe.
Then "show authentication session interface gigabitEthernet 1/0/41 details"
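An added example, not part of the thread or of any Cisco tooling: a small Python parser for the `show authentication sessions interface` output quoted above, which flags ports left with Method N/A and Status Unauth after a clear. The row layout is assumed from the two captures in the post, and the function names are hypothetical.

```python
import re

# Rows copied from the two captures quoted in the thread above:
# first after "clear dot1x interface", second after shut / no shut.
SAMPLE_AFTER_CLEAR = """\
2960XR#sh authentication sessions interface gigabitEthernet 1/0/41
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 N/A UNKNOWN Unauth 000000000000002F00A291E6
"""
SAMPLE_AFTER_BOUNCE = """\
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 dot1x DATA Auth 000000000000003000A407B3
"""

# Assumed layout: interface, MAC, method, domain, status, optional flags, session ID.
ROW = re.compile(
    r"^(?P<interface>[A-Za-z]+\d+(?:/\d+)*)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?"          # the "Fg" column is usually empty
    r"(?P<session_id>[0-9A-F]{24})\s*$",
    re.IGNORECASE,
)

def parse_sessions(text):
    """Return one dict per session row; prompt, header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def stuck_sessions(sessions):
    """Sessions with no method running and an unauthorized port (the state in the post)."""
    return [s for s in sessions
            if s["status"].lower() == "unauth" and s["method"].upper() == "N/A"]

if __name__ == "__main__":
    for label, text in (("after clear", SAMPLE_AFTER_CLEAR),
                        ("after shut/no shut", SAMPLE_AFTER_BOUNCE)):
        for s in stuck_sessions(parse_sessions(text)):
            print(f"{label}: {s['interface']} {s['mac']} stuck, session {s['session_id']}")
```
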