Beginner

Manually re-authenticate dot1x client?

Hi Guys,

I was looking for a way to manually re-authenticate a dot1x client from the CLI and found this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1195665

"You manually reauthenticate the client by entering the dot1x reauthenticate interface interface-id privileged EXEC command"

I've tried it on a 2960 with 12.2(58)SE and 15.0(2)SE, but it doesn't seem to be implemented.

Have I misunderstood something? Or do you guys have any other command to accomplish a manual re-auth?

Thanks,

Johan

1 ACCEPTED SOLUTION

Johan, I can confirm, tested on version 15 - I do not have that command "dot1x reauthenticate interface"

You are right: this is a documentation bug.

It does not make sense to have two commands which do something similar. "clear dot1x interface" does the same - after 2 seconds my switch sent EAP request identity.

---

Michal

9 REPLIES
Cisco Employee

Hi,

I use "clear dot1x interface e0/0"

---

Michal

Hi Michal!

Thanks for answering.

But does that command do the same thing? Shouldn't dot1x reauthenticate interface force a new authentication and clear dot1x interface just deauthenticate the client?

And I really find it interesting that commands from the Configuration Guide do not exist in real life.

Again, thanks for your efforts!

//

Johan

You are right, it should.

I am not sure what the trigger is for "dot1x reauthenticate interface". Maybe we need to have periodic reauthentication configured to have it working, for example:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

Could you try that?

You can also enable "debug dot1x all" and verify if any packet has been sent by the switch ("EAPOL pak dump Tx").

If you still have the problem I will build a lab and test it myself.

---

Michal


Okay, I think some of my problems are related to Authentication Manager commands and pre-Authentication Manager commands.

dot1x reauthentication            -->  authentication periodic

dot1x timeout reauth-period 4000  -->  authentication timer reauthenticate 4000

But still, I can't find any equivalent to my dot1x reauthenticate interface

//

Johan

Great, then I'll be satisfied with clear dot1x interface

Thanks!

Johan

Hi,

Though not in a timely manner, but just for ultimate clarity on the subject :)
b0202094-01#dot1x re-authenticate interface g2/39
b0202094-01#

Hmmm, if I do a "clear dot1x interface gigabitEthernet 1/0/41" the client will lose its connectivity and will never be reachable till I shut and no-shut the interface (or unplug and replug the client's Ethernet interface).

I have also enabled reauthentication for testing.

It stays in this state:

2960XR#sh authentication sessions interface gigabitEthernet 1/0/41

Interface  Identifier      Method  Domain   Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/41   5c26.0a01.ed64  N/A     UNKNOWN  Unauth      000000000000002F00A291E6


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth

2960XR#

After a shutdown and no-shutdown of the interface all is fine again.

2960XR#sh authentication sessions interface gigabitEthernet 1/0/41

Interface  Identifier      Method  Domain   Status  Fg  Session ID
-----------------------------------------------------------------------------
Gi1/0/41   5c26.0a01.ed64  dot1x   DATA     Auth        000000000000003000A407B3


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
8 0 dot1xSupp
7 5 dot1x
18 10 mab
16 15 webauth

2960XR#

Do you have any ideas what's going wrong here?
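
An added example, not part of any post in this thread: a small Python parser for the "show authentication sessions" table quoted above that flags ports left in Unauth with no method after a manual clear. The sample text is constructed from the two rows in the post, and the function names and the "stuck" heuristic are assumptions of this example.

```python
import re

# Constructed sample: the two session rows from the post above, with the
# surrounding header and legend lines a real capture would also contain.
SAMPLE = """\
Interface Identifier Method Domain Status Fg Session ID
-----------------------------------------------------------------------------
Gi1/0/41 5c26.0a01.ed64 N/A UNKNOWN Unauth 000000000000002F00A291E6
Gi1/0/41 5c26.0a01.ed64 dot1x DATA Auth 000000000000003000A407B3
Key to Session Events Blocked Status Flags:
X - Unknown Blocker
"""

# One session row: interface, MAC, method, domain, status, optional flag
# letters, 24-hex-digit session ID. The Fg column is empty in both rows.
ROW = re.compile(
    r"^(?P<interface>\S+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?(?P<session_id>[0-9A-F]{24})$"
)


def parse_sessions(text):
    """Return one dict per session row; header, legend and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def stuck_sessions(sessions):
    """Assumed heuristic: Unauth with method N/A is the state the post reports
    after the clear, where no authentication method is running on the port."""
    return [s for s in sessions
            if s["status"] == "Unauth" and s["method"] == "N/A"]


def ports_needing_attention(text):
    """Sorted interface names that have at least one stuck session."""
    return sorted({s["interface"] for s in stuck_sessions(parse_sessions(text))})


if __name__ == "__main__":
    for s in stuck_sessions(parse_sessions(SAMPLE)):
        print(f'{s["interface"]} {s["mac"]} stuck in {s["status"]} ({s["session_id"]})')
```

Run against output collected shortly after a "clear dot1x interface", this separates a port that re-authenticated from one that needs the shut/no-shut described in the post.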

You can do "clear authentication session interface gigabitEthernet 1/0/41" I believe.

Then "show authentication session interface gigabitEthernet 1/0/41 details"