Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
866
Views
0
Helpful
2
Replies

Need official reference for port-bounce after applying dot1x configuration on switch-port?

vishrana
Cisco Employee
Cisco Employee

‎07-24-2018 10:52 AM

Hi All,

 

I have a customer who is looking for some documentation/reference which says port bounce is recommended after dot1x configuration on the switch port. We are able to see authentication sessions on most of the switch ports - mab auth,  but not all of them (endpoints are connected) after we configured the switch for dot1x/mab authentication. The authentication works once we bounce the port (link state change).

Is there any document/reference that says port bounce is required/recommended after dot1x configuration on switch interfaces?

 

My customer is looking for a reasonable explanation on why port bounce is required when we can see some of the auth sessions doing the mab auth without port bounce but we can’t see the auth session for the other ports.

0 Helpful
2 Replies 2

saxenanitesh8522
Level 4
Level 4

‎07-24-2018 11:37 AM

hi, 

Why do you require to do port bounce, the newer way is to do by ACL and call ACL or do DACL configuration which is called in the ISE authorization policy.


why do you want to do port bounce? Do you want to assign the user into a new VLAN and assign them a different IP address post authentication?

0 Helpful

vishrana
Cisco Employee
Cisco Employee
In response to saxenanitesh8522

‎07-24-2018 01:22 PM

Hi Nitesh,

 

This is for initial auth of the endpoints (agentless devices) which are already connected to the switch.

 

We see successful auth sessions on some of the ports when we configure the switchport for dot1x/mab without doing the port bounce, however we do not see auth sessions for other ports. ISE wouldn't push any CoA if there is no auth session at first. All the devices connected have no supplicants. Ideally we bounce the ports when we fist configure the switch ports for dot1x/mab (verified with other AS engineers as well) but there is no reference material that recommends to bounce port.

 

I am just looking  for some documentation to provide it to the customer for their reference.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents