09-20-2018 02:28 AM - edited 09-20-2018 02:31 AM
Hello,
I have a switch port configured to authenticate with the order MAB first and then dot1X. The priority has been set up the opposite way: first dot1X, then MAB. I would like to re-authenticate devices (phones in this case), but it seems that when I run "clear dot1x int ..." or "clear authentication sessions int ..." the switch is not sending the EAP-Request/Identity, and MAB occurs after running them.
Is there any command to force the switch to use dot1X and send the EAP-Request/Identity to the endpoint? Unfortunately, I cannot change the switch port configuration, and shut/no shut is not allowed either.
Thanks and regards,
Víctor.
09-20-2018 05:39 AM
I believe that is the downside of doing MAB first, which is something I never do. When you do MAB first, you are forcing the connecting device to initiate Dot1x, and some devices, like Macs, are only responders. In addition, as you are seeing, you may have issues during reauthentication.
09-20-2018 12:04 PM - edited 09-20-2018 12:20 PM
You can force reauthentication using 802.1X by adding Cisco VSA:termination-action-modifier=1 to the authorization profile along with the reauthentication parameters even when the ordering dictates MAB first. Please see '802.1X and MAB ordering section' of the following document for more information:
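A way to confirm from a packet capture that the RADIUS server is actually returning the attributes described in the reply above. This is an added example, not part of the thread or any Cisco tooling; it assumes the "reauthentication parameters" are the standard Session-Timeout (27) and Termination-Action (29) = RADIUS-Request attributes, and the sample attribute bytes and function names are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
SESSION_TIMEOUT = 27      # RFC 2865
TERMINATION_ACTION = 29   # RFC 2865; value 1 = RADIUS-Request
VENDOR_SPECIFIC = 26      # RFC 2865
MODIFIER = b"termination-action-modifier=1"  # value named in the thread

def attr(attr_type, value):
    """Encode one RADIUS attribute (type, length, value)."""
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Encode a cisco-av-pair (vendor 9, vendor-type 1) Vendor-Specific attribute."""
    data = text.encode()
    return attr(VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + bytes([1, len(data) + 2]) + data)

def parse_attributes(buf):
    """Walk the attribute list that follows the 20-byte RADIUS header."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def reauth_findings(buf):
    """Report which reauthentication-related attributes an Access-Accept carries."""
    found = {"session_timeout": None, "radius_request": False, "modifier": False}
    for attr_type, value in parse_attributes(buf):
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            found["session_timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION and len(value) == 4:
            found["radius_request"] = struct.unpack("!I", value)[0] == 1
        elif (attr_type == VENDOR_SPECIFIC and len(value) > 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
              and value[4] == 1 and value[6:4 + value[5]] == MODIFIER):
            found["modifier"] = True
    return found

# Constructed sample attribute lists (not captured from a real deployment).
BASE = attr(SESSION_TIMEOUT, struct.pack("!I", 3600)) + \
       attr(TERMINATION_ACTION, struct.pack("!I", 1))
WITHOUT_MODIFIER = BASE
WITH_MODIFIER = BASE + cisco_avpair("termination-action-modifier=1")

if __name__ == "__main__":
    print(reauth_findings(WITHOUT_MODIFIER))
    print(reauth_findings(WITH_MODIFIER))
```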