Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
832
Views
5
Helpful
2
Replies

Reauthentication of MAB devices at the end of reauth timer

Go to solution
cpaquet
Level 1
Level 1

‎10-07-2019 03:16 PM

How does the reauthentication works for a MAB devices, once the intf reaches the end of the reauth timer, let's say, after 180min?

With 1X, the switch will send EAPoL request to the endpoint.  But how does the switch proceed for a MAB device?  In an IoT environment, one of my customer says that its devices can stay silent for hours.  So, how would the switch port know if the device is still there?

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-07-2019 04:07 PM

For MAB, authentication requests are sent using whatever MAC address the switched learned on that particular interface.  If the link state stays up and the reauth timer expires, the switch will reauthenticate the device using the MAC address it already knows for the device.  If the device goes to sleep and the link state goes down, then the session expires and a new authentication process will happen when the device wakes up as a totally new session.  If the link state stays up and the device is silent long enough for the switch to age out the MAC address, then no authentication request will be sent until the device attempts to communicate again and the switch learns the MAC again.

View solution in original post

2 Replies 2

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-07-2019 04:07 PM

For MAB, authentication requests are sent using whatever MAC address the switched learned on that particular interface.  If the link state stays up and the reauth timer expires, the switch will reauthenticate the device using the MAC address it already knows for the device.  If the device goes to sleep and the link state goes down, then the session expires and a new authentication process will happen when the device wakes up as a totally new session.  If the link state stays up and the device is silent long enough for the switch to age out the MAC address, then no authentication request will be sent until the device attempts to communicate again and the switch learns the MAC again.

Go to solution
cpaquet
Level 1
Level 1
In response to Colby LeMaire

‎10-08-2019 07:21 AM

Great explanations.  Make sense.  Thanks Colby.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents