09-25-2011 05:52 AM
Hallo,
I am using the CISCO SG300-28 switches with freeRADIUS, dynamic VLAN, Guest VLAN and MAC based authentication without any problems.
I have got a question to the fuction "re-authentication" in "SECURITY -> Port Authentication". The default time is 3600s.
For me this means that the switch is authenticating the port every hour against the freeRADIUS if a client is connected.
But what is happening if I disconnect a client and reconnect the LAN cable of the client with the same MAC address ? Is the switch then re-authenticating the client against the RADIUS or is the switch waiting till the 3600s has elapsed (because the client connected has the same MAC address?)
I am asking this because sometimes I have the problem that a client comes into the Guest VLAN. Then I disconnected the LAN cable and reconnected it in hope that the switch starts a new reauthentication against the radius. But this isn't working in my case.
It would be nice if someone could explain me the re-authentication option more in detail as the user guide.
Thank you very much in advance!
09-29-2011 01:22 PM
Hello Alexander,
Thank you for posting. On the Host and Session Authentication Page, is the affected port set for Single, Multiple Host, or Multiple Sessions?
01-28-2012 11:40 PM
Hi Alexander,
I did quite some testing around with the SG300-20 I have here, which has the latest (1.1.2.0) firmware on it. And I have some problems with the reauthentication too. So my findings about your problem. There are two kinds of "reauthentication". The first kind is when the switch asks the radius server using the USER INFORMATION STORED IN THE SWITCH, whether the user can connect or not. This occurs also (unfortunately in my case), when I directly reauthenticate a port (dot1x re-authenticate gi1). The second kind is when for whatever reason the authenticated user is removed from the port, and as a reaction for the first traffic from that user the switch asks for NEW USER INFORMATION from the user, and authenticates using that information. Note, that this information may be simply the MAC address of the machine, so the actual user of the computer might not even know, that he is reauthenticated.
To your question. If the machine is connected directly to the switch and you diconnect it, then the port goes down, all authentications are removed from the port, and whatever you reconnect to that port must be reauthenticated using the second method. If the machine is connected to (say) an unmanaged switch, which is in turn connected to your SG300-28, then the SG300-28 cannot possibly know that the client has been disconnected and no reauthentication occurs.
Best regards,
Geza
01-29-2012 09:55 AM
Thank you for your feedback - in this and other threads :-)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide