165 Views, 0 Helpful, 2 Replies

DOT1x port authentication drops as CA restarts

IES Sys Admin
Level 1

We have dot1x configured on some ports on our C9300s. Lately we have been seeing that when we restart the CA server for patching, all the dot1x ports drop out as it restarts, because they aren't authenticated until the server comes back on and the ports are shut down and turned back on. I am thinking it is the timer set on the port to reauthenticate the port.

Per this information, the default timeout for 802.1X and MAB is 90 seconds, which is about how long the connection remains connected. So what I am thinking is that I should add this line to my config:

dot1x timeout reauth-period 7200

The reauthentication is not dictated through our RADIUS, so it runs on the switch default. Is this the correct control to allow it to run for about 2 hours without reauthentication? Should I lower it to 30 minutes or an hour for a secure connection? What is the correct command? The documentation is confusing to me.

Full Port Configuration:

switchport access vlan 25
switchport mode access
switchport block unicast
authentication periodic
access-session host-mode single-host
access-session closed
access-session port-control auto
dot1x pae authenticator
dot1x timeout auth-period 60
storm-control broadcast level bps 62m
storm-control unicast level bps 1g
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
service-policy type control subscriber DOT1x
ip verify source tracking

2 Replies

event action server dead authorize vlan x <<- this command helps you to make new authc clients authz to a specific VLAN when the server is dead 

MHM

balaji.bandi
Hall of Fame
We have dot1x configured on some ports on our C9300s. Lately we have been seeing that when we restart the CA server for patching, all the dot1x ports drop out as it restarts, because they aren't authenticated until the server comes back on and the ports are shut down and turned back on. I am thinking it is the timer set on the port to reauthenticate the port.

In this case you should have an intermediate PKI, or a high-availability PKI is suggested.

BB
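Added example, not code from this thread, from Cisco, or from either reply author: a small Python checker that reads an interface block like the one posted above together with its IBNS 2.0 control policy and reports the two settings that decide what happens to an authenticated session while the authentication server is unreachable. It recognises both the legacy form the question proposes (dot1x timeout reauth-period) and authentication timer reauthenticate, assumes the IOS-XE default of 3600 seconds once authentication periodic is configured, and assumes the standard IBNS 2.0 class names AAA_SVR_DOWN_AUTHD_HOST / AAA_SVR_DOWN_UNAUTHD_HOST. The interface name and both policy-map bodies are constructed for the example, since the thread does not show the contents of the DOT1x policy.

```python
"""Checker for 802.1X reauthentication and server-dead handling on an IOS-XE port.

Added example (not from the thread). All sample configuration below is constructed.
"""
import re

# IOS-XE default reauthentication interval once 'authentication periodic' is set.
DEFAULT_REAUTH_SECONDS = 3600

# Constructed sample: the interface block from the question (interface name assumed),
# with the access-vlan line in valid IOS syntax.
PORT_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport access vlan 25
 switchport mode access
 authentication periodic
 access-session host-mode single-host
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout auth-period 60
 service-policy type control subscriber DOT1x
"""

# Constructed sample: a control policy with no handling for a dead AAA server.
POLICY_NO_CRITICAL = """\
policy-map type control subscriber DOT1x
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
"""

# Constructed sample: the same policy plus the standard IBNS 2.0 server-dead classes.
# 'pause reauthentication' keeps an already-authorized host up during the outage.
POLICY_WITH_CRITICAL = POLICY_NO_CRITICAL + """\
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  20 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
"""

_TIMER_RE = re.compile(
    r"^\s*(?:authentication timer reauthenticate|dot1x timeout reauth-period)\s+(\S+)\s*$",
    re.M,
)


def reauth_settings(iface_cfg):
    """Return (periodic, timer): timer is int seconds, 'server', or None if unset."""
    periodic = re.search(r"^\s*authentication periodic\s*$", iface_cfg, re.M) is not None
    m = _TIMER_RE.search(iface_cfg)
    if m is None:
        return periodic, None
    value = m.group(1)
    return periodic, value if value == "server" else int(value)


def effective_reauth_seconds(iface_cfg):
    """Seconds between reauthentications, or None when reauth is off or RADIUS-driven."""
    periodic, timer = reauth_settings(iface_cfg)
    if not periodic or timer == "server":
        return None
    return DEFAULT_REAUTH_SECONDS if timer is None else timer


def has_critical_auth(policy_cfg):
    """True when authorized hosts are kept up while the AAA server is marked dead."""
    in_block = False
    for line in policy_cfg.splitlines():
        s = line.strip()
        if re.match(r"\d+ class AAA_SVR_DOWN_AUTHD_HOST\b", s):
            in_block = True
            continue
        if re.match(r"(\d+ class |event )", s):
            in_block = False
        elif in_block and re.match(r"\d+ (authorize|pause reauthentication)\b", s):
            return True
    return False


def lint(iface_cfg, policy_cfg):
    """Return a list of findings for one port and its control policy."""
    findings = []
    periodic, timer = reauth_settings(iface_cfg)
    closed = re.search(r"^\s*access-session closed\s*$", iface_cfg, re.M) is not None
    if periodic and timer is None:
        findings.append(f"REAUTH_DEFAULT: 'authentication periodic' without a timer; "
                        f"reauthentication every {DEFAULT_REAUTH_SECONDS}s (switch default)")
    elif periodic:
        findings.append(f"REAUTH_TIMER: reauthentication interval is {timer}")
    if closed and not has_critical_auth(policy_cfg):
        findings.append("NO_CRITICAL_AUTH: closed mode with no AAA_SVR_DOWN_AUTHD_HOST handling; "
                        "a reauthentication during a RADIUS outage leaves the port unauthorized")
    return findings


if __name__ == "__main__":
    for name, policy in (("no critical auth", POLICY_NO_CRITICAL),
                         ("with critical auth", POLICY_WITH_CRITICAL)):
        print(f"--- {name} ---")
        for f in lint(PORT_CONFIG, policy):
            print(f)
```

The point the checker makes is that lengthening the reauthentication period only widens the window in which an outage goes unnoticed; a reauthentication that lands inside the outage still fails. The server-dead classes only fire once the switch has actually marked the RADIUS server dead, which depends on the dead-criteria and deadtime configured under the radius server definition, so those settings are worth reviewing alongside the policy.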
