10-08-2024 10:46 AM - edited 10-08-2024 10:48 AM
We have dot1x configured on some ports on our C9300s. Lately we have been seeing that when we restart the CA server for patching, all the dot1x ports drop out as it restarts, because they aren't authenticated until the server comes back up and the ports are shut down and turned back on. I am thinking it is the timer set on the port to reauthenticate the port.
Per this information, the default timeout for 802.1X and MAB is 90 seconds, which is about how long the connection remains connected. So what I am thinking is I should add this line to my config:
dot1x timeout reauth-period 7200
The reauthentication is not dictated through our RADIUS, so it runs on the switch default. Is this the correct control to allow it to run for about 2 hours without reauthentication? Should I lower it to 30 minutes or an hour for a secure connection? What is the correct command, because the documentation is confusing to me.
Full Port Configuration
switchport access vlan 25
switchport mode access
switchport block unicast
authentication periodic
access-session host-mode single-host
access-session closed
access-session port-control auto
dot1x pae authenticator
dot1x timeout auth-period 60
storm-control broadcast level bps 62m
storm-control unicast level bps 1g
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
service-policy type control subscriber DOT1x
ip verify source tracking
10-08-2024 10:51 AM
authentication event server dead action authorize vlan x <<- this command helps you to make new authc clients authz to a specific VLAN when the server is dead
MHM
10-08-2024 11:56 AM
We have dot1x configured on some ports on our C9300s. Lately we have been seeing when we restart the CA server for patching, as it restarts all the dot1x ports drop out because they aren't authenticated until the server comes back on and the ports are shut down and turned back on. I am thinking it is the timer set on the port to reauthenticate the port.
In this case you should have an intermediate PKI, or a high-availability PKI is suggested.