Configuring a client for retain-unauth-clients
Complete the following steps to configure a client for enforce-cache reauthentication.
Procedure
-
(config)# aaa authentication port-access eap-radius cached-reauth
Enable cache-reauth as the secondary authentication method.
-
(config)# aaa port-access authenticator <PORT-LIST>
Associate the specific port with the port-access authenticator for 802.1x authentication.
-
Configure the server timeout to be less than (number of retransmits + 1) * timeout. With the default values this is (3 + 1) * 5 = 20 seconds.
(config)# show radius

 Dead RADIUS server are preceded by *

  Deadtime (minutes)             : 0
  Timeout (seconds)              : 5
  Retransmit Attempts            : 3
  Global Encryption Key          :
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Tracking                       : Disabled
  Tracking Period (seconds)      : 300
  CPPM Identity                  :

                  Auth  Acct  DM/ Time   |
  Server IP Addr  Port  Port  CoA Window | Encryption Key   OOBM
  --------------- ----- ----- --- ------ + ---------------- ----
  <Server IP>     1812  1813  No  300    | <encryption-key> No

(config)# aaa port-access authenticator <PORT-LIST> server-timeout
-
(config)# aaa port-access authenticator <PORT-LIST> enforce-cache-reauth
Enable enforce-cache-reauth on the 802.1x authentication associated port.
-
(config)# aaa port-access authenticator <PORT-LIST> cached-reauth-period
Set the cached-reauth-period for the 802.1x associated port.
- Time in seconds, <1-2147483647>, during which cached reauthentication is allowed on the port. The minimum reauthentication period should be greater than 30 seconds.
-
(config)# aaa port-access authenticator <PORT-LIST> reauth-period
Set the reauth-period for the 802.1x associated port.
- Enter a number, <0-999999999>.
-
(config)# aaa port-access authenticator <PORT-LIST> [auth-vid <VLAN-ID> | cached-reauth-period | clear-statistics | client-limit <1-32> | control | enforce-cache-reauth | initialize | logoff-period | max-requests <1-10> | quiet-period <1-65535> | reauth-period <0-999999999> | reauthenticate | server-timeout <1-300> | supplicant-timeout | tx-period | unauth-period <0-255> | unauth-vid <VLAN-ID>]
Specifies parameters and limits on the configured client authentication.
-
(config)# aaa port-access authenticator active
Initializes the authenticator.
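
A pre-change check for the values used in this procedure, as an added example (not part of the original page or of any vendor tooling). It reads Timeout and Retransmit Attempts from show radius output, computes the (retransmit + 1) * timeout bound, and checks planned per-port values against the ranges listed above. The function names, the sample output and the planned values are constructed, and applying the 30-second minimum to cached-reauth-period is an assumption.

```python
import re

# Constructed sample: global fields of `show radius` with the defaults shown in the procedure.
SAMPLE_SHOW_RADIUS = """\
  Deadtime (minutes)             : 0
  Timeout (seconds)              : 5
  Retransmit Attempts            : 3
  Dynamic Authorization UDP Port : 3799
"""

def radius_field(output, label):
    """Return the integer value of a 'label : value' line in `show radius` output."""
    match = re.search(rf"^\s*{re.escape(label)}\s*:\s*(\d+)\s*$", output, re.M)
    if match is None:
        raise ValueError(f"'{label}' not found in show radius output")
    return int(match.group(1))

def server_timeout_bound(output):
    """(retransmit attempts + 1) * timeout, in seconds."""
    retransmit = radius_field(output, "Retransmit Attempts")
    timeout = radius_field(output, "Timeout (seconds)")
    return (retransmit + 1) * timeout

def check_plan(output, server_timeout, cached_reauth_period, reauth_period):
    """Return the problems found in the planned per-port values; empty list means OK."""
    problems = []
    bound = server_timeout_bound(output)
    if not 1 <= server_timeout <= 300:
        problems.append("server-timeout is outside <1-300>")
    if server_timeout >= bound:
        problems.append(f"server-timeout {server_timeout} is not below the bound of {bound}s")
    if not 1 <= cached_reauth_period <= 2147483647:
        problems.append("cached-reauth-period is outside <1-2147483647>")
    elif cached_reauth_period <= 30:
        # Assumption: the "greater than 30 seconds" note applies to this parameter.
        problems.append("cached-reauth-period should be greater than 30 seconds")
    if not 0 <= reauth_period <= 999999999:
        problems.append("reauth-period is outside <0-999999999>")
    return problems

if __name__ == "__main__":
    # Planned values below are constructed for illustration.
    for plan in ((15, 3600, 300), (20, 30, 300)):
        print(plan, check_plan(SAMPLE_SHOW_RADIUS, *plan) or "OK")
```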