Enabling the periodic online user re-authentication function
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user-configurable.
Follow these guidelines when you enable the periodic online user re-authentication function:
- The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device and enables periodic online user re-authentication, even if the function is not configured on the device. Support for server assignment of the re-authentication timer, and the way the timer is configured on the server, vary with servers.
- The VLAN assignment status must be consistent before and after re-authentication. If the authentication server assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
- If no critical VLAN is configured, an unreachable RADIUS server can cause an online user who is being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and in the original VLAN.
To enable the periodic online user re-authentication function:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the periodic re-authentication timer. | dot1x timer reauth-period reauth-period-value | Optional. The default is 3600 seconds. |
3. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
4. Enable periodic online user re-authentication. | dot1x re-authenticate | By default, the function is disabled. |
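
The guidelines above interact with the server's policy, so it helps to check a planned RADIUS policy against them before enabling the function. The following Python model is an added example, not device or vendor code: `PortConfig`, `ServerReply`, `effective_reauth_period` and `reauth_outcome` are hypothetical names, the sample values are constructed, and every rule the text says "can cause" a logoff is treated as a logoff.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_REAUTH_PERIOD = 3600  # seconds, default of "dot1x timer reauth-period"

@dataclass
class PortConfig:                         # hypothetical model of the access port
    reauth_enabled: bool = False          # "dot1x re-authenticate", off by default
    reauth_period: int = DEFAULT_REAUTH_PERIOD
    critical_vlan: Optional[int] = None   # None: no critical VLAN configured

@dataclass
class ServerReply:                        # hypothetical model of one server answer
    reachable: bool = True
    vlan: Optional[int] = None            # None: server assigned no VLAN
    session_timeout: Optional[int] = None # None: attribute not sent

def effective_reauth_period(port, reply):
    """Seconds between re-authentications, or None if none are scheduled."""
    if reply.session_timeout is not None:
        # Server-assigned timer overrides the device setting and enables
        # re-authentication even when the port has it disabled.
        return reply.session_timeout
    return port.reauth_period if port.reauth_enabled else None

def reauth_outcome(port, before, after):
    """Return (stays_online, vlan, reason) for one re-authentication.
    Worst case: every "can cause ... logged off" rule is treated as a logoff."""
    if not after.reachable:
        if port.critical_vlan is None:
            return (False, None, "server unreachable, no critical VLAN")
        return (True, before.vlan, "server unreachable, critical VLAN keeps user")
    if (before.vlan is None) != (after.vlan is None):
        return (False, None, "VLAN assignment status changed")
    return (True, after.vlan, "re-authenticated")

if __name__ == "__main__":
    port = PortConfig(critical_vlan=999)  # constructed sample values
    first = ServerReply(vlan=10, session_timeout=600)
    print(effective_reauth_period(port, first))
    for nxt in (ServerReply(vlan=20), ServerReply(), ServerReply(reachable=False)):
        print(reauth_outcome(port, first, nxt))
```

Running the model over each authorization profile the server can return shows which combinations would drop an online user at the next re-authentication.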