Enabling the periodic online user reauthentication feature
Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The attributes include the ACL and VLAN. The reauthentication interval is user configurable.
The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.
If the termination action is Radius-request, the periodic online user reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X users after the session timeout timer expires.
Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.
The VLANs assigned to an online user before and after reauthentication can be the same or different.
To enable the periodic online user reauthentication feature:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set the periodic reauthentication timer. | dot1x timer reauth-period reauth-period-value | The default is 3600 seconds. |
3. Enter Ethernet interface view. | interface interface-type interface-number | N/A |
4. Enable periodic online user reauthentication. | dot1x re-authenticate | By default, the feature is disabled. |
5. (Optional.) Enable the keep-online feature for 802.1X users. | dot1x re-authenticate server-unreachable keep-online | By default, this feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication. |