Configuration restrictions and guidelines

When you configure 802.1X reauthentication, follow these restrictions and guidelines:

• The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) together can affect periodic reauthentication. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

  • If the termination action is Default (logoff), periodic reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

  • If the termination action is Radius-request, the periodic reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X users after the session timeout timer expires.

  Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

• You can set the periodic reauthentication timer either in system view or in interface view by using the dot1x timer reauth-period command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.

  The device selects a periodic reauthentication timer for 802.1X reauthentication in the following order:

  1. Server-assigned reauthentication timer.

  2. Port-specific reauthentication timer.

  3. Global reauthentication timer.

  4. Default reauthentication timer.

• The VLANs assigned to an online user before and after reauthentication can be the same or different.