
Cisco Bug: CSCun02566 - 802.1x ENH authentication order for periodic reauth - dot1x priority

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Catalyst 2960 Series Switches

Known Affected Releases

15.2(22.22)

Description (partial)

Symptom:
Currently on IOS, the 802.1x "authentication order" command decides the order in which the authentication methods are tried.
That also applies to the periodic reauthentication process.

That might create some confusion. Example:
authentication order mab dot1x
authentication priority dot1x mab
authentication periodic

The customer uses this method to authenticate users immediately via MAB and put them in a quarantine VLAN. Once the 802.1x supplicant is up, it triggers a new 802.1x session, which puts the user in the full-access VLAN. The problem occurs when reauthentication takes place: MAB is tried first and succeeds. The supplicant never initiates an 802.1x session because it is unaware of the reauthentication, and the switch does not try 802.1x because MAB has already succeeded.

This enhancement request has been created to add a command that changes the switch behavior: if an 802.1x session was previously established and the reauthentication timer expires, the switch sends an EAPOL Identity Request, even when the first method is mab.

New argument for the command:
authentication periodic dot1x-priority
The dot1x-priority keyword forces the switch to start an 802.1x session when the previous successful session was 802.1x, even when mab is configured as the first preferred method. It applies only to periodic reauthentication.

Conditions:
periodic reauthentication
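The sequencing described above is easier to follow as a small model of the port authentication manager. The following is an added example, not Cisco code: it walks the configured method order at link-up, lets a supplicant's EAPOL-Start replace the MAB session because dot1x outranks mab in the priority list, and then runs periodic reauthentication with and without the proposed dot1x-priority keyword (whose semantics are assumed from the description above). The VLAN numbers, MAC address and class names are constructed for the illustration.

```python
"""Model of the port authentication sequencing described in CSCun02566.

Constructed example, not Cisco code. VLAN numbers, the MAC address and the
semantics of the proposed dot1x-priority keyword are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

QUARANTINE_VLAN = 999    # constructed: VLAN assigned after a MAB success
FULL_ACCESS_VLAN = 100   # constructed: VLAN assigned after an 802.1x success


@dataclass
class Endpoint:
    mac: str
    in_mab_db: bool        # the MAC is known to the MAB database
    has_supplicant: bool   # an 802.1x supplicant is present on the host


@dataclass
class PortConfig:
    order: List[str]               # "authentication order ..."
    priority: List[str]            # "authentication priority ..."
    dot1x_priority: bool = False   # proposed "authentication periodic dot1x-priority"


@dataclass
class Session:
    method: str
    vlan: int


class PortAuthManager:
    def __init__(self, cfg: PortConfig, ep: Endpoint) -> None:
        self.cfg, self.ep = cfg, ep
        self.session: Optional[Session] = None
        self.trace: List[str] = []

    def _rank(self, method: str) -> int:
        # Lower index in the priority list means higher priority.
        return self.cfg.priority.index(method)

    def _attempt(self, method: str) -> Optional[Session]:
        if method == "mab":
            ok = self.ep.in_mab_db
            self.trace.append(f"mab {'success' if ok else 'fail'}")
            return Session("mab", QUARANTINE_VLAN) if ok else None
        if method == "dot1x":
            # The switch sends an EAPOL Identity Request; a present supplicant answers.
            ok = self.ep.has_supplicant
            self.trace.append(f"dot1x {'success' if ok else 'no supplicant'}")
            return Session("dot1x", FULL_ACCESS_VLAN) if ok else None
        raise ValueError(f"unknown method {method}")

    def _run(self, order: List[str]) -> None:
        # Walk the method list and stop at the first success, as "authentication order" does.
        for method in order:
            result = self._attempt(method)
            if result is not None:
                self.session = result
                return
        self.session = None

    def link_up(self) -> None:
        self._run(self.cfg.order)

    def supplicant_start(self) -> None:
        # The supplicant boots and sends EAPOL-Start on its own. Because dot1x outranks
        # mab in the priority list, the switch lets the 802.1x session replace MAB.
        if not self.ep.has_supplicant:
            return
        if self.session is None or self._rank("dot1x") < self._rank(self.session.method):
            self.trace.append("eapol-start from supplicant")
            self._run(["dot1x"])

    def reauth_timer_expired(self) -> None:
        order = list(self.cfg.order)
        if self.cfg.dot1x_priority and self.session and self.session.method == "dot1x":
            # Proposed behaviour: a previously successful 802.1x session is re-tried
            # with 802.1x first, even though mab is configured as the first method.
            order = ["dot1x"] + [m for m in order if m != "dot1x"]
        self.trace.append(f"reauth order={order}")
        self._run(order)


def vlan_after_reauth(dot1x_priority: bool, has_supplicant: bool = True) -> int:
    """Return the VLAN the host sits in after one periodic reauthentication."""
    cfg = PortConfig(order=["mab", "dot1x"], priority=["dot1x", "mab"],
                     dot1x_priority=dot1x_priority)
    ep = Endpoint(mac="00:11:22:33:44:55", in_mab_db=True,   # constructed host
                  has_supplicant=has_supplicant)
    pam = PortAuthManager(cfg, ep)
    pam.link_up()           # MAB first: host lands in the quarantine VLAN
    pam.supplicant_start()  # supplicant comes up: 802.1x grants full access
    pam.reauth_timer_expired()
    return pam.session.vlan if pam.session else -1


if __name__ == "__main__":
    print("current behaviour  :", vlan_after_reauth(False))
    print("with dot1x-priority:", vlan_after_reauth(True))
```

Running it shows the symptom: with the current behaviour the host drops back to the quarantine VLAN at every reauthentication because MAB answers first and the supplicant is never asked, while the dot1x-priority variant keeps the host in the full-access VLAN. A host without a supplicant is unaffected by the keyword because its previous session was MAB, so the configured order is used unchanged.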