Force a client re-authentication directly via CLI (EXOS / EOS)

  • 27 January 2017
  • 10 replies
  • 743 views

Userlevel 6
Hi,

During an HP (2920) switching / NAC project I learned that MAC or 802.1x re-authentication can be done directly via the switch CLI:

code:
aaa port-access mac-based <port-list> reauthenticate
code:
aaa port-access authenticator <port-list> reauthenticate
This is a nice feature, especially if you do not have Netsight NAC with NAC Manager's "Force Re-auth" button.

In the past everybody used a hard port link down/up, but the above command is smarter, especially if you have multiple users on the port in question.

Is there a similar command for re-authentication available on EXOS / EOS?

Regards

Userlevel 7
EOS:
set macauthentication portreauthenticate port-string
Use this command to force an immediate reauthentication of the currently active sessions on one or more MAC authentication ports.

set dot1x {[enable | disable] | [{init | reauth} [port-string] [index index-list]]}
init | reauth: Reinitializes one or more access entities or reauthenticates one or more supplicants.
Userlevel 6
On EXOS, clear netlogin state
Userlevel 6
Thanks Zdenek !!

Same for EXOS ??? (which is the edge switching platform of the next years ...)
Userlevel 6
Hi Oscar,

thanks for reply !!

Regards
Userlevel 4
This also works with 15.3 Systems. We did some integration with NAC and Assessment, where we forced reauth this way via X-API and NAC.
Userlevel 6
Hi Andre,

As I see via tcpdump with current EXOS, force reauth (from the NAC Gateway) is done via the dot1x SNMP MIB (for both MAC and 802.1x).

By the way other switches like H3C provide CoA (Change of Authorization) which is known from Wireless for re-auth. This is also a smart method.

Regards
Userlevel 7
CoA (RFC3576 / RFC 5176) is supported on both EOS and EXOS also 🙂
Userlevel 6
Hi Zdenek,

Regarding CoA:

EXOS support for that started with EXOS V22.1:
configure radius dynamic-authorization ...
EOS supports this feature only on S/K, maybe N-Series, but not on (edge) SecureStacks:
set radius authorization dynamic ...
Searching the latest V8.61 S-Series manuals I found no entry for that feature :-((
Is my search wrong or is there no manual entry for that feature?

Regards
Userlevel 7
The RFC3576 works on EOS. It is enabled by default and I have no idea if you can disable it. So no need for documentation. I am sure you will find the RFC in the datasheet. And you are right, we do support CoA in 22.x.
Userlevel 3

"Is Change of Authorization (CoA) supported on EOS switches?

  • Article Type: Q & A
  • Article Number: 000038365
  • Last Modified: 3/13/2019"

"Environment

  • EOS
  • 7100-Series
  • K-Series
  • S-Series
  • Securestack
  • CoA
  • RFC5176

Answer

RFC5176 Dynamic Authorization Extension to RADIUS is supported on S/K/7100 platforms but not on Securestack switches."

Source: https://extremeportal.force.com/ExtrArticleDetail?n=000038365
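
The CoA mechanism discussed in this thread (RFC 3576 / RFC 5176), as an added example that is not part of any poster's reply and not Extreme's code: how a Disconnect-Request or CoA-Request is authenticated with the RADIUS shared secret, and the check a NAS applies before acting on one. The secret, MAC address and port number are constructed sample values; which attributes a given EOS or EXOS release expects for session identification is not stated in the thread.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
NAS_PORT, CALLING_STATION_ID = 5, 31       # RFC 2865 attribute types

def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def _authenticator(header, attrs, secret):
    # RFC 5176 section 2.3:
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, identifier, attrs, secret):
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def verify_request(packet, secret):
    """NAS-side check: True only for a well-formed, authenticated request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = _authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Walk the attribute list, rejecting lengths that overrun the packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 \
                or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(DISCONNECT_REQUEST, 1,
                       [(CALLING_STATION_ID, b"00-11-22-33-44-55"),
                        (NAS_PORT, struct.pack("!I", 7))], SECRET)
```

A request that fails `verify_request` (wrong secret, altered attribute, bad length) must be dropped silently, which is why the shared secret and the source-address restriction on UDP port 3799 are the controls that matter for this feature.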
