Force a client re-authentication directly via CLI (EXOS / EOS)

  • Question
  • Updated 2 years ago
  • Answered
Hi,

During an HP (2920) switching / NAC project I learned that MAC or 802.1x re-authentication can be done directly via the switch CLI:

aaa port-access mac-based <port-list> reauthenticate

aaa port-access authenticator <port-list> reauthenticate

This is a nice feature, especially if you do not have Netsight NAC with NAC Manager's "Force Re-auth" button.

In the past everybody used a hard port link down/up, but the above command is smarter, especially if you have multiple users on the port in question.


Is there a similar command for re-authentication available on EXOS / EOS ??


Regards

M.Nees, Embassador

Posted 2 years ago


Pala, Zdenek, Employee

EOS:
set macauthentication portreauthenticate port-string
Use this command to force an immediate reauthentication of the currently active sessions on one
or more MAC authentication ports.

set dot1x {[enable | disable] | [{init | reauth} [port-string] [index index-list]]}
init | reauth: Reinitializes one or more access entities or reauthenticates one or more supplicants.

OscarK, ESE

On EXOS, clear netlogin state <port|mac|agent>

M.Nees, Embassador

Thanks Zdenek !!

Same for EXOS ??? (which is the edge switching platform of the next years ...)

M.Nees, Embassador

Hi Oscar,

thanks for reply !!

Regards

André Herkenrath, Employee

This also works with 15.3 Systems. We did some integration with NAC and Assessment, where we forced reauth this way via X-API and NAC.

M.Nees, Embassador

Hi Andre,

As I see in a tcpdump with current EXOS, force reauth (from the NAC Gateway) is done via the dot1x SNMP MIB (for both MAC and 802.1x).

By the way, other switches like H3C provide CoA (Change of Authorization), which is known from wireless, for re-auth. This is also a smart method.

Regards

Pala, Zdenek, Employee

CoA (RFC3576 / RFC 5176) is supported on both EOS and EXOS also :)

M.Nees, Embassador

Hi Zdenek,

regarding CoA:

EXOS support for that started with EXOS V22.1
configure radius dynamic-authorization ...

EOS supports this feature only on S/K, maybe N-Series, but not on (edge) SecureStacks.
set radius authorization dynamic ...

Searching the last V8.61 S-Series manuals, I found no entry for that feature :-((
Is my search wrong, or is there no manual entry for that feature?
 
Regards

Pala, Zdenek, Employee

The RFC3576 works on EOS. It is enabled by default and I have no idea if you can disable it. So no need for documentation. I am sure you will find the RFC in the datasheet.

And you are right, we do support the CoA in 22.x
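
For the CoA method (RFC 3576 / RFC 5176) discussed in this thread, the following added example, which is not code from any poster or from the vendor, builds a Disconnect-Request or CoA-Request and shows the checks a receiving switch applies before acting on it: the MD5 Request Authenticator over the shared secret, and an Event-Timestamp replay window. The MAC address and secret used with it are constructed values, and rejecting requests that lack Event-Timestamp is a policy assumption (the RFC only recommends the attribute).

```python
import hashlib, hmac, struct, time

DISCONNECT_REQUEST, COA_REQUEST = 40, 43      # RFC 5176 packet codes
CALLING_STATION_ID, EVENT_TIMESTAMP = 31, 55  # RADIUS attribute types
REPLAY_WINDOW = 300  # seconds; default window suggested by RFC 5176

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _authenticator(code, ident, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, mac, secret, now=None):
    """Build a Disconnect-/CoA-Request naming the session by MAC address."""
    ts = struct.pack("!I", int(time.time() if now is None else now))
    attrs = _attr(CALLING_STATION_ID, mac.encode()) + _attr(EVENT_TIMESTAMP, ts)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _authenticator(code, ident, attrs, secret) + attrs

def parse_attrs(blob):
    out, i = {}, 0
    while i < len(blob):
        alen = blob[i + 1] if i + 1 < len(blob) else 0
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        out[blob[i]] = blob[i + 2:i + alen]
        i += alen
    return out

def verify_request(packet, secret, now=None):
    """NAS-side checks; returns parsed attributes or raises ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        raise ValueError("bad code or length")
    attrs = packet[20:]
    if not hmac.compare_digest(packet[4:20], _authenticator(code, ident, attrs, secret)):
        raise ValueError("bad authenticator")
    parsed = parse_attrs(attrs)
    ts = parsed.get(EVENT_TIMESTAMP, b"")
    # Policy assumption: require Event-Timestamp (the RFC only recommends it).
    if len(ts) != 4:
        raise ValueError("missing Event-Timestamp")
    now = time.time() if now is None else now
    if abs(now - struct.unpack("!I", ts)[0]) > REPLAY_WINDOW:
        raise ValueError("stale Event-Timestamp")
    return parsed
```

Because the only authentication is the shared secret, a switch that accepts these requests by default should have a strong per-server secret and should accept UDP 3799 only from the NAC / RADIUS server addresses.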