Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Catalyst 3560 dot1x reauthentication timers?

I have wired 802.1x deployed with XP SP3 & Vista SP1 clients on a 3560 running the latest 12.2(50)SE software. Radius is handled by a Windows 2003 Server & IAS and reauthentication is enabled using the server to provide the timeout (session-timeout set to 180 minutes). This all appears to work but reauthentication seems to be happening more frequently than the supplied timeout. The logs filtered for 1 port are attached.

The port configuration is:

interface FastEthernet0/2

switchport access vlan 10

switchport mode access

switchport voice vlan 15

switchport port-security maximum 3

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 3

switchport port-security violation restrict

switchport port-security aging type inactivity

no logging event link-status

srr-queue bandwidth share 1 70 25 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

authentication port-control auto

authentication periodic

authentication timer restart 30

authentication timer reauthenticate server

authentication violation protect

no snmp trap link-status

dot1x pae authenticator

spanning-tree portfast

service-policy input IPPHONE+PC-BASIC

ip dhcp snooping limit rate 100

The session-timeout is seen by the switch:

cat-3560-48-s1#sho authentication sessions interface fastEthernet 0/1

Interface: FastEthernet0/1

MAC Address: 000c.f18c.c8fd

IP Address:

User-Name: DOMAIN\user

Status: Authz Success

Domain: DATA

Oper host mode: single-host

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

Session timeout: 10800s (server), Remaining: 9415s

Timeout action: Reauthenticate

Idle timeout: N/A

Common Session ID: C0A864FE00000D7A2F7C13F4

Acct Session ID: 0x00000E7A

Handle: 0x89000D7A

Runnable methods list:

Method State

dot1x Authc Success

The times between reauthentications is also not consistent (23-minutes, 5.5-minutes, 23-minutes, 5.5-minutes, 37-minutes, 5.5-minutes, 30-seconds, 26.5-minutes, 5.5-minutes, 17.5-minutes)

I am not sure if the client is initiating the reauthentication but I don't remember seeing any settings in either XP or Vista for timers? I have also looked at the GPO settings and there is nothing about reauthentication timers (XP SP3 & Vista can get the Wired 802.1x settings from GPO).

Has anyone else seen this? Is it the client or is it the switch? Is it fixable?



CreatePlease to create content