Cisco Support Community
New Member

Dot1x NAC reauthentication issue

Hi,

I set up a test lab with the NAC Dot1x Framework, and I am facing an issue whereby the port keeps repeatedly triggering reauthentication, although the next reauthentication has not yet been reached. I tried configuring the re-auth period to use local rather than the RADIUS server, or even disabling reauthentication, but the result is still the same.

My lab is using a Cat3560, even upgraded to the latest IOS version c3560-advipservicesk9-mz.122-40.SE, but it is still the same.

When I run show dot1x interface detail, I notice the next re-auth is still a lot of seconds away, but all of a sudden the port just reauthenticates, whereby the CAT detail shows status reauthenticating.

CAT version 2.1.103.o with supplicant bundle.

I even tried to modify the ctad.ini SQTimer and all this, but it makes no difference.

thx

5 REPLIES
Cisco Employee

Re: Dot1x NAC reauthentication issue

Can you verify the source of your unexpected re-auth?

If it's the supplicant, you'll see an EAPOL-Start on the wire to initiate it (or maybe an EAPOL-Logoff, but unlikely).

If it's the switch, you'll see an EAPOL-Id-Request frame on the wire from the switch to the supplicant to initiate it.

Thanks,

New Member

Re: Dot1x NAC reauthentication issue

Hi jafrazie,

I didn't see an EAPOL-Start or EAPOL-Logoff request in the debug dot1x packet output.

In debug dot1x all, it shows:

.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41

.Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_exit called

.Sep 15 12:16:43: dot1x-sm:dot1x_auth_stop_reauth_timer called for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_enter called

.Sep 15 12:16:43: dot1x-ev:Sending create new context event to EAP for 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_restart_action called

.Sep 15 12:16:43: dot1x-sm:Posting !EAP_RESTART on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_restart, got event 6(no_eapRestart)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_connecting_action called

.Sep 15 12:16:43: dot1x-packet:Received an EAP request packet from EAP for mac 000b.db1b.9eac

.Sep 15 12:16:43: dot1x-sm:Posting RX_REQ on Client=31CC01C

.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_connecting, got event 11(eapReq_no_reAuthMax)

.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticating_enter called

.Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_authenticating_action called

.Sep 15 12:16:43: dot1x-sm:Posting AUTH_START on Client=31CC01C

It is the switch itself generating the re-auth.

What could cause this?

Could it be something wrong with my config? I did try without NAC, just pure dot1x authentication with the original WinXP SP2, and it is still the same.

thx,

LIMCS

Cisco Employee

Re: Dot1x NAC reauthentication issue

Your psec configuration is most likely tripping a re-auth on you every minute. You could set the aging criteria to inactivity, or ..

I would humbly recommend disabling psec in this scenario. 1X itself will limit the port to only a single MAC anyway, and there's no such thing as aging for it really .. after all, that's why you might want re-auth to begin with.

Hope this helps,
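Added example, not part of the original thread and not Cisco tooling: a short Python script that reads `debug dot1x all` output in the format posted above and reports every re-authentication that fired sooner than the configured re-auth period, which is the symptom discussed here. The first three sample lines are copied from the post; the last two lines, the 3600-second period and the placeholder year are assumptions made for the example.

```python
import re
from datetime import datetime

# Lines 1-3 are copied from the debug output in the thread; lines 4-5 are
# CONSTRUCTED (same format, one minute later) to model a repeated re-auth.
SAMPLE = """\
.Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
.Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)
.Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
.Sep 15 12:17:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)
.Sep 15 12:17:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
"""

# Authenticator state-machine event line; IOS may prefix the timestamp
# with '.' or '*' (clock-sync markers), so both are tolerated.
EVENT = re.compile(
    r"^[.*]?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): dot1x_auth (?P<port>\S+): "
    r"during state (?P<state>\w+), got event \d+\((?P<event>\w+)\)")

def reauth_times(log, year=2000):
    """Map port -> timestamps of reAuthenticate events seen while authenticated.
    The debug lines carry no year; `year` is a placeholder used for parsing."""
    times = {}
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m and m["state"] == "auth_authenticated" and m["event"] == "reAuthenticate":
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            times.setdefault(m["port"], []).append(ts)
    return times

def early_reauths(log, reauth_period_s):
    """Return (port, time, gap_seconds) for each re-auth that fired sooner
    than the configured re-auth period after the previous one on that port."""
    findings = []
    for port, stamps in reauth_times(log).items():
        for prev, cur in zip(stamps, stamps[1:]):
            gap = int((cur - prev).total_seconds())
            if gap < reauth_period_s:
                findings.append((port, cur.strftime("%H:%M:%S"), gap))
    return findings

if __name__ == "__main__":
    # 3600 s is an assumed re-auth period; use the value configured on the port.
    for port, when, gap in early_reauths(SAMPLE, reauth_period_s=3600):
        print(f"{port}: re-auth at {when}, only {gap}s after the previous one")
```

A steady gap far below the configured period, with no EAPOL-Start from the supplicant on the wire, points at something on the switch other than the re-auth timer driving the event.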

New Member

Re: Dot1x NAC reauthentication issue

hey jaffrazie,

Thanks a lot, you are so great.

New Member

Dot1x NAC reauthentication issue

Thank you, man. I solved my issue )))
