(Optional) Configuring Re-authentication for 802.1X Authentication Users

Context

If the administrator modifies user information on the authentication server, parameters such as the user's access permissions and authorization attributes change. A user who has already passed 802.1X authentication must then be re-authenticated to ensure user validity.

After the user goes online, the device saves user authentication information. After re-authentication is enabled for 802.1X authentication users, the device sends the saved authentication information of the online user to the authentication server for re-authentication. If the user's authentication information does not change on the authentication server, the user is kept online. If the authentication information has been changed, the user is forced to go offline, and then re-authenticated according to the changed authentication information.

You can configure re-authentication for 802.1X authentication users using either of the following methods:
  • Re-authenticate all online 802.1X authentication users on a specified interface periodically.
  • Re-authenticate once an online 802.1X authentication user that has a specified MAC address.

If periodic 802.1X re-authentication is enabled, a large number of 802.1X authentication logs are generated.

Procedure

  • Configure periodic re-authentication for all online 802.1X authentication users on a specified interface.
    1. Run system-view

      The system view is displayed.

    2. Enable periodic re-authentication for all online 802.1X authentication users on the specified interface in the system or interface view.

      • In the system view:

      1. Run dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

        Periodic 802.1X re-authentication is enabled on the interface.

      • In the interface view:

      1. Run interface interface-type interface-number

        The interface view is displayed.

      2. Run dot1x reauthenticate

        Periodic 802.1X re-authentication is enabled on the interface.

      3. Run quit

        The system view is displayed.

      By default, periodic 802.1X re-authentication is disabled on an interface.

    3. (Optional) Set the re-authentication interval for online 802.1X authentication users in the system or interface view.

      Generally, the default re-authentication interval is recommended. If many ACL rules need to be delivered during user authorization, you are advised to disable re-authentication or increase the re-authentication interval to improve the device processing performance. When remote authentication and authorization are used with a short re-authentication interval, the CPU usage may become high.

      • In the system view:

      1. Run the dot1x timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online 802.1X authentication users.

      • In the interface view:

      1. Run the interface interface-type interface-number command to enter the interface view.
      2. Run the dot1x timer reauthenticate-period reauthenticate-period-value command to set the re-authentication interval for online 802.1X authentication users.
      3. Run the quit command to return to the system view.

      By default, the device re-authenticates online 802.1X authentication users at the interval of 3600 seconds.

  • Configure re-authentication for an online 802.1X authentication user with a specified MAC address.
    1. Run system-view

      The system view is displayed.

    2. Run dot1x reauthenticate mac-address mac-address

      Re-authentication is enabled for the online 802.1X authentication user with the specified MAC address.

      By default, re-authentication for the online 802.1X authentication user with a specified MAC address is disabled.
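
Example

The following session walks through both methods above in one pass. It is an added illustration, not part of the original procedure: the HUAWEI device name in the prompts, the interface numbers, the 7200-second interval, and the MAC address are assumed sample values.

```text
# Constructed example. The device name, interface numbers, interval value and
# MAC address are sample values. Lines starting with "#" are annotations,
# not commands to be entered.

<HUAWEI> system-view

# System view: enable periodic re-authentication on a range of interfaces,
# using the "interface-number1 to interface-number2" form of the command.
[HUAWEI] dot1x reauthenticate interface gigabitethernet 0/0/1 to 0/0/4

# Interface view: enable periodic re-authentication on one more interface
# and lengthen the interval on it from the default 3600 seconds.
[HUAWEI] interface gigabitethernet 0/0/10
[HUAWEI-GigabitEthernet0/0/10] dot1x reauthenticate
[HUAWEI-GigabitEthernet0/0/10] dot1x timer reauthenticate-period 7200
[HUAWEI-GigabitEthernet0/0/10] quit

# One-off re-authentication of a single online user, for example right after
# that user's record was changed on the authentication server.
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc12-3456
```

With periodic re-authentication, a change made on the authentication server takes effect on an online user at the next re-authentication, so the interval is also the longest time a stale authorization can remain in force. The one-off MAC address command applies the change immediately without shortening the interval for every user.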

Copyright © Huawei Technologies Co., Ltd.