
(Optional) Configuring Re-authentication for Online 802.1X Authentication Users

Context

If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity.

The device saves user authentication information after users go online. If re-authentication is configured for online 802.1X authentication users, the device sends the saved authentication parameters of an online user to the authentication server for re-authentication. If the user authentication information on the authentication server is unchanged, the user stays online. If the information has been modified, the user is disconnected and must be re-authenticated.

The device re-authenticates 802.1X authentication users in the following modes:
  • The device periodically re-authenticates users using a specified 802.1X access profile.

    After this function is configured, many 802.1X authentication logs will be generated.

  • The device is manually configured to re-authenticate a user with a specified MAC address once.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that takes an online user offline, locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Procedure

  • Configuring periodic re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run dot1x-access-profile name access-profile-name

      The 802.1X access profile view is displayed.

    3. Run dot1x reauthenticate

      Re-authentication is configured for online 802.1X authentication users.

      By default, re-authentication is not configured for online 802.1X authentication users.

    4. (Optional) Run dot1x timer reauthenticate-period reauthenticate-period-value

      The re-authentication interval is configured for online 802.1X authentication users.

      By default, the re-authentication interval is 3600 seconds for online 802.1X authentication users.

      It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

      In remote authentication and authorization, a shorter re-authentication interval may result in higher CPU usage.

      To reduce the impact on device performance when many users are online, the actual interval at which users are re-authenticated may be longer than the configured re-authentication interval.

  • Configuring single-time re-authentication
    1. Run system-view

      The system view is displayed.

    2. Run dot1x reauthenticate mac-address mac-address

      The device is manually configured to re-authenticate a user with a specified MAC address once.
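
Both procedures as one session, added here as an illustration and not taken from the vendor documentation. The host name HUAWEI, the profile name d1, the 7200-second interval and the MAC address 00e0-fc12-3456 are constructed values, the prompts are assumed for a device with that host name, and lines starting with # are annotations, not commands.

```text
# Constructed example: profile name, interval and MAC address are placeholders.
<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
# Enable periodic re-authentication for this profile (not configured by default).
[HUAWEI-dot1x-access-profile-d1] dot1x reauthenticate
# Optional: lengthen the interval from the 3600-second default, for example
# when multiple ACLs are delivered during user authorization.
[HUAWEI-dot1x-access-profile-d1] dot1x timer reauthenticate-period 7200
[HUAWEI-dot1x-access-profile-d1] quit
# One-time re-authentication of a single online user, run from the system view,
# for example right after that user's access rights were changed on the server.
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc12-3456
```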

Copyright © Huawei Technologies Co., Ltd.