(Optional) Configuring Re-authentication for Users

Context

The device records entries for pre-connection users and users who fail authentication, and assigns corresponding network access rights to the users. For details, see (Optional) Configuring Authentication Event Authorization Information. To ensure that the users are successfully authenticated in a timely manner and obtain normal network access rights, you can configure the device to re-authenticate users who fail authentication based on user entries.

If a user fails re-authentication before the aging time expires, the device deletes the corresponding user entry and reclaims the assigned network access rights. If a user passes re-authentication, the device adds the user to entries of authenticated users and assigns corresponding network access rights to the user.

Procedure

Run system-view
The system view is displayed.
Run authentication-profile name authentication-profile-name
The authentication profile view is displayed.
Run authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time [ wlan-user ] }
The interval for re-authenticating pre-connection users or users who fail authentication is set.

By default, for wired users, the interval for re-authenticating pre-connection users or users who fail authentication is 60 seconds. For wireless users, the interval for re-authenticating users who fail authentication is 0 seconds. That is, the re-authentication function is disabled for users who fail authentication.

The device adds users with authen-fail or authen-server-down authorization or pre-connection users to entries of users who fail authentication or entries of pre-connection users. By default, the device re-authenticates users in the user entries. You can perform the preceding operations to change the re-authentication interval.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.
Run authentication event authen-server-up action re-authen
The device is enabled to re-authenticate users in survival state when the authentication server changes from Down or forcible Up to Up.

By default, the device does not re-authenticate users in survival state when the authentication server changes from Down or forcible Up to Up.

After the status of a RADIUS server is set to Down, you can run the radius-server dead-time dead-time command to set the interval at which the RADIUS server returns to the active state. When dead-time expires, the status of the RADIUS server will be set to forcible Up. When the server successfully transmits and receives packets, its status will be set to Up. The device will re-authenticate users when the server changes from Down or forcible Up to Up.
Run authentication event authen-server-down action close re-authen
Re-authentication is disabled when the authentication server is Down.

By default, the re-authentication function is enabled when the authentication server is Down.

In a re-authentication scenario, after the authentication event action authorize keep command is configured, online users retain the original network access rights when the authentication server is Down. If re-authentication is performed on these users, the client frequently initiates re-authentication and may remain silent after multiple times. As a result, these users cannot access the network. To prevent this problem, you are advised to disable re-authentication when the authentication server is Down.