If the administrator modifies parameters such as access rights and authorization attributes of an online user on the authentication server, the user must be re-authenticated to ensure user validity. If re-authentication is configured for online 802.1X-authenticated users, the access device sends the user authentication parameters (saved after users go online) to the authentication server for re-authentication. If the user authentication information on the authentication server remains unchanged, the user stays online. If the information has been modified, the user is disconnected and needs to be re-authenticated. Table 1 lists the re-authentication modes for 802.1X-authenticated users.
Configuration Completed On | Purpose | Configuration Command |
---|---|---|
Access device | Perform periodic re-authentication for 802.1X-authenticated users. | dot1x reauthenticate<br>dot1x timer reauthenticate-period reauthenticate-period-value |
Access device | Perform one-time re-authentication for a user with the specified MAC address. | dot1x reauthenticate mac-address mac-address |
RADIUS server | Deliver the standard RADIUS attributes Session-Timeout and Termination-Action. The Session-Timeout attribute specifies the online duration timer of a user. The value of Termination-Action is set to 1, indicating that the user is re-authenticated when the online duration timer expires. | N/A |
The access device records entries for users in pre-connection state (that is, users who have not been authenticated or have failed the authentication), and grants corresponding network access rights to the users. You can configure the access device to re-authenticate these users based on user entries, so that they can obtain normal network access rights in a timely manner.
If a user fails the re-authentication before the user entry aging time expires, the access device deletes the user entry and reclaims the granted network access rights. If a user is successfully re-authenticated before the user entry aging time expires, the access device adds a user-authenticated entry and grants corresponding network access rights to the user. Table 2 lists the methods of configuring re-authentication modes for users in abnormal authentication state.
User State | Configuration Command |
---|---|
RADIUS server in Down state | authentication event authen-server-up action re-authen: Enables user re-authentication when the RADIUS server is Up. |
Authentication failure | authentication timer re-authen authen-fail re-authen-time: Enables periodic re-authentication for users who fail to be authenticated. |
Pre-connection | authentication timer re-authen pre-authen re-authen-time: Enables periodic re-authentication for users in pre-connection state. |