For wired port authentication (802.1x) in AOS-CX, re-authentication is disabled by default, so if no new clients are accessing the network, then nothing shows happen to existing authenticated clients.
If you enable re-authentication per interface:
switch(config-if)# aaa authentication port-access dot1x authenticator reauth
then the default timer is 3600 seconds/1 hour.
RADIUS is not a stateful protocol, so unless the reauth timer for a particular port is expiring, the switch will have no idea if the RADIUS server is offline until it tries to authenticate a new user, or re-authenticate an existing user.
To handle scenarios where the RADIUS server goes offline for long periods of time (eg: a maintenance window), you can configure a cached re-authentications, which allows the re-authentication process to succeed even when the RADIUS server is not responding. The default for this is 30 seconds, but you'd probably want to set it to something much higher.
Cheers,
Ben
------------------------------
Ben Dale
------------------------------
Original Message:
Sent: Sep 14, 2021 04:53 PM
From: Noble Network
Subject: Wired authenticated via RADIUS - What happens if server is unreachable?
Hello,
Question regarding wired authentication via RADIUS.
If the RADIUS server is unreachable due to a network outage upstream does the switch know or become 'aware' once it comes back online? Is there an internal timer in which it retries? I ask because in testing I've noticed that re-authentications are happening shortly (maybe 1-2 minutes) after the network connectivity is restored, and I'm not sure if these are the dead/retry timers at play here.
What will happen if the RADIUS server is unreachable for several hours? Will it retry once it becomes available?
The main concern is in the event of a power outage, normally the router/gateway is the slowest device to boot back up, during which the RADIUS server is unreachable. Will the switch retry once it becomes available?
Thank you.
------------------------------
Noble Network
------------------------------