Wireless Access

  • 1.  reauthentication interval on initial-role not working

    Posted Feb 03, 2025 07:41 AM

    We have reauthentication enabled on our aaa authentication dot1x profile, and a timer reauth-period 28800.  That works fine, because we can see clients reauthing against clearpass on that interval, and we can also see that in the user-debug logs and in the "show user" output:

    Role Derivation: ROLE_DERIVATION_DOT1X

    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 28800 (Reason: Dot1x Auth Profile Configured with Reauth Interval)

    Reauth-interval from role: 0

    But, we sometimes see dot1x clients fail back to the initial role, where they stay until they are rebooted, have their wifi connection restarted, or aaa user deleted.  We want to force them out of this role automatically after some time, so we enabled the reauthentication interval on the initial-role...  Problem is, that does not seem to do anything.  We set it to 45 seconds, but we still have clients in the initial-role for hours.  When I do a show user for clients in the initial role, the reauth timers are all 0's, but I do see the Reauth-interval from role is 45.  I do not see reauth activity every 45 seconds in the user-debugs though.

    Role Derivation: ROLE_DERIVATION_INITIAL_ROLE

    Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )

    Reauth-interval from role: 45
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0

    My question is, how can I force a client to either reconnect or reauthenticate after being stuck in the initial role for a minute or so?

    (I do have a TAC case open, and a bug-id has been assigned.  We are waiting for a code fix, but that may be months away, so we're trying to help these stuck clients with a config solution in the meantime.)
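The post above describes the symptom precisely enough to detect from the controller's own output: a client whose Role Derivation is ROLE_DERIVATION_INITIAL_ROLE, whose reauth timers are all 0, and which has been sitting there for more than a minute or so. The script below is an added example, not code from the original post or from Aruba; it parses a constructed sample of "show user" style output, flags such clients, and emits the "aaa user delete mac <mac>" form of the command the post mentions as the manual remedy, so it can be scheduled as a stopgap until the code fix arrives. The "Role Derivation", "Timers" and "Reauth-interval from role" lines are the ones quoted in the thread; the "MAC:" header line and the "Age(d:h:m):" line that separate and date each record are assumptions made for this example, as is the exact "aaa user delete mac" syntax, so check both against your controller before running the output against it.

```python
"""Flag ArubaOS clients parked in the initial role with no reauth timer running.

Added example, not from the original post.  Assumptions, labelled here and in
the lead-in: each per-client record starts with a "MAC: <addr>" line, carries an
"Age(d:h:m): d:h:m" line, and records are separated by a blank line.  The
"Role Derivation", "Timers" and "Reauth-interval from role" lines are the ones
quoted in the thread.  The remediation command syntax is assumed, not verified.
"""
import re
from dataclasses import dataclass

# Constructed sample, not real controller output: one healthy dot1x client,
# one client stuck in the initial role for hours, one that just associated.
SHOW_USER_OUTPUT = """\
MAC: 00:11:22:33:44:01
Age(d:h:m): 0:03:12
Role Derivation: ROLE_DERIVATION_DOT1X
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 28800 (Reason: Dot1x Auth Profile Configured with Reauth Interval)
Reauth-interval from role: 0

MAC: 00:11:22:33:44:02
Age(d:h:m): 0:05:47
Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Reauth-interval from role: 45
Number of reauthentication attempts: mac reauth 0, dot1x reauth 0

MAC: 00:11:22:33:44:03
Age(d:h:m): 0:00:00
Role Derivation: ROLE_DERIVATION_INITIAL_ROLE
Timers: L3 reauth 0, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
Reauth-interval from role: 45
"""

MAC_RE = re.compile(r"^MAC:\s*([0-9a-f:]{17})", re.M | re.I)          # assumed header line
AGE_RE = re.compile(r"^Age\(d:h:m\):\s*(\d+):(\d+):(\d+)", re.M)       # assumed age line
DERIV_RE = re.compile(r"^Role Derivation:\s*(\S+)", re.M)
TIMER_RE = re.compile(r"^Timers:.*?mac reauth (\d+).*?dot1x reauth (\d+)", re.M)
ROLE_INT_RE = re.compile(r"^Reauth-interval from role:\s*(\d+)", re.M)


@dataclass
class ClientRecord:
    mac: str
    age_minutes: int
    role_derivation: str
    mac_reauth: int
    dot1x_reauth: int
    role_reauth_interval: int


def parse_show_user(text):
    """Split the output into blank-line separated records and pull out the
    fields the thread's diagnosis depends on.  Incomplete records are skipped
    rather than guessed at."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        mac = MAC_RE.search(chunk)
        age = AGE_RE.search(chunk)
        deriv = DERIV_RE.search(chunk)
        timers = TIMER_RE.search(chunk)
        role_int = ROLE_INT_RE.search(chunk)
        if not (mac and age and deriv and timers):
            continue
        days, hours, minutes = (int(x) for x in age.groups())
        records.append(ClientRecord(
            mac=mac.group(1).lower(),
            age_minutes=days * 24 * 60 + hours * 60 + minutes,
            role_derivation=deriv.group(1),
            mac_reauth=int(timers.group(1)),
            dot1x_reauth=int(timers.group(2)),
            role_reauth_interval=int(role_int.group(1)) if role_int else 0,
        ))
    return records


def stuck_in_initial_role(records, min_age_minutes=1):
    """A client counts as stuck when it is in the initial role, neither the mac
    nor the dot1x reauth timer is running, and it has been there longer than
    min_age_minutes.  A freshly associated client is expected to pass through
    the initial role briefly, so the age check keeps those out."""
    return [
        r for r in records
        if r.role_derivation == "ROLE_DERIVATION_INITIAL_ROLE"
        and r.dot1x_reauth == 0
        and r.mac_reauth == 0
        and r.age_minutes > min_age_minutes
    ]


def remediation_commands(records, min_age_minutes=1):
    """One 'aaa user delete mac <mac>' line per stuck client (syntax assumed).
    Deleting the user entry forces the client to re-associate and go through
    802.1X again, which is the manual remedy the post describes."""
    return [
        f"aaa user delete mac {r.mac}"
        for r in stuck_in_initial_role(records, min_age_minutes)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(parse_show_user(SHOW_USER_OUTPUT)):
        print(cmd)
```

Run it against a saved copy of the real output first and compare the flagged MACs with what you see in the user-debugs before feeding the generated commands back to the controller; the age threshold is deliberately a parameter so you can raise it if short-lived initial-role clients show up as false positives.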



  • 2.  RE: reauthentication interval on initial-role not working

    Posted Feb 03, 2025 11:11 AM

    What's the case and/or bug ID?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: reauthentication interval on initial-role not working

    Posted Feb 03, 2025 11:16 AM

    5384236806




  • 4.  RE: reauthentication interval on initial-role not working

    Posted Feb 03, 2025 11:41 AM

    Set the reauth timeout to 10/20/30 minutes on the logon user role and see if you get any counters, other than session duration, with that.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: reauthentication interval on initial-role not working

    Posted Feb 03, 2025 01:10 PM

    Are we thinking that 45 seconds is too low to work then, or how would a 10 minute interval benefit us?  When a client falls back from the default role to the initial role, it stays in the initial role indefinitely, and we don't see any reauth attempts in the trace-buff during that time.  Just trying to understand the benefit of a 10/20/30 minute logon role interval.  I'm probably overlooking something.




  • 6.  RE: reauthentication interval on initial-role not working

    Posted Feb 03, 2025 01:15 PM

    I was testing session-timeout/reauth interval a long while back in conjunction with an OnGuard deployment and found that an extremely short period didn't work, but I don't remember what number I ended up with.  Might have been as low as 5 minutes.  Granted, I also wasn't messing around with the initial role at the same time which might compound the issue.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------