Meraki

Community

MS Access Policy Re-Authentication Interval Advice

Zimeroski
Comes here often
2 weeks ago
2 weeks ago

MS Access Policy Re-Authentication Interval Advice

Hello,

 

I am wondering if anyone out here has used the "re-authentication interval" option for access policies on MS switches. 

 

I have some VoIP devices that have been having issues, and it looks like they go into "critical auth" every once in a while. When they do this, I cannot get the client attached to the port the policy is on to come alive until I remove the policy and cycle the port then re-apply the policy.

 

The option sounds like it would help but I can't find much more info than what's in the standard documentation. So, I was wondering if anyone was using it and what the interval should be set to.

Labels:
0 Kudos
3 Replies 3
alemabrahao
Kind of a big deal
2 weeks ago
2 weeks ago

Re-authentication Interval
When the Re-authentication Interval (time in seconds) is specified, the switch will periodically attempt authentication for clients connected to switch ports with access policies. Apart from providing for a better security policy by periodically validating client authentication in a network, the re-authentication timer also enables the recovery of clients placed in the Failed Authentication VLAN because of incomplete provisioning of credentials.

Re-authentication will not occur if no re-authentication interval has been configured, or if a reauthentication-interval has been configured but the switch has lost connectivity to all of the RADIUS servers listed under the access policy.

 

MS Switch Access Policies (802.1X) - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
DarrenOC
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

The re-auth internal default on most platforms ie ISE and Clearpass is 30 minutes.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to DarrenOC
ChrisC83
Meraki Employee
Meraki Employee
2 weeks ago
2 weeks ago

The fact that the clients went to "critical VLAN" indicate they may fail the authentication or fail to reach the Radius servers. It seems the clients were unable to recover when the Radius servers come back, may want to try to enable the Radius server monitoring function to see if this can help the switch bouncing the port and trigger the reauthentication for the clients again.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.