
dot1x, mab, authentication, access-session commands


Command

authentication periodic

Enables periodic reauthentication of connected devices.

- The switch forces the endpoint to re-authenticate at regular intervals.
- Helps ensure that access permissions stay valid.
- The interval is usually controlled by the RADIUS server (or another timer setting).

Example use case:
If a device's security posture changes (e.g., antivirus disabled), its access can be revoked at the next reauthentication.

authentication timer reauthenticate server

Tells the switch to use the reauthentication interval provided by the RADIUS server instead of a locally configured timer.

Common when using Cisco ISE.
Ensures centralized control of session refresh timing.

access-session inherit disable interface-template-sticky

Prevents the port from inheriting sticky interface-template settings after authentication.

Why useful
Avoids persistent policy settings staying applied after the session ends.

access-session inherit disable autoconf

Stops automatic inheritance of autoconfiguration session settings.

Why useful
Gives tighter manual control over authentication behaviour on the interface.

access-session port-control auto

Sets the port to automatic authentication mode.

Meaning:

Port starts unauthorized
Device must authenticate
Access granted only after successful authentication

This is the standard mode for secure access ports.

Other possible modes (for reference):

Mode               | Behaviour
-------------------|---------------------------------
auto               | Authenticate before allowing access
force-authorized   | Always allow access
force-unauthorized | Always block access

mab

Enables MAC Authentication Bypass for devices without a supplicant.

Used when a device does NOT support 802.1X, such as:

printers
IP phones
IoT devices
cameras

Instead of credentials, the switch sends the MAC address to the RADIUS server for authentication.

Typical workflow:

Switch tries 802.1X
If no response → fallback to MAB
MAC checked in RADIUS database

dot1x pae authenticator

Configures the switch port as an 802.1X authenticator.

This command enables the switch to perform authentication enforcement.

Role                  | Device
----------------------|---------------
Supplicant            | Client device
Authenticator         | Switch
Authentication server | RADIUS / ISE

dot1x timeout tx-period 5

Sets the interval between EAP request transmissions to 5 seconds.

0 sec → request sent
5 sec → request sent again
10 sec → request sent again

This controls the gap between attempts.

dot1x timeout supp-timeout 5

Sets how long the switch waits for a supplicant response before retrying.

Example:

If the client doesn't respond within 5 seconds → retry

dot1x max-req 3

Maximum number of authentication request retries sent to the supplicant.

After 3 failures:

Switch may fall back to MAB (if enabled).

Retries up to 3 times. If there is still no response → tries MAB.

dot1x max-reauth-req 3

Maximum number of retries during reauthentication attempts.

If exceeded:

Session may be terminated or fallback triggered depending on policy.

Putting timers together

Switch sends request
Waits 5 seconds (supp-timeout)

Retry after 5 seconds gap (tx-period)

Repeat up to 3 times (max-req)

tx-period – How often I ask – this is a continuous process once the port comes up
supp-timeout – How long I wait – this is what triggers retries

Retries are counted by max-req, and the spacing between retries is controlled by tx-period.

supp-timeout only controls how long the switch waits for a response after sending each request. When it expires, the switch simply marks that attempt as unanswered (no supplicant).

dot1x timeout supp-timeout 3
dot1x timeout tx-period 10
dot1x max-req 3

t=0 send request
t=3 no reply → supp-timeout expires
t=10 next retry sent (tx-period controls this)
t=13 no reply → supp-timeout expires
t=20 next retry sent
t=23 no reply → supp-timeout expires
STOP (max-req reached)
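The following Python script is an added example, not code from Cisco or from this page: it models the timeline above by reading the timer commands out of a constructed interface configuration (which assembles the commands discussed on this page; the interface name and `switchport mode access` line are assumptions) and replaying the author's description, with tx-period spacing the requests, supp-timeout marking each attempt unanswered, and max-req capping the attempts. It then reports how long an endpoint without a supplicant waits before the switch gives up and, if `mab` is configured, falls back to MAB. It follows the description on this page rather than Cisco's internal state machine, so treat it as a planning aid, not as a reference for IOS behaviour.

```python
import re
from typing import Optional

# Constructed sample interface configuration built from the commands on this page.
# The interface name and the "switchport mode access" line are assumptions.
SAMPLE_INTERFACE_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport mode access
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout supp-timeout 3
 dot1x timeout tx-period 10
 dot1x max-req 3
 authentication periodic
 authentication timer reauthenticate server
"""

DOT1X_TIMEOUT_RE = re.compile(r"^\s*dot1x timeout (supp-timeout|tx-period) (\d+)\s*$")
DOT1X_MAX_REQ_RE = re.compile(r"^\s*dot1x max-req (\d+)\s*$")


def parse_dot1x_settings(config: str) -> dict:
    """Pull the two dot1x timers, max-req and the presence of 'mab' out of an
    interface configuration block. Raises ValueError if a timer is not set,
    because this model has no knowledge of platform defaults."""
    settings = {"supp_timeout": None, "tx_period": None, "max_req": None, "mab": False}
    for line in config.splitlines():
        if line.strip() == "mab":
            settings["mab"] = True
            continue
        m = DOT1X_TIMEOUT_RE.match(line)
        if m:
            settings[m.group(1).replace("-", "_")] = int(m.group(2))
            continue
        m = DOT1X_MAX_REQ_RE.match(line)
        if m:
            settings["max_req"] = int(m.group(1))
    missing = [name for name in ("supp_timeout", "tx_period", "max_req") if settings[name] is None]
    if missing:
        raise ValueError("config does not set: " + ", ".join(missing))
    return settings


def simulate_timeline(supp_timeout: int, tx_period: int, max_req: int) -> list:
    """Replay the timeline described on this page for a device that never replies:
    request n is sent at (n-1)*tx_period, its supp-timeout expires supp_timeout
    seconds later, and the switch stops after max_req attempts. Requests are
    spaced purely by tx_period, as in the page's example; the model does not
    handle tx_period shorter than supp_timeout any differently."""
    events = []
    for attempt in range(1, max_req + 1):
        sent_at = (attempt - 1) * tx_period
        events.append((sent_at, f"request {attempt} sent"))
        events.append((sent_at + supp_timeout, f"request {attempt}: supp-timeout expired, no reply"))
    # The switch gives up at the moment the last supp-timeout expires.
    events.append((events[-1][0], "STOP (max-req reached)"))
    return events


def seconds_until_mab_fallback(config: str) -> Optional[int]:
    """Seconds an endpoint without a supplicant waits before MAB is attempted,
    or None when 'mab' is not configured on the interface (no fallback)."""
    s = parse_dot1x_settings(config)
    if not s["mab"]:
        return None
    return simulate_timeline(s["supp_timeout"], s["tx_period"], s["max_req"])[-1][0]


if __name__ == "__main__":
    s = parse_dot1x_settings(SAMPLE_INTERFACE_CONFIG)
    for t, what in simulate_timeline(s["supp_timeout"], s["tx_period"], s["max_req"]):
        print(f"t={t:<3} {what}")
    print("MAB fallback after", seconds_until_mab_fallback(SAMPLE_INTERFACE_CONFIG), "seconds")
```

With the page's values (supp-timeout 3, tx-period 10, max-req 3) the script reproduces the timeline above and reports a 23-second wait before MAB; raising tx-period or max-req lengthens the time a printer or camera sits unauthorized, which is the trade-off these timers tune.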

more…

coming soon
