RADIUS Reauthentication Pause with Passive PollingNEW!

Version 33.6.1 adds passive polling capability to RADIUS reauthentication pause, enabling automatic early resume when RADIUS service becomes available during scheduled maintenance windows.

Reauthentication Pause Overview

When RADIUS servers require scheduled maintenance, reauthentication pause allows you to temporarily suspend RADIUS reauthentication for successfully authenticated sessions. This prevents session disconnections during the maintenance window while maintaining security through the existing authentication state.

Key characteristics of reauthentication pause:

Works only with NetLogin policy mode (not legacy mode)
Applies to MAC and 802.1X authentication (web authentication not supported)
Affects only sessions in authenticated success state
New client authentication attempts may still occur if the RADIUS server hasn't been shut down yet
Pause is time-bounded with automatic resume after the configured period
Does not persist across reboots (temporary operational state)

Passive Polling Enhancement

Passive polling monitors RADIUS responses (Authentication Success or Authentication Failure) to detect when the service becomes available again during a pause period. Once a configurable threshold of consecutive responses is observed, reauthentication automatically resumes without requiring manual intervention.

Passive polling provides:

Automatic early resume based on RADIUS service availability detection
Configurable observation parameters to prevent false positives
Conservative resume behavior using non-sliding observation windows
Reduced manual intervention for maintenance window management

Configuring Passive Polling

Passive polling is configured separately from the pause operation itself. Configure passive polling parameters before initiating a pause, or adjust them during an active pause.

Enable or Disable Passive Polling:

configure netlogin radius reauthentication pause passive-poll [on | off]

Configure Passive Polling Parameters:

configure netlogin radius reauthentication pause passive-poll start-delay <minutes>
configure netlogin radius reauthentication pause passive-poll stop-period <minutes>
configure netlogin radius reauthentication pause passive-poll observe-period <minutes>
configure netlogin radius reauthentication pause passive-poll observe-threshold <count>

Parameters:

start-delay: Time after pause begins before passive polling starts monitoring (10-1440 minutes, default 1440)
stop-period: Time before scheduled resume when polling stops (10-1440 minutes, default 1440)
observe-period: Window for counting RADIUS responses (5-1440 minutes, default 5)
observe-threshold: Number of consecutive responses required to trigger early resume (5-512, default 512)

Important

Default values are configured to effectively disable passive polling even when turned on. You must explicitly configure appropriate values for start-delay, stop-period, and observe-threshold to enable functional passive polling.

Understanding Passive Polling Operation

Passive polling operates in phases during a reauthentication pause:

Phase 1: Delay Phase (Start Delay):

After a pause is issued, passive polling waits for the configured start-delay before beginning to monitor responses. During this time, RADIUS service is assumed unavailable. This delay allows time for the RADIUS server to be properly shut down after the pause is initiated.

Phase 2: Active Monitoring:

Passive polling monitors RADIUS responses and begins counting when the first response (Authentication Success or Authentication Failure) is received. This indicates the RADIUS service may be coming back online.

Phase 3: Observation Window:

Once a response is received, an observation window starts. If the configured observe-threshold number of consecutive responses is received within the observe-period, reauthentication automatically resumes early.

The observation period uses a non-sliding window:

If a RADIUS timeout occurs during observation, the count resets to zero and the observation window cancels
If the observe-threshold is not met within the observe-period, observation stops and restarts only upon receiving a new response
This conservative approach prevents false positives from sporadic responses

Phase 4: Stop Phase (Stop Period):

Before the scheduled resume time, passive polling stops monitoring for the configured stop-period duration. This prevents unnecessary monitoring when the scheduled resume is imminent.

Timing diagram:

Pause      Start Delay    Observation Period           Stop Period    Scheduled
Issued     (waiting)      (active monitoring)          (stopped)      Resume
  |------------|================~~~~~==================|------------|
  |            |                                       |            |
RADIUS assumed  Polling starts                    Polling stops   RADIUS assumed
unavailable     monitoring                                        available

Initiating a Reauthentication Pause

To pause RADIUS reauthentication:

configure netlogin radius reauthentication pause <duration>

Where duration is the pause duration in minutes (10-1440).

Example pausing for 2 hours (120 minutes):

configure netlogin radius reauthentication pause 120

During the pause:

Sessions in authenticated success state do not reauthenticate
Policy port authentication mode is operationally set to optional (configuration remains as-is)
Session timeouts are affected (sessions don't timeout during pause)
Idle timeouts continue to function normally (inactive sessions are still purged)
Passive polling monitors for service availability if configured

Manually Resuming Reauthentication

To manually end the pause and resume reauthentication:

configure netlogin radius reauthentication resume

Manual resume is useful when:

Maintenance completes earlier than expected
You need to verify RADIUS server functionality before the scheduled resume
Passive polling hasn't triggered early resume but the server is ready
You want to end the pause for any reason

When reauthentication resumes (either automatically via passive polling, manually, or at the scheduled time):

All paused sessions are triggered to reauthenticate
Reauthentication timers restart at the resume point
This may cause a burst of reauthentication requests to the RADIUS server
AAA retries handle any drops due to the burst

Viewing Pause and Polling Status

To view the current status of reauthentication pause and passive polling:

show netlogin

Sample output when pause is not in effect:

NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; MAC-based ENABLED
NetLogin Client Aging Time : 15 minutes
Authentication Protocol Order: mac-based, 802.1x, web-based, cep
Maximum Number Of Users : 9216 (Policy Enabled only)

------------------------------------------------
        Policy Enabled Configuration
------------------------------------------------
Keep Session On Reauth Service Unavailable    : Off
RADIUS Reauthentication Pause                 : Not in effect
RADIUS Reauthentication Pause Passive Polling : Off
            Start delay                       : 1440 mins
            Stop period                       : 1440 mins
            Observation period                : 5 mins
            Observation threshold             : 512
            State                             : count=0 state=INVALID

Sample output during active pause with passive polling:

------------------------------------------------
        Policy Enabled Configuration
------------------------------------------------
Keep Session On Reauth Service Unavailable    : Off
RADIUS Reauthentication Pause                 : In effect - Duration: 120 minutes, 
                                                 Time left: 3540 seconds
RADIUS Reauthentication Pause Passive Polling : On
            Start delay                       : 10 mins
            Stop period                       : 15 mins
            Observation period                : 5 mins
            Observation threshold             : 10
            State                             : count=3 state=OBSERVE (180 seconds left)

Passive polling state values:

INVALID: No pause is active
START: In start delay phase
ACTIVE: Monitoring for responses but none received yet
OBSERVE: Observation window is active, counting responses
STOP: In stop period phase

The count field shows the current number of consecutive responses received during the observation window.

Recommended Workflow for Scheduled Maintenance

Follow this workflow for RADIUS server scheduled maintenance with passive polling:

Configure passive polling parameters (if not already configured):

# Allow 10 minutes for server shutdown after pause
configure netlogin radius reauthentication pause passive-poll start-delay 10

# Stop monitoring 15 minutes before scheduled resume
configure netlogin radius reauthentication pause passive-poll stop-period 15

# Require 10 consecutive responses
configure netlogin radius reauthentication pause passive-poll observe-threshold 10

# Within a 5-minute window
configure netlogin radius reauthentication pause passive-poll observe-period 5

# Enable passive polling
configure netlogin radius reauthentication pause passive-poll on

Issue reauthentication pause with duration matching your maintenance window:

# For a 2-hour maintenance window
configure netlogin radius reauthentication pause 120

Bring down RADIUS server for maintenance. Do this shortly after issuing the pause to ensure most sessions are captured before server shutdown.
Perform server maintenance, including testing after maintenance is complete.
Bring up RADIUS server and verify it's operational.
Wait for passive polling to detect availability:
- Passive polling waits for start-delay, then begins monitoring
- When responses are detected, observation window begins
- After observe-threshold responses within observe-period, reauthentication automatically resumes
Alternatively, manually resume reauthentication if you don't want to wait for passive polling:
```
configure netlogin radius reauthentication resume
```
Verify session status after resume. Sessions that were in failed authentication state (for example, users in fallback VLAN) will age out and attempt authentication again based on aging timers.

Configuration Examples

Example 1: 2-Hour Maintenance with Aggressive Passive Polling

Scenario: Short maintenance window, want to resume as soon as possible after server is available.

# Configure aggressive passive polling
configure netlogin radius reauthentication pause passive-poll start-delay 10
configure netlogin radius reauthentication pause passive-poll stop-period 10
configure netlogin radius reauthentication pause passive-poll observe-threshold 5
configure netlogin radius reauthentication pause passive-poll observe-period 5
configure netlogin radius reauthentication pause passive-poll on

# Start 2-hour pause
configure netlogin radius reauthentication pause 120

Example 2: 4-Hour Maintenance with Conservative Passive Polling

Scenario: Longer maintenance window, want to be more certain server is stable before resuming.

# Configure conservative passive polling
configure netlogin radius reauthentication pause passive-poll start-delay 30
configure netlogin radius reauthentication pause passive-poll stop-period 30
configure netlogin radius reauthentication pause passive-poll observe-threshold 20
configure netlogin radius reauthentication pause passive-poll observe-period 10
configure netlogin radius reauthentication pause passive-poll on

# Start 4-hour pause
configure netlogin radius reauthentication pause 240

Example 3: Manual Resume Only (No Passive Polling)

Scenario: Want complete control over when to resume, prefer manual verification.

# Disable passive polling
configure netlogin radius reauthentication pause passive-poll off

# Start pause
configure netlogin radius reauthentication pause 180

# After maintenance is complete and verified, manually resume
configure netlogin radius reauthentication resume

Fallback VLANs and Admin Profile Rules

During a reauthentication pause, new clients attempting first authentication may fail if the RADIUS server is down. These clients can be directed to a fallback VLAN using policy admin profile rules.

Configuring a Blackhole VLAN for Failed Authentication:

# Create a VLAN with L2 forwarding disabled
create vlan blackhole_vlan tag 100
disable l2forwarding blackhole_vlan

# Create policy profile for the blackhole VLAN
configure policy profile 2 name "blackhole" pvid-status "enable" pvid 100

# Apply as admin profile rule
configure policy rule admin-profile port 1 mask 16 port-string 1 admin-pid 2

Configuring a DMZ VLAN for Limited Access:

Instead of completely blocking traffic, you can direct failed authentications to a DMZ VLAN with limited network access:

# Create DMZ VLAN with limited features
create vlan dmz_vlan tag 200
# Configure limited access on this VLAN (ACLs, routing, etc.)

# Create policy profile for DMZ
configure policy profile 3 name "dmz" pvid-status "enable" pvid 200

# Apply as admin profile rule
configure policy rule admin-profile port 1 mask 16 port-string 1 admin-pid 3

Timing Consideration for DMZ VLAN:

When reauthentication resumes, the authentication mode may reset to "required" if that was the configured mode before the pause. This clears FDB entries associated with the fallback VLAN. For blackhole VLANs this is not an issue, but for DMZ VLANs it causes a brief service interruption.

To minimize delay:

Set NetLogin aging time to minimum (1 minute):
```
configure netlogin aging-time 1
```
Wait for sessions in DMZ VLAN to age out before resuming reauthentication
Alternatively, manually clear sessions:
```
clear netlogin state mac-address <mac>
```

Stack Behavior

In stack configurations:

Only the primary switch performs the timing function for pause and passive polling
Pause state and time values are checkpointed to the backup
On failover, the new primary restarts the timer from time 0
Passive polling counter also restarts from 0 on failover
Users can manually resume if restarting from time 0 is too long

Best Practices

Test in lab: Test your passive polling configuration in a lab environment before using in production
Document parameters: Document your passive polling parameter choices and the reasoning behind them
Conservative thresholds: Start with conservative observe-threshold values (higher numbers) and adjust based on experience
Monitor during maintenance: Watch show netlogin output during maintenance to observe passive polling behavior
Plan for burst: Understand that resume causes a burst of reauthentication requests; ensure your RADIUS server can handle the load
Use appropriate pause duration: Set pause duration longer than expected maintenance to allow buffer time
Wait for DMZ sessions: If using DMZ VLANs, wait for failed sessions to age out before resuming
Have manual resume ready: Be prepared to manually resume if passive polling doesn't trigger as expected

Troubleshooting

Passive Polling Doesn't Resume Early:

Verify passive polling is enabled: show netlogin
Check start-delay hasn't prevented monitoring from starting yet
Verify observe-threshold isn't set too high for the number of authentication attempts occurring
Confirm RADIUS server is actually responding to authentication requests
Check if observation windows are completing successfully or resetting due to timeouts

Sessions Disconnect During Pause:

Verify pause was issued before RADIUS server was shut down
Check that session timeouts are longer than pause duration
Ensure idle timeout isn't causing disconnections (idle timeout still functions during pause)
Verify policy mode is enabled (pause only works in policy mode)

Unable to Resume Manually:

Verify pause is actually in effect: show netlogin
Check for NetLogin process issues
Review system logs for error messages

Burst Overwhelms RADIUS Server:

Ensure RADIUS server is fully operational before resuming
Consider staggering session expirations by adjusting session timeout values
Review RADIUS server capacity and AAA retry settings
If needed, manually clear and reauthenticate sessions in smaller batches

Related Configuration

The pause feature works in conjunction with other NetLogin settings:

Keep Session on Reauth Service Unavailable: Related but separate feature that keeps sessions when RADIUS service is unintentionally unavailable (not scheduled maintenance)
RADIUS Keep-Alive: Used by 802.1X to determine RADIUS reachability and delay reauthentication when service is unavailable
Session Timeout: Must be configured larger than the pause duration
Idle Timeout: Continues to function during pause to remove inactive sessions
NetLogin Aging Time: Affects how quickly failed sessions (in fallback VLANs) retry authentication after resume

See the "Failsafe Authentication Mode" section for configuration details on keep-session-on-reauth-svc-unavail and related settings.