NEAP Client Re-Authentication

The NEAP client re-authentication feature supports the re-authentication of NEAP clients at defined intervals.

Without re-authentication, client MACs that age out are removed from the client list and are no longer authenticated. If you enable re-authentication, the client MACs remain as long as the RADIUS server is reachable.

When you enable NEAP client re-authentication, an authenticated NEAP client is only removed from the authenticated client list if you remove the client account from the RADIUS server, or if you clear the NEAP authenticated client from the switch.

If you enable NEAP client re-authentication and the RADIUS server that the switch connects to becomes unavailable, the system clears all authenticated NEAP clients and removes those clients from the switch NEAP client list.

You cannot authenticate one NEAP client on more than one switch port simultaneously. If you connect NEAP clients to a switch port through a hub, those clients are authenticated on that switch port. If you disconnect a NEAP client from the hub and connect it directly to another switch port, the client is authenticated on the new port and its authentication is removed from the port to which the hub is connected.

Silent Devices

For silent devices, you can configure the re-authentication period to 0, which prevents EAP and NEAP sessions on the port from aging out. If you use this configuration, the session remains active even if the RADIUS server is unreachable.

Caution

Preventing re-authentication can introduce a security risk. As an alternative to using a zero value, configure the maximum re-authentication period on ports that connect to silent devices.
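
The following added example is a simplified Python model of the client-list rules described on this page, not switch code or a vendor API. It shows why a re-authentication period of 0 leaves a client authenticated after its account is removed from the RADIUS server. The class, method names, and MAC addresses are constructed for illustration, and the model assumes that period 0 is configured with re-authentication enabled.

```python
"""Simplified model of the NEAP client list rules described above (not switch code)."""

class NeapClientList:
    def __init__(self, reauth_enabled, reauth_period=3600):
        self.reauth_enabled = reauth_enabled
        self.reauth_period = reauth_period  # seconds; 0 = silent-device setting
        self.clients = {}                   # MAC -> port; a MAC lives on one port only

    def authenticate(self, mac, port, radius_accounts):
        """radius_accounts: set of permitted MACs, or None if RADIUS is unreachable."""
        if radius_accounts is None or mac not in radius_accounts:
            return False
        self.clients[mac] = port            # a move replaces the entry on the old port
        return True

    def mac_aged_out(self, mac):
        """Without re-authentication, an aged-out MAC loses its authentication."""
        if not self.reauth_enabled:
            self.clients.pop(mac, None)

    def reauth_interval_elapsed(self, radius_accounts):
        """Re-check every client against RADIUS when the interval expires."""
        if not self.reauth_enabled or self.reauth_period == 0:
            return                          # period 0: sessions are never re-checked
        if radius_accounts is None:         # RADIUS unreachable: clear everything
            self.clients.clear()
            return
        self.clients = {m: p for m, p in self.clients.items() if m in radius_accounts}

    def clear(self, mac):
        """Administrator clears the client from the switch."""
        self.clients.pop(mac, None)


def stale_sessions(table, radius_accounts):
    """Clients still authenticated on the switch although RADIUS no longer lists them."""
    return sorted(m for m in table.clients if m not in radius_accounts)


if __name__ == "__main__":
    accounts = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed sample MACs
    for period in (3600, 0):
        t = NeapClientList(reauth_enabled=True, reauth_period=period)
        for i, mac in enumerate(sorted(accounts), start=1):
            t.authenticate(mac, port=i, radius_accounts=accounts)
        revoked = accounts - {"00:11:22:33:44:66"}         # account removed from RADIUS
        t.reauth_interval_elapsed(revoked)
        print(period, stale_sessions(t, revoked))
```

With a non-zero period the removed account drops off the list at the next interval; with period 0 it stays listed until an administrator clears it from the switch.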