ISE 1.1 - switch ignores "Session-Timeout"

Przemyslaw Konitz — Mon, 11 Mar 2019 02:07:16 GMT

hi all,

I'm playing around with ISE guest service and have some difficulty with Time Profiles.

After guest logs in, Radius attributes are sent to the switch (3750G) one of them is Session-Timeout which should be similar to 1h (DefaultOneHour)

According to ISE logs and switch debugs, ISE did it well and this attribute was sent but it seems that the switch simply ignores it.

May 24 07:03:11.658: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.100.194(1029) -> 10.1.100.2(389), 1 packet

19:46:57: RADIUS: COA received from id 36 10.1.100.6:64700, CoA Request, len 183

19:46:57: RADIUS/DECODE: parse unknown cisco vsa "reauthenticate-type" - IGNORE

19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid

19:46:57: RADIUS(00000000): sending

19:46:57: RADIUS(00000000): Send CoA Ack Response to 10.1.100.6:64700 id 36, len 38

19:46:57: RADIUS: authenticator 0B 30 6E 9B DF 97 0D A0 - D9 8B A5 5A 11 39 3E 41

19:46:57: RADIUS: Message-Authenticato[80] 18

19:46:57: RADIUS: 11 42 82 E2 52 68 DF 28 CD 43 AE 88 0C 5D 91 10 [ BRh(C]]

19:46:57: RADIUS/ENCODE(00000026):Orig. component type = Dot1X

19:46:57: RADIUS(00000026): Config NAS IP: 0.0.0.0

19:46:57: RADIUS(00000026): Config NAS IPv6: ::

19:46:57: RADIUS/ENCODE(00000026): acct_session_id: 27

19:46:57: RADIUS(00000026): sending

19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6

19:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 267

19:46:57: RADIUS: authenticator 6D 92 DC 77 87 47 DA 8E - 7D 6B DD DD 18 BE DC 33

19:46:57: RADIUS: User-Name [1] 14 "0016d329042f"

19:46:57: RADIUS: User-Password [2] 18 *

19:46:57: RADIUS: Service-Type [6] 6 Call Check [10]

19:46:57: RADIUS: Vendor, Cisco [26] 31

19:46:57: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"

19:46:57: RADIUS: Framed-IP-Address [8] 6 10.1.100.194

19:46:57: RADIUS: Framed-MTU [12] 6 1500

19:46:57: RADIUS: Called-Station-Id [30] 19 "00-24-F9-2D-83-87"

19:46:57: RADIUS: Calling-Station-Id [31] 19 "00-16-D3-29-04-2F"

19:46:57: RADIUS: Message-Authenticato[80] 18

19:46:57: RADIUS: AD EB 99 4A F2 B9 4E BB 2E B3 E2 04 BE 5B 0C 72 [ JN.[r]

19:46:57: RADIUS: EAP-Key-Name [102] 2 *

19:46:57: RADIUS: Vendor, Cisco [26] 49

19:46:57: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0A01280100000016043E0D23"

19:46:57: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

19:46:57: RADIUS: NAS-Port [5] 6 50107

19:46:57: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/7"

19:46:57: RADIUS: Called-Station-Id [30] 19 "00-24-F9-2D-83-87"

19:46:57: RADIUS: NAS-IP-Address [4] 6 10.1.100.1

19:46:57: RADIUS(00000026): Sending a IPv4 Radius Packet

19:46:57: RADIUS(00000026): Started 5 sec timeout

19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 272

19:46:57: RADIUS: authenticator F1 5F 57 72 FD 80 95 20 - 46 47 B5 CE DF 63 6E 1A

19:46:57: RADIUS: User-Name [1] 19 "xxxxx@gmail.com"

19:46:57: RADIUS: State [24] 40

19:46:57: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41 [ReauthSession:0A]

19:46:57: RADIUS: 30 31 32 38 30 31 30 30 30 30 30 30 31 36 30 34 [0128010000001604]

19:46:57: RADIUS: 33 45 30 44 32 33 [ 3E0D23]

19:46:57: RADIUS: Class [25] 49

19:46:57: RADIUS: 43 41 43 53 3A 30 41 30 31 32 38 30 31 30 30 30 [CACS:0A012801000]

19:46:57: RADIUS: 30 30 30 31 36 30 34 33 45 30 44 32 33 3A 69 73 [00016043E0D23:is]

19:46:57: RADIUS: 65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 37 [ e/124036791/297]

19:46:57: RADIUS: Session-Timeout [27] 6 2940

19:46:57: RADIUS: Termination-Action [29] 6 0

19:46:57: RADIUS: Message-Authenticato[80] 18

19:46:57: RADIUS: 26 46 2C B6 75 95 AF 37 E6 3B B1 CB F2 70 E0 8D [ &F,u7;p]

19:46:57: RADIUS: Vendor, Cisco [26] 72

19:46:57: RADIUS: Cisco AVpair [1] 66 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Contractors-ACL-4fbcd736"

19:46:57: RADIUS: Vendor, Cisco [26] 42

19:46:57: RADIUS: Cisco AVpair [1] 36 "profile-name=Microsoft-Workstation"

19:46:57: RADIUS(00000026): Received from id 1645/25

19:46:57: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

May 24 07:03:19.132: %MAB-5-SUCCESS: Authentication successful for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23

May 24 07:03:19.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23

May 24 07:03:19.140: %EPM-6-POLICY_REQ: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| EVENT APPLY

May 24 07:03:19.165: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACL-4fbcd736| EVENT DOWNLOAD-REQUEST

19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid

19:46:57: RADIUS(00000000): Config NAS IP: 0.0.0.0

19:46:57: RADIUS(00000000): sending

19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6

19:46:57: RADIUS(00000000): Send Access-Request to 10.1.100.6:1812 id 1645/26, len 144

19:46:57: RADIUS: authenticator 1A 52 18 C5 25 A7 5C DC - 29 C9 5C 7C C5 B3 FC 58

19:46:57: RADIUS: NAS-IP-Address [4] 6 10.1.100.1

19:46:57: RADIUS: User-Name [1] 38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"

19:46:57: RADIUS: Vendor, Cisco [26] 32

19:46:57: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"

19:46:57: RADIUS: Vendor, Cisco [26] 30

19:46:57: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"

19:46:57: RADIUS: Message-Authenticato[80] 18

19:46:57: RADIUS: 2B 6B 13 37 0D 25 11 E9 6A 56 35 D8 91 9F EF F0 [ +k7?jV5]

19:46:57: RADIUS(00000000): Sending a IPv4 Radius Packet

19:46:57: RADIUS(00000000): Started 5 sec timeout

May 24 07:03:19.191: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 10.1.100.194(2125) -> 10.1.100.6(8443), 1 packet

19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 359

19:46:57: RADIUS: authenticator 31 B0 73 93 CA 0E 5C 7C - 11 29 AA 57 6C A1 53 D8

19:46:57: RADIUS: User-Name [1] 38 "#ACSACL#-IP-Contractors-ACL-4fbcd736"

19:46:57: RADIUS: State [24] 40

19:46:57: RADIUS: 52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61 [ReauthSession:0a]

19:46:57: RADIUS: 30 31 36 34 30 36 30 30 30 30 30 30 35 44 34 46 [0164060000005D4F]

19:46:57: RADIUS: 42 44 44 44 33 37 [ BDDD37]

19:46:57: RADIUS: Class [25] 49

19:46:57: RADIUS: 43 41 43 53 3A 30 61 30 31 36 34 30 36 30 30 30 [CACS:0a016406000]

19:46:57: RADIUS: 30 30 30 35 44 34 46 42 44 44 44 33 37 3A 69 73 [0005D4FBDDD37:is]

19:46:57: RADIUS: 65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 38 [ e/124036791/298]

19:46:57: RADIUS: Termination-Action [29] 6 1

19:46:57: RADIUS: Message-Authenticato[80] 18

19:46:57: RADIUS: 80 EF 5B 80 76 F1 C9 37 0B 25 34 37 10 57 CC 44 [ [v7?47WD]

19:46:57: RADIUS: Vendor, Cisco [26] 47

19:46:57: RADIUS: Cisco AVpair [1] 41 "ip:inacl#1=permit udp any any eq domain"

19:46:57: RADIUS: Vendor, Cisco

SW3750-1# [26] 48

19:46:57: RADIUS: Cisco AVpair [1] 42 "ip:inacl#2=permit ip any host 10.1.100.6"

19:46:57: RADIUS: Vendor, Cisco [26] 57

19:46:57: RADIUS: Cisco AVpair [1] 51 "ip:inacl#3=deny ip any 10.0.0.0 0.255.255.255 log"

19:46:57: RADIUS: Vendor, Cisco [26] 36

19:46:57: RADIUS: Cisco AVpair [1] 30 "ip:inacl#4=permit ip any any"

19:46:57: RADIUS(00000000): Received from id 1645/26

May 24 07:03:19.216: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-AC

SW3750-1#

SW3750-1#L-4fbcd736| EVENT DOWNLOAD-SUCCESS

May 24 07:03:20.147: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23

19:46:58: RADIUS/ENCODE(00000026):Orig. component type = Dot1X

19:46:58: RADIUS(00000026

SW3750-1#

SW3750-1#): Config NAS IP: 0.0.0.0

19:46:58: RADIUS(00000026): Config NAS IPv6: ::

19:46:58: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6

19:46:58: RADIUS(00000026): Sending a IPv4 Radius Packet

19:46:58: RADIUS(00000026): Started 5 sec timeout

19:46:58: RADIUS: Received from id 1646/35 10.1.100.6:1813, Accounting-response, len 38

SW3750-1#
SW3750-1#sh authe sess int g 1/0/7

Interface: GigabitEthernet1/0/7

MAC Address: 0016.d329.042f

IP Address: 10.1.100.194

User-Name: xxxxx@gmail.com

Status: Authz Success

Domain: DATA

Security Policy: Should Secure

Security Status: Unsecure

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A01280100000016043E0D23

Acct Session ID: 0x0000001B

Handle: 0x2F000017

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

SW3750-1#

Has anyone encountered similar thing?

I tried 12.2(58) and now Im testing

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)

but in both cases it is similar.

regards

Przemek

ISE 1.1 - switch ignores "Session-Timeout"

Sebastian Pasternacki — Mon, 28 May 2012 15:01:39 GMT

Hi,

Have you tried IOS 12.2.55SE3 which is recommended (tested) according to TrustSec 2.0 Design and Implementation Guide?

What's your port configuration? Have you included the "reauth" commands?

int gX/Y

...

authentication periodic

authentication timer reauthenticate server

Cheers,

Seba

Re: ISE 1.1 - switch ignores "Session-Timeout"

Przemyslaw Konitz — Tue, 29 May 2012 06:44:29 GMT

Hi Sebastian,

thx a lot those 2 commands solved the issue, my mistake. Now I can see remaining time for the session

SW3750-1#sh auth sess int g1/0/7

Interface: GigabitEthernet1/0/7

MAC Address: 0016.d329.042f

IP Address: 10.1.100.194

User-Name: jan@gmail.com

Status: Authz Success

Domain: DATA

Security Policy: Should Secure

Security Status: Unsecure

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

ACS ACL: xACSACLx-IP-Contractors-ACL-4fbcd736

Session timeout: 28800s (server), Remaining: 28780s

Timeout action: Terminate

Idle timeout: N/A

Common Session ID: 0A012801000000221DE0F555

Acct Session ID: 0x0000002B

Handle: 0x99000023

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

regards

Przemek

topic ISE 1.1 - switch ignores "Session-Timeout" in Network Access Control

ISE 1.1 - switch ignores "Session-Timeout"

ISE 1.1 - switch ignores "Session-Timeout"

Re: ISE 1.1 - switch ignores "Session-Timeout"