https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841605#M24842 <P>I had a look and <FONT face="courier new,courier">show authentication session</FONT> and <FONT face="courier new,courier">show access-session</FONT> are the same command. There is no mention of the session timer in that output - this is weird - I would expect that one should be able to view this per session.</P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">This is the closest I can find to an authentication timer display command</FONT></P> <PRE>#<STRONG>show authentication brief</STRONG> Interface MAC Address AuthC AuthZ Fg Uptime ----------------------------------------------------------------------------- Tw2/0/23 b0aa.771c.1ced m:CF d:NR AZ: SA- X 1030749s Tw2/0/35 0004.7d35.f248 m:OK AZ: SA-V: X 1030753s</PRE> <P>&nbsp;</P> <P>I was tracking one MAB authentication in ISE and I can see that the Accounting Session ID has not changed in many days.&nbsp; This means that no re-authentication has taken place.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I also have this enabled globally</P> <P><FONT face="courier new,courier"><STRONG>aaa accounting update newinfo periodic 2880</STRONG></FONT></P> <P>&nbsp;</P> <P>I don't know what the DHCP lease time is on that VLAN (I will have to ask the customer) but ISE is processing an Interim-Accounting request every 10 minutes - which leads me to believe that the DHCP renewal is triggering an Interim-Update (due to the "newinfo" argument in the aaa command above).&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>The port profile Interface contains this config</P> <P><FONT face="courier new,courier"> authentication periodic</FONT><BR /><FONT face="courier new,courier">authentication timer reauthenticate server</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Since<STRONG> I don't return a Session-Timeout to the switch (Server Timeout=0), and since I told the switch to use&nbsp;<FONT face="courier new,courier">authentication timer reauthenticate server,</FONT>&nbsp;</STRONG>the switch has effectively deactivated the Session-Timeout - which is actually the behaviour I was hoping for - I think the command below validates that:</FONT></P> <P>&nbsp;</P> <PRE><STRONG>show dot1x interface twoGigabitEthernet 2/0/35 switch active R0</STRONG><BR /><BR />Dot1x Info for TwoGigabitEthernet2/0/35<BR />--------------------------------------------<BR />PAE = AUTHENTICATOR<BR />QuietPeriod = 60<BR /><FONT color="#FF0000">ServerTimeout = 0</FONT><BR />SuppTimeout = 30<BR />ReAuthMax = 3<BR />MaxReq = 2<BR />TxPeriod = 7<BR /><BR /><BR /></PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 19 Apr 2019 11:03:56 GMT Arne Bier 2019-04-19T11:03:56Z https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3840705#M24829 <P>Hello 802.1X (switch) experts,</P> <P>&nbsp;</P> <P>I deal mostly with WLC deployments and Session-Timeout is configured globally on the WLAN profile and applies to all authenticated sessions (unless over-ridden by AAA Override).&nbsp; &nbsp;Is there a similar concept on Cisco switches when doing 802.1X?&nbsp; Or does the session stay up as long as the physical layer stays up (e.g. a printer remains plugged into the switch port and the switch keeps the session alive) ?&nbsp; I am not sending Session-Timeout or Idle-Timeout to any wired 802.1X authentications.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I am seeing a lot of session events in the ISE Live Logs.&nbsp; Wondering whether those are re-authentications</P> <P>&nbsp;</P> <P>Should one only generally return a AAA Session-Timeout to devices that might be connected to Wired Phones (e.g. non-Cisco IP Phones, since they don't alert the Cisco Switch when the laptop/PC disconnects from the phone - so session will stay up forever?)&nbsp; With a Cisco phone I believe this is proxy-signalled via CDP to the switch.</P> <P>&nbsp;</P> <P>thanks in advance</P> Fri, 21 Feb 2020 19:04:43 GMT https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3840705#M24829 Arne Bier 2020-02-21T19:04:43Z https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3840855#M24833 Default is 1hours<BR /><BR />Rack1(config-if)#authentication timer ?<BR /> inactivity Interval in seconds after which if there is no activity<BR />from the client then it will be unauthorized (default OFF)<BR />* reauthenticate Time in seconds after which an automatic<BR />re-authentication should be initiated (default 1 hour)*<BR /> restart Interval in seconds after which an attempt should be made<BR />to authenticate an unauthorized port (default 60 sec)<BR /> unauthorized Time in seconds after which an unauthorized session will<BR />get deleted<BR /> Thu, 18 Apr 2019 06:58:44 GMT https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3840855#M24833 Mohammed al Baqari 2019-04-18T06:58:44Z https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841410#M24837 <P>Thanks! Is there a show command that shows the remaining session time? I didn’t see this in the show access-session command</P> Thu, 18 Apr 2019 23:15:00 GMT https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841410#M24837 Arne Bier 2019-04-18T23:15:00Z https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841411#M24840 I think you will see it in sh auth sess interface x/x detail<BR /> Thu, 18 Apr 2019 23:18:23 GMT https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841411#M24840 Mohammed al Baqari 2019-04-18T23:18:23Z https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841605#M24842 <P>I had a look and <FONT face="courier new,courier">show authentication session</FONT> and <FONT face="courier new,courier">show access-session</FONT> are the same command. There is no mention of the session timer in that output - this is weird - I would expect that one should be able to view this per session.</P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">This is the closest I can find to an authentication timer display command</FONT></P> <PRE>#<STRONG>show authentication brief</STRONG> Interface MAC Address AuthC AuthZ Fg Uptime ----------------------------------------------------------------------------- Tw2/0/23 b0aa.771c.1ced m:CF d:NR AZ: SA- X 1030749s Tw2/0/35 0004.7d35.f248 m:OK AZ: SA-V: X 1030753s</PRE> <P>&nbsp;</P> <P>I was tracking one MAB authentication in ISE and I can see that the Accounting Session ID has not changed in many days.&nbsp; This means that no re-authentication has taken place.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I also have this enabled globally</P> <P><FONT face="courier new,courier"><STRONG>aaa accounting update newinfo periodic 2880</STRONG></FONT></P> <P>&nbsp;</P> <P>I don't know what the DHCP lease time is on that VLAN (I will have to ask the customer) but ISE is processing an Interim-Accounting request every 10 minutes - which leads me to believe that the DHCP renewal is triggering an Interim-Update (due to the "newinfo" argument in the aaa command above).&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>The port profile Interface contains this config</P> <P><FONT face="courier new,courier"> authentication periodic</FONT><BR /><FONT face="courier new,courier">authentication timer reauthenticate server</FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">Since<STRONG> I don't return a Session-Timeout to the switch (Server Timeout=0), and since I told the switch to use&nbsp;<FONT face="courier new,courier">authentication timer reauthenticate server,</FONT>&nbsp;</STRONG>the switch has effectively deactivated the Session-Timeout - which is actually the behaviour I was hoping for - I think the command below validates that:</FONT></P> <P>&nbsp;</P> <PRE><STRONG>show dot1x interface twoGigabitEthernet 2/0/35 switch active R0</STRONG><BR /><BR />Dot1x Info for TwoGigabitEthernet2/0/35<BR />--------------------------------------------<BR />PAE = AUTHENTICATOR<BR />QuietPeriod = 60<BR /><FONT color="#FF0000">ServerTimeout = 0</FONT><BR />SuppTimeout = 30<BR />ReAuthMax = 3<BR />MaxReq = 2<BR />TxPeriod = 7<BR /><BR /><BR /></PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 19 Apr 2019 11:03:56 GMT https://community.cisco.com/t5/network-access-control/what-is-the-default-802-1x-session-timeout-on-a-cisco-switch/m-p/3841605#M24842 Arne Bier 2019-04-19T11:03:56Z