topic Re: Devices re-authenticating when off network, causing rejections in Network Access Control

Devices re-authenticating when off network, causing rejections

dlock — Fri, 15 Mar 2019 12:38:56 GMT

We have a client with an ISE deployment in place to authenticate with dot1x on client computers. When the device is offline for an extended period of time, the dot1x reauth timer keeps attempting to reauth the session. Since there's nothing on the other end, it constantly fails which then rejects the device eventually, and when the devices are attached to the network the following day, they are unable to connect.... and it seems like releasing the rejected doesn't reauthenticate the device.

Below is the config on the ports. Not sure what would be needed to help troubleshoot from ISE.

interface GigabitEthernetx/y/z
switchport access vlan XY
switchport voice vlan XYZ
switchport mode access
authentication event fail action next-method
authentication event server dead action reinitialize vlan 30
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
ip device tracking maximum 0
srr-queue bandwidth share 1 30 35 5
priority-queue out

Re: Devices re-authenticating when off network, causing rejections

paul — Fri, 15 Mar 2019 13:11:15 GMT

Most likely the devices are behind non-Cisco phones that are not correctly configured for or don't support EAP proxy logoff. You can configure an inactivity timer to deal with that situation. Set it to something like 5 minutes.

Re: Devices re-authenticating when off network, causing rejections

dlock — Fri, 15 Mar 2019 13:15:15 GMT

That would be correct. The phones are a cheaper Mitel device. I'd have to check with the vendor to see if EAP proxy logoff is supported.

Where would I configure the inactivity timer for that?

Re: Devices re-authenticating when off network, causing rejections

paul — Fri, 15 Mar 2019 13:30:00 GMT

You should have these 3 lines:

authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server

This allows ISE to set reauthentication and inactivity values. Under your authorization profile you specify the desired reauthentication timer (one of the common options) and you specify the inactivity timer as an advanced option. It is in the RADIUS dictionary.

Re: Devices re-authenticating when off network, causing rejections

bern81 — Fri, 15 Mar 2019 14:29:37 GMT

Hi ,

Like Paul mentioned.

I just wanted to add for authentication timer reauthenticate on the ISE it is called:

raduis-session-timeout (radius attribute 27)

Inactivity timer is called : idle-timeout (radius attribute 28)

Please rate if helpful

Re: Devices re-authenticating when off network, causing rejections

paul — Fri, 15 Mar 2019 14:35:45 GMT

You don't need to use an advanced attribute for reauthentication. There is a built in common task called Reauthentication that maps to the RADIUS session timeout value.

Re: Devices re-authenticating when off network, causing rejections

dlock — Fri, 15 Mar 2019 15:49:04 GMT

OK. I think I've understood. Create a new Authorization Profile with Reauthentication checked underneath common tasks. Then tag it with a Idle-Timeout. Is the value field here also in seconds?

Re: Devices re-authenticating when off network, causing rejections

paul — Fri, 15 Mar 2019 19:29:54 GMT

Yes also in seconds. I usually set it 300.