topic Inactivity Timeout in Network Access Control

Inactivity Timeout

umahar — Wed, 10 May 2017 14:46:51 GMT

Is authentication timer inactivity server command used to download the below attribute ?

I tested this but wanted to confirm as well.

We have a scenario where non-dot1x endpoints connected behind IP Phones do not get their their sessions cleared when endpoints are disconnected. I am looking at the above option to clear the session after a certain time.

Re: Inactivity Timeout

Craig Hyps — Wed, 10 May 2017 18:21:40 GMT

Correct. This is a valid option.

Re: Inactivity Timeout

paul — Thu, 11 May 2017 14:14:17 GMT

Utkarsh,

That option should work, but you should be investigating why the phones are doing EAP proxy logoff correctly. Most likely the phone has a setting to do proxy logoff, but is not currently configured to do it. I have run into this many times with Avaya phones and worked with the customer to get the option enabled on the phones.

Re: Inactivity Timeout

umahar — Thu, 11 May 2017 14:20:26 GMT

Hi Paul,

EAP Proxy Logoff is working fine as expected for endpoints connected via dot1x behind the IP Phone.

The issue is with headless devices like printers if connected behind IP Phone or a machine authenticating via MAB.

In this case the session on switch is a MAB session.

I think the IP Phone will not send a Proxy EAPoL for a MAB session.

Re: Inactivity Timeout

paul — Thu, 11 May 2017 14:44:47 GMT

Ahh yes. I missed the non-8021x part. I am so used to running into this issue with EAP proxy logoff.

I haven’t tested phone settings to see if you can make it release a MAB session on the switch. I have used inactivity timers in the past. Make sure you have “authentication timer inactivity server” set on the switch interfaces to allow ISE to set this value.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: Inactivity Timeout

Craig Hyps — Thu, 11 May 2017 15:36:03 GMT

The preferred option is 2nd Port disconnect which will proactively notify switch when connected device disconnects: IP Telephony for 802.1X Design Guide - Cisco

Craig

Re: Inactivity Timeout

umahar — Thu, 11 May 2017 15:49:53 GMT

Craig,

Its a non-Cisco IP Phone using LLDP.

Do you think LLDP might have any port-disconnect mechanism and Cisco switch would understand it ?

Re: Inactivity Timeout

Craig Hyps — Thu, 11 May 2017 16:11:02 GMT

CDP Enhancement for 2nd Port Disconnect is a specific Cisco Phone feature.

Re: Inactivity Timeout

Craig Hyps — Thu, 11 May 2017 18:25:00 GMT

EAP Proxy Logoff is specific to 802.1X and again, is a Cisco IP Phone feature. 2nd Port Disconnect works with any auth options from connected device to Cisco Phone.