topic Reauthenticacion ISE is not working in Network Access Control

Reauthenticacion ISE is not working

SupportAC — Mon, 11 Mar 2019 08:49:45 GMT

Hi,

We have realized that authenticated users remain indefinitely authenticated. There is no type of timeout that closes the session. We have configured the reauthenticacion for 30 minutos but the users remain permanent.
Why is not the timeout working?

Here you can see the reauthentication timer is configured to 30 minutes.

But we see idle timeout N/A (not 30), and users are always authenticated.

Re: Reauthenticacion ISE is not working

Rob Ingram — Fri, 21 Sep 2018 09:05:53 GMT

Hi,

Do you have these interface level commands configured?

authentication periodic
authentication timer reauthenticate server

The last command will instruct the switch the to use the timer sent from the RADIUS server, which you are already doing.

HTH

Re: Reauthenticacion ISE is not working

SupportAC — Mon, 24 Sep 2018 07:22:33 GMT

We have the ports like that.

authentication event fail action next-method

authentication host-mode multi-host

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

but the reauthentication is not working.

Re: Reauthenticacion ISE is not working

Rob Ingram — Mon, 24 Sep 2018 18:36:49 GMT

Please post your aaa and radius configuration.

Re: Reauthenticacion ISE is not working

SupportAC — Tue, 25 Sep 2018 09:48:15 GMT

This is the AAA config and switch ports:

aaa authentication login default group radius local

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization console

aaa authorization exec default group radius local

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa accounting update newinfo

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa accounting connection default start-stop group radius

aaa accounting system default start-stop group radius

no aaa accounting system guarantee-first

aaa server radius dynamic-author

client 10.70.11.13 server-key 7 xxxxxxx

*****

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server deadtime 10

radius server RADIUS

address ipv4 10.70.11.13 auth-port 1812 acct-port 1813

key 7 xxxxxxxxxxx

radius server RADIUS_BCK

address ipv4 10.70.13.13 auth-port 1812 acct-port 1813

key 7 xxxxxxxxxxxxxx

interface GigabitEthernet1/0/6

switchport access vlan 60

switchport mode access

switchport nonegotiate

switchport block unicast

switchport port-security maximum 4

switchport port-security maximum 2 vlan access

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

authentication control-direction in

authentication event fail action next-method

authentication host-mode multi-host

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

no snmp trap link-status

dot1x pae authenticator

dot1x timeout tx-period 10

dot1x max-req 10

no cdp enable

spanning-tree bpduguard enable

Re: Reauthenticacion ISE is not working

SupportAC — Tue, 25 Sep 2018 09:48:38 GMT

This is the AAA config and switch ports:

aaa authentication login default group radius local

aaa authentication enable default enable

aaa authentication dot1x default group radius

aaa authorization console

aaa authorization exec default group radius local

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa accounting update newinfo

aaa accounting dot1x default start-stop group radius

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa accounting connection default start-stop group radius

aaa accounting system default start-stop group radius

no aaa accounting system guarantee-first

aaa server radius dynamic-author

client 10.70.11.13 server-key 7 xxxxxxx

*****

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server deadtime 10

radius server RADIUS

address ipv4 10.70.11.13 auth-port 1812 acct-port 1813

key 7 xxxxxxxxxxx

radius server RADIUS_BCK

address ipv4 10.70.13.13 auth-port 1812 acct-port 1813

key 7 xxxxxxxxxxxxxx

Re: Reauthenticacion ISE is not working

Aravind Ravichandran — Sat, 29 Sep 2018 07:33:39 GMT

Hi,

Don’t use port security with dot1x it won’t play well together.