topic Re: Network Access Control - inactivity timer and reauthentication in Network Access Control

Network Access Control - inactivity timer and reauthentication

jan.murin — Fri, 22 Jan 2021 10:48:43 GMT

Hello,

I am looking for a solution for a customer.

They need to use reauthentication for the industrial network.

All devices are authenticated by MAB as they don't support DOT1X and they are afraid of any network disruption during the reauthentication process.

As a solution which I am testing right now I want to implement reauthentication with a value of RADIUS-Request (this should minimize the downtime) and an inactivity timeout to delete inactive devices.

My question about inactivity timeout, I didn't configure the authentication timer inactivity server but I still send the timeout from the ISE server and it's working.

What is the purpose of the command, if it's work without it?

This is my interface config:

!
switchport access vlan X
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize vlan X
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10

And this is the authentication details (I have deleted MAC and IP address)

ession id=0AA348130000003311AF0D06
Interface: GigabitEthernet1/0/23
MAC Address:
IPv6 Address: Unknown
IPv4 Address:
User-Name:
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 180s (server), Remaining: 165s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 285s
Session Uptime: 15s
Common Session ID: 0AA348130000003311AF0D06
Acct Session ID: 0x000001B0
Handle: 0x43000022
Current Policy: POLICY_Gi1/0/23

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
Idle timeout: 30 sec

Method status list:
Method State

mab Authc Success

As you can see, the Server Policies include the Idle timeout and the devices is deleted after 30 secs of inactivity.

Thanks

Re: Network Access Control - inactivity timer and reauthentication

Mike.Cifelli — Fri, 22 Jan 2021 13:39:54 GMT

My question about inactivity timeout, I didn't configure the authentication timer inactivity server but I still send the timeout from the ISE server and it's working.

What is the purpose of the command, if it's work without it?

As you can see, the Server Policies include the Idle timeout and the devices is deleted after 30 secs of inactivity.

-This is normal behavior. If you lean on server policy (AKA ISE) to dynamically push down policy it will apply what you wish to each session. If you did not push it down from ISE, you could statically/manually configure it on each respective interface.

The inactivity timer is an indirect mechanism the switch uses to infer that an endpoint has disconnected. IMO you are better off dynamically assigning it via the RADIUS Idle-Timeout Attribute [28]. This is actually recommended by Cisco since it provides control over which endpoints are subject to this timer and the length of the timer for each class of endpoints. HTH!

Re: Network Access Control - inactivity timer and reauthentication

jan.murin — Fri, 22 Jan 2021 13:47:43 GMT

Hi Mike,

Thanks for the reply.

I still didn't get it.

What is the purpose of the command "authentication timer inactivity server"?

From the command reference:

Specifies that the period of inactivity is defined by the Idle-Timeout value (RADIUS Attribute 28) on the authentication, authorization, and accounting (AAA) server.

Do I need to configure the command or not?

Thanks

Re: Network Access Control - inactivity timer and reauthentication

Mike.Cifelli — Fri, 22 Jan 2021 14:05:30 GMT

What is the purpose of the command "authentication timer inactivity server"?

-The inactivity timer allows the NAD (switch) to monitor activity from authenticated endpoints. Once the timer expires, the NAD removes the authenticated session. Essentially the timer provides the NAD with a mechanism to conclude that a device has been disconnected. The catch here is that the expired inactivity timer will not guarantee that an endpoint disconnected. It is best practice & Cisco recommends to enable IP device tracking with inactivity timers to ensure the expired timer does not disconnect a connected endpoint. IP device tracking allows the NAD to send ARP probes to endpoints in the IPDT (IP device tracking table). The kicker here is as long as the clients respond to the probes, then your inactivity timer will not trigger forcing a client to be removed from it's auth session. I hope this helps clarify a little better. See here for more information: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

Cisco ISE & NAC Resources - Cisco Community

HTH!

Re: Network Access Control - inactivity timer and reauthentication

jan.murin — Fri, 22 Jan 2021 14:32:08 GMT

Hi mike,

thanks for the answer and for the deployment guide.

However I still has a specific problem.

If I don't configure the switch interface command "authentication timer reauthenticate server", the authentication are not accepting the reauth timeout value from the server, so the reauth timer set on ISE is not working without the command.

However if I don't set the "authentication timer inactivity server", the authentication has the correct inactivitity timeout set.

So my question is, why should I configure that command if it looks like I don't need to.

It may be a bug.

Re: Network Access Control - inactivity timer and reauthentication

Marcelo Morais — Fri, 22 Jan 2021 21:17:28 GMT

Hi @jan.murin

first of all, the authentication timer inactivity command ends an inactive session after the specify interval to prevent reauthentication of inactive sessions.

Second, the default value of the authentication timer reauthentication command is 3600.

Third, if you use the authentication timer inactivity command, configure the authentication timer reauthentication interval to be longer than the inactivity interval.

In other words ...

(config)# interface GigabitEthernet0/0 
(config-if)# authentication timer reauthenticate 3600
(config-if)# authentication timer inactivity 1800

Hope this helps !!!

Re: Network Access Control - inactivity timer and reauthentication

BlackDiamond71 — Mon, 05 May 2025 15:48:25 GMT

Disregard, wrong page