topic Re: cisco authentication timer restart in Network Access Control

cisco authentication timer restart

Thomas Kohb — Mon, 13 Jun 2022 07:42:50 GMT

Hello, we have a problem with a fiber converter. If the device is changed behind the converter, the link on the switch port remains at the top. This results in a security breach. The port goes into error disable status because it sees a new MAC for the same AuthSessionID. Behavior per desgin. Can you restart 1 with the Commando authentication timer ... create a new SessionID? the command authentication timer reauthenticate server .... would be with the same AuthID at the ISE Server or get an new o802.1x, AAA, Identity Services Engine (ISE)nce?dot1x, ISE , Port Sec

Re: cisco authentication timer restart

MHM Cisco World — Mon, 13 Jun 2022 11:17:06 GMT

Try multi-auth is port connect to multi host (or host is change in port),
this make SW detect new host and auth it with AAA.

please try in one port if success apply it to all other port.

Re: cisco authentication timer restart

andrewswanson — Mon, 13 Jun 2022 21:28:10 GMT

Do your fiber converters support Link Fault Pass Through (LFP)? This function can shutdown the converter fiber link if the copper link goes down (I'm assuming the converter fiber link connects to your switch).

hth
Andy

Re: cisco authentication timer restart

Thomas Kohb — Tue, 14 Jun 2022 05:44:13 GMT

hey,

yes ... i will try it today 😃 ...

Re: cisco authentication timer restart

Thomas Kohb — Tue, 14 Jun 2022 05:45:02 GMT

Hey,

yes the converter support LFP ...but with this setting ... the first sean mac is the mac of the Converter -.- auth fail ^^

Re: cisco authentication timer restart

Arne Bier — Thu, 16 Jun 2022 21:32:33 GMT

@Thomas Kohb - that's an unfortunate situation, that the media converter presents its own MAC address. Is there no transparent mode (passthrough mode) so that the media converter operates at Layer 1 only?

Anyway - as MHM correctly pointed out, if your switch port must support more than one MAC address, then you will be forced to use a host mode like multi-auth, or multi-host - either of these will allow more than one MAC address - they differ slightly:

multi-host - only the first MAC is subject to AAA authentication, and then the port allows the others to piggy back

multi-auth - allows one voice MAC, and multiple DATA domain MACs - each DATA domain MAC must be AAA authenticated

single-host and multi-domain only support one MAC address in the DATA domain.

Re: cisco authentication timer restart

Marcelo Morais — Fri, 17 Jun 2022 15:39:59 GMT

Hi @Thomas Kohb ,

beyond what @MHM Cisco World and @Arne Bier said ...

When you asked about:

1st " ... Can you restart 1 with the command authentication timer ... create a new SessionID? ... ", no, the authentication timer restart attempts to authenticate an Unauthorized Port (no SessionID at this point).

2nd " ... the command authentication timer reauthenticate server .... would be with the same AuthID at the ISE Server or get an new ... ", the authentication timer reauthenticate server uses the same Session ID (it reauthenticate an Authorized Port).

Hope this helps !!!

Re: cisco authentication timer restart

Arne Bier — Sun, 19 Jun 2022 20:46:35 GMT

@Marcelo Morais - can you please explain more about the difference between AuthID and SessionID? What is the reason/purpose of either one of these and what is the relationship etc.

I think the explanation of these two might be very useful. Then there is also the Accounting ID - or is that just an alias for one of the above?

Re: cisco authentication timer restart

Thomas Kohb — Mon, 20 Jun 2022 06:51:45 GMT

Hey,

we replaced the Fibre Converter .. all fine...thx for time 😃

Re: cisco authentication timer restart

Marcelo Morais — Mon, 20 Jun 2022 16:21:26 GMT

Hi @Arne Bier ,

we have the:

. Accounting Session ID (Acct Session ID)

RADIUS Attribute 44 is a unique Accounting Identifier that makes it easy to match Start and Stop records in a log file. The Start and Stop records for a given session MUST have the same Acct-Session-ID. RADIUS Attribute 44 is automatically enabled when AAA Accounting is configured. Acct Session ID was sent ONLY as part of the Accounting Request and an Accounting Request packet MUST have an Acct Session ID. Acct Session ID numbers restart at 1 each time the Router is power-cycled or the software is reloaded. The Acct Session ID can take on values from 00000000 to FFFFFFFF. Acct Session ID is an attribute supported for the RADIUS CoA feature (CoA Requests).
Ex.: (debug)

...
00:03:13: RADIUS: Acct-Session-Id [44] 10 "00000002"
...

. Audit Session ID (referred to as a Common Session ID)

Audit Session ID is a Cisco VSA (Vendor-Specific Attribute). Authentication Manager uses a Single Session ID (referred to as a Common Session ID or Audit Session ID) for a Client no matter which authentication method is used. This ID is used for ALL reporting purposes, such as the show commands and MIBs. The Common Session ID includes <NAS IP Addr><Session Count><Session Start Time Stamp>, for ex.: AC14FE01 00000FB5 2A8CF418.
Audit Session ID is an attribute supported for the RADIUS CoA feature (CoA Requests).

Ex.:

...
 cisco-av-pair=audit-session-id=0A3E946C00000073559C0123
...

# show authentication sessions
Interface MAC Address    Method Domain Status        Session ID
Fa4/0/4   0000.0000.0001 mab    DATA   Authz Success 160000050000000B288508E5

Example for both:

#show authentication sessions interface FastEthernet0/10
...
Common Session ID: 0A70081A0000012D2A8CD1BF
Acct Session ID: 0x00000671
...

Regards