topic Hi Anton. Have you checked if in Network Access Control

802.1x printers idle timeout

Anton Klementyev — Mon, 11 Mar 2019 05:15:24 GMT

ello, I am looking for solution or best practice how to deal with printers and MFUs in 802.1x environment.

I use MAB for them and put them in a separate vlan for security reasons, vlan number is provided from radius.

I also enabled the ip device tracking and inactivity timer to track connected printers and deauthentificate them in case the port will be up but the printer will be deattached (someone put a hub/small switch between a 802.1x port and a printer)

At this stage I cant understand the behavior of idle timeout because it is allways decreasing and then reauthentiication begins, even if I constantly ping the printer. Does it have to trigger only if there is no traffic from the device?

sw3560-test#sh authentication sessions int fa0/1
Interface: FastEthernet0/1
MAC Address: f4ce.4648.6626
IP Address: 192.168.251.2
User-Name: f4ce46486626
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 25
Session timeout: N/A
Idle timeout: 60s (local), Remaining: 26s
Common Session ID: C0A8A5920000001100564C94
Acct Session ID: 0x00000015
Handle: 0x46000011

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

the port config:

interface FastEthernet0/1
description MFU test
switchport mode access
switchport voice vlan 7
ip device tracking maximum 10
authentication event fail action authorize vlan 4094
authentication event server dead action authorize vlan 4094
authentication event no-response action authorize vlan 4094
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 60
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 5
spanning-tree portfast
spanning-tree bpduguard enable
end

Hi,for printers i don´t use

hdussa — Wed, 10 Dec 2014 09:57:27 GMT

Hi,

for printers i don´t use inactivity timer and no reauthentication.

Inactivity timers are good in an enviromet were a PC ist connected on IP-Phone port and authenticated via MAB.

Hope it helps!

I think it will be more

Anton Klementyev — Wed, 10 Dec 2014 11:47:08 GMT

I think it will be more secure to enable use them. I case if someone will put a switch between the printer and the port.

Anyway I would like to know hos the inactivity timer works and why it is always decreasing.

You can set the idle-timer

hdussa — Wed, 10 Dec 2014 12:33:58 GMT

You can set the idle-timer for your VLAN via RADIUS under: (see attachment)

Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles
On the Switch you need to configure: authentication timer inactivity server.

But it makes no sence in a Printer-Vlan. If there is no trafiic in within your configured time, the session will be cleared. Then you need to restart the printer to start the authentication process.

You´ll need good shoes.

Thanks, I already set set the

Anton Klementyev — Thu, 11 Dec 2014 06:47:56 GMT

Thanks, I already set set the timer via the Network Policy Server, I dont understand only why it is decreasing even if I have the traffic.

I use ip device tracking feature to keep devices connected.

Hi Anton. Have you checked if

nspasov — Thu, 11 Dec 2014 06:51:44 GMT

Hi Anton. Have you checked if printing a page resets the inactivity timer? Perhaps a ping packet is not sufficient enough to reset the timer.

Here is also a link to the

nspasov — Thu, 11 Dec 2014 06:55:19 GMT

Here is also a link to the MAB deployment guide that has some more info about the inactivity and other related timers.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

no, I did ping -t to the

Anton Klementyev — Thu, 11 Dec 2014 11:06:45 GMT

no, I did ping -t to the printer address, same thing.

thnx, I saw this document,

Anton Klementyev — Thu, 11 Dec 2014 11:10:53 GMT

thnx, I saw this document, there is not much about inactivity timer.

Sorry, does anyone know the

Anton Klementyev — Mon, 15 Dec 2014 07:57:53 GMT

Sorry, does anyone know the answer?

Hi Anton. I haven't had the

nspasov — Mon, 15 Dec 2014 11:20:21 GMT

Hi Anton. I haven't had the chance to test this but my gut feeling is telling me that "ping/icmp" alone does not count as "printer traffic" on the wire, thus, not resetting the counter. I would recommend that:

1. You do some different tests and see if the counter is reset...such as:

- Print a page

- Use a TCP based ping

2. You can also contact Cisco TAC and obtain more information about the inactivity counter. For instance, what type of traffic actually resets the counter

3. It is also possible that the "dumb" hub/switch that sits between the dot1x port and the printer is not passing the relative information, thus preventing the inactivity timer from resetting.

Thank you for rating helpful posts!

Re: Sorry, does anyone know the

Tom Vanhout — Thu, 31 May 2018 12:55:23 GMT

I see this is a question from a long time ago, but it still seems relevant today as I was debugging a similar situation.
If i do a "sh authentication sessions interface X"
I would see the "Remaining" counter on "Idle timeout" decrease even if there is traffic.

It seems it does count correctly internal though, because when the timer hits zero it starts again with the actually remaining inactive time left. (also seen in the debug)

So f.e. if i have defined on the interface

authentication timer inactivity 120

and suppose you have traffic the first 90seconds.

Then you would see the timer go down from 120 until it reaches 0 (you won't see it reset during the 90 seconds of traffic as you would expect) and then it restart with remaining counter 90 (as you have been 30 seconds inactive by now, and it's deducted from the 120 you would normally start with)

I don't know if I explain it well enough, but basically, you only see the real inactive time remaining at the times the timer reaches 0 and is then reset to the real inactive time remaining.