topic Hmm everything looks good. in Network Access Control

IP device tracking and idle timer problem

Mikael Gustafsson — Mon, 11 Mar 2019 04:49:16 GMT

Hi,

We are deploying 802.1X in our network and have encountered problem with a type of payment terminal.
The problem is that the terminal do not 'speak' to the network after the first initial DHCP request, the terminal waits for incoming packets from a counter to start the payment process. After the idle-time the MAC is flushed from the switch and the port is not authorized any more.

To solve this we set 'authentication control-direction in' on the port and use 'ip device tracking' to keep the client on the network, ip device tracking sends an arp request every 30 seconds to clients.

Our ISE is sending Radius:Idle-Timeout = 300 and the timer start to count down when the client is authenticated.

In Wireshark, I can see that the ARP request is going out and the ARP reply coming back in but this does not update the inactivity timer for the client. So after 5 minutes the port is gone, and there is no way to get the port up again from the network. Traffic from the client brings up the network.

This looks like a bug to me, anyone seen this, or a similar behaviour?

Running:

ISE 1.2p6
IOS 12.2(55)SE6

From Trustsec 1.99 Wired 802.1X Deployment Guide:

Tip Enable IP Device Tracking with inactivity timers to keep quiet endpoints connected. When IP Device Tracking is enabled, the switch periodically sends ARP probes to endpoints in the IP Device Tracking table (which is initially populated by DHCP requests or ARP from the end point). As long as the endpoint is connected and responds to these probes, the inactivity timer is not triggered and the endpoint is not inadvertently removed from the network.

From CLI output

SW03#sh auth sessions int fa0/4
            Interface: FastEthernet0/4
          MAC Address: xxxx.xxxx.5289
           IP Address: 10.10.10.64
            User-Name: XX-XX-XX-XX-52-89
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
        Authorized By: Authentication Server
           Vlan Group: N/A
      Session timeout: N/A
         Idle timeout: 300s (server), Remaining: 2s
    Common Session ID: 0A17BD07000000A925152A7B
      Acct Session ID: 0x00000458
               Handle: 0x090000A9

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

SW03#
SW03#
SW03#
SW03#sh auth sessions int fa0/4
            Interface: FastEthernet0/4
          MAC Address: Unknown
           IP Address: Unknown
               Status: Running
               Domain: UNKNOWN
       Oper host mode: multi-auth
     Oper control dir: both
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A17BD07000000AA251A0019
      Acct Session ID: 0x00000462
               Handle: 0x800000AA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run

Can you share the port

nspasov — Tue, 24 Jun 2014 08:55:12 GMT

Can you share the port-configurations?

Here is the port config.Just

Mikael Gustafsson — Tue, 24 Jun 2014 09:38:08 GMT

Here is the port config.

Just to clarify, everything is working except that the terminal is losing the authentication. The terminal works again if traffic is initiated from the terminals menu, like with ping.

interface FastEthernet0/4
description Standard
switchport access vlan xxx
switchport mode access
switchport block unicast
switchport voice vlan xxx
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level pps 100
storm-control multicast level pps 100
storm-control action trap
spanning-tree portfast
service-policy input users

Hmm everything looks good.

nspasov — Tue, 24 Jun 2014 17:04:37 GMT

Hmm everything looks good. Can you also post a screen shot of the authorization result ?

switchport port-security

Stephen McBride — Wed, 25 Jun 2014 22:32:11 GMT

switchport port-security aging time 5

Basically your port security is clashing with dot1x. I had this exact problem a while ago and removing the above command will fix it. Ultimately though you should review the need for port security configurations when using dot1x - kind of achieves the same purpose.

Possibly not related - but I

franklinb — Fri, 02 Oct 2015 01:58:57 GMT

Possibly not related - but I don't think you should mix 802.1X with port-security. I would remove the port-security lines completely

Re: IP device tracking and idle timer problem

acazarez — Sun, 15 Oct 2023 00:14:14 GMT

I see you are using IBSN 1.0,
I am using IBSN 2.0 and I prioritize the MAB over 802.1x and that fix my problem with sleepy printers