topic For #2 - The session should in Network Access Control

wired dot1X session termination

yong khang NG — Mon, 11 Mar 2019 04:42:37 GMT

Hi all,

Question about wired dot1X session termination.

After a client successfully done on the wired dot1x authentication, my authZ rule is follow by the VLAN assignement whereby DHCP server will provision a client IP to the PC.

But when the client doing these 2 action:
01. after get connected, disable the IEEE 802.1x option on the PC Ethernet port setting
02. after get connected, disable, then enable the PC Ethernet port setting (bouncing)

I found out these 2 actions will still get the user in authorized state, because it is not link down or port-bounce action. Session still persist at client PC.

My question :
Anything i can configure either on the switch or ISE will automatic trigger an action like send an EAPOL-Logoff message, causing the switch port to change to the unauthorized state?

Thanks

Component in use:

client OS: window 7
PEAP-MsCHAP V2
authentication mode : iser or computer authetnication
no check on single sign on
no check remember credential for connection each time logged on
no check fallback to unauthorized network access

ISE 1.1.3 with patch 4

Switchport configuration
interface G0/1
switchporGt mode access
switchport access vlan 61
authentication port-control auto
dot1x pae authenticator
authentication host-mode multi-auth
authentication order dot1x
authentication priority dot1x mab
no shutdown
end

For #2 - The session should

nspasov — Fri, 30 May 2014 08:31:23 GMT

For #2 - The session should terminate and restart if the Ehternet adapter on the PC bounces. Are you saying that even though the user disables/enables the adapter, the session remains active in ISE/NAD?

For #1 - I am not really sure as I have never played with this before. My guess would be "No" because once ISE sends the "Access Accept" back to the NAD (your switch in this scenario), the NAD won't know if you are disabling 802.1x. The EAPoL conversation already took place so there is no more 802.1x type traffic coming in and out of the NAD/Client on that port.

I suppose you can set a re-autn and inactivity timer on both the NAD and ISE but keep in mind that it is not recommended for those timers to be set at low values (minimum 1 hour). Otherwise you could overwhelm your ISE servers depending on how large your environment is.

You will need to add the following commands on the switchport:

authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server

Then in ISE you will need to set the re-auth and the idle timers under the "Authorization Profile"

Another thing to keep in mind is that you should control what your users can and cannot do on their workstations via GPO (Group Policy). In normal circumstances a regular user should not have the privileges to disable 802.1x or their Ethernet adapter 🙂

Hope this helps!

Thank you for rating helpful posts!

HiThanks for the

yong khang NG — Fri, 30 May 2014 08:47:10 GMT

Thanks for the suggestion

All suggestion i will give a try.

thanks

No problem. Give it a try and

nspasov — Fri, 30 May 2014 20:09:37 GMT

No problem. Give it a try and let us know.