Topology
Catalyst---HUB---PC
Symptom
When a hub or another switch is connected below a port on which dot1x or MAB is enabled,
unplugging a PC behind that hub leaves the PC's authentication session in place on the Catalyst.
C3560X#show authe sess
Interface MAC Address Method Domain Status Fg Session ID
Gi0/48 0000.0000.0001 mab VOICE Auth 144700670000004ADD6FBC23
Gi0/48 0000.0000.0002 mab DATA Auth 144700670000004BDD6FC24C
Session count = 2
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
C3560X#
C3560X#show clock
*00:19:03.844 UTC Tue Feb 14 2006
C3560X#
C3560X#
C3560X#show authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Gi0/48 0000.0000.0001 mab VOICE Auth 144700670000004ADD6FBC23
Gi0/48 0000.0000.0002 mab DATA Auth 144700670000004BDD6FC24C <<< remains after the PC is unplugged
Session count = 2
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
Cause
The main cause is that no inactivity timer is configured.
By default the switch tears a session down when the authenticated port goes link-down. With a hub in between, the Catalyst port stays up when the PC is unplugged, so nothing triggers removal of the PC's session until an inactivity timer (or a reauthentication) expires. While the stale session persists, any device plugged into the hub that presents the PC's MAC address inherits the authorized session without being authenticated again, because MAB authorizes the MAC address itself.
Countermeasure
On the ports configured for dot1x / MAB, configure "authentication timer inactivity <seconds>".
Note that 30 seconds is a short value: a PC that stays connected but sends no frames for that long will also have its session removed and will be re-authenticated on its next frame. Choose a value that fits the environment, or use "authentication timer inactivity server" to take the Idle-Timeout attribute from the RADIUS server instead.
Example configuration:
C3560X(config-if)#authentication timer inactivity 30
Log after applying the countermeasure
*Feb 14 02:19:03.954: AUTH-EVENT: [0000.0000.0002, Gi0/48] Handling external PRE event Inactivity Timeout for context 0xFD000035.
*Feb 14 02:19:03.954: AUTH-EVENT: [0000.0000.0002, Gi0/48] Queued 0xFD000035 for deletion
C3560X#show authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
Gi0/48 0000.0000.0001 mab VOICE Auth 1447006700000055DDEE100E
Session count = 1
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
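Added example (not part of the original note): a small Python check for the symptom above. It parses the two show outputs an operator would collect on the switch, "show authentication sessions" and "show mac address-table interface ...", and flags Auth sessions whose MAC is no longer learned on the same port, which is what a session that outlived the device behind a hub looks like. The sample outputs are constructed from this note; the MAC table is assumed to have been taken after the PC's entry aged out. Interface names are compared as printed, so both outputs must use the same short form (Gi0/48 on this platform). The "clear authentication sessions mac <mac>" command it suggests is the IOS command for removing a session by MAC address.

```python
"""Flag dot1x/MAB sessions whose MAC has disappeared from the MAC address table.

Added example, not code from the original note. Sample outputs are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: "show authentication sessions" as shown in the note.
AUTH_SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
Gi0/48 0000.0000.0001 mab VOICE Auth 144700670000004ADD6FBC23
Gi0/48 0000.0000.0002 mab DATA Auth 144700670000004BDD6FC24C
Session count = 2
"""

# Constructed sample: "show mac address-table interface Gi0/48", assumed to be
# taken after the PC (0000.0000.0002) was unplugged; only the phone is learned.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0000.0000.0001    DYNAMIC     Gi0/48
Total Mac Addresses for this criterion: 1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# One session row: Interface, MAC, Method, Domain, Status, optional Fg flags, Session ID.
# The Fg column is blank when no blocker flag is set, so that group is optional.
SESSION_RE = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<mac>{MAC})\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    rf"(?P<status>\S+)\s+(?:(?P<fg>[ADFINPRUX]+)\s+)?(?P<sid>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

# One MAC-table row: Vlan, MAC, Type, Ports. Header and separator rows do not match.
MAC_TABLE_RE = re.compile(
    rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Return one dict per session row; header and 'Session count' lines are skipped."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def parse_mac_table(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (port, mac) pairs currently learned on the switch."""
    learned: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            learned.add((m["port"], m["mac"].lower()))
    return learned


def find_stale_sessions(sessions: List[Dict[str, str]],
                        learned: Set[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Authorized sessions whose MAC is no longer learned on the same port."""
    return [s for s in sessions
            if s["status"].lower() == "auth" and (s["intf"], s["mac"]) not in learned]


def remediation_commands(stale: List[Dict[str, str]]) -> List[str]:
    """IOS commands that remove the stale sessions by MAC address."""
    return [f"clear authentication sessions mac {s['mac']}" for s in stale]


if __name__ == "__main__":
    stale = find_stale_sessions(parse_sessions(AUTH_SESSIONS), parse_mac_table(MAC_TABLE))
    for s in stale:
        print(f"{s['intf']} {s['mac']} {s['domain']} session {s['sid']}: MAC no longer learned")
    for cmd in remediation_commands(stale):
        print(cmd)
```

Run against the sample, only the DATA session for 0000.0000.0002 is reported, matching the session that kept showing up in the note until the inactivity timer was configured. Clearing the session by hand is a stop-gap; the inactivity timer is the fix, since the check only sees a stale session after the MAC entry has aged out, which by default is 300 seconds.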