
802.1x, NAC

koksm
Level 1

Does anyone know how to set the Dot1x re-auth timer using a Cisco VSA?

We have 802.1x + NAC running, and when the policy check fails the user is placed in a quarantine VLAN. We do this using a shared RAC (merged with group settings).

But, we want to lower the dot1x re-auth timer using this RAC instead of on the switch itself. Does anyone know the VSA radius config for this?

Thanks!

7 Replies

darpotter
Level 5

AFAIK the only attribute that'll work is the IETF Session-Timeout.

Although depending on what else happens (eg audit), ACS may choose to override your value with a shorter one.

Darran

Right, it's not a VSA, but a standard RADIUS Attribute. [27] and [29] are the attributes in question, and [27] is the session-timeout attribute as Darran points out. It can be configured in ACS via per-group or per-user authorization rules. Be sure to have the following port config on your switch to support this:

Switch(config-if)#dot1x timeout reauth-period server

Switch(config-if)#dot1x reauthentication

Hope this helps,

We did use att 27 and 29, but the switch never showed the adjusted timers.

I think what we need is the dot1x timeout reauth-period server setting...

Thnx!!

show dot1x int will show you the current session, and how long it is before the next re-auth. And you need to turn on "dot1x reauth" on the port to begin with (it's not enabled by default). Then, you need the cmd koksm referred to, "dot1x timeout reauth-period server", to tell the port to only do re-auth from AAA via RADIUS Attributes [27] and [29] (as opposed to a local static timer).

We used the show dot1x interface to monitor the session. That is how we found out that it didn't work.

We also turned on dot1x reauth, but we forgot the timeout reauth-period server command.

Thanks again, this will help!

Hi Jason

I remember having discussions with someone about this. I thought there should be two timeouts.

1) for re-authentication (as is)

2) for forced FULL authentication from scratch

Some customers are happy to let fast session resume handle frequent rekey authentications... But want to enforce a full re-auth (perhaps back to a token server) at least once a day.

Is this possible by some other means?

Darran

jafrazie
Cisco Employee

Hey Darran:

Yes, this would be the value you may choose for RADIUS Attribute[29]. Hate to quote the RFC, but switches can do exactly what 3580 calls for in this regard:

***

3.19. Termination-Action

This attribute indicates what action should be taken when the service is completed. The value RADIUS-Request (1) indicates that re-authentication should occur on expiration of the Session-Time. The value Default (0) indicates that the session should terminate.

***

So, in combination with Attribute[27], here's a decoder ring:

1) [027] Session-Timeout by itself, it will act as if [029] Termination-Action = "Default", so it should terminate the session. (i.e. forced full re-auth from scratch)

2) [027] Session-Timeout + [029] Termination-Action = "Default", same as above. (i.e. forced full re-auth from scratch)

3) [027] Session-Timeout + [029] Termination-Action = "RADIUS-Request", so session should get re-auth'd. (i.e. for re-auth as is)

Hope this helps,
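The Attribute[27]/[29] decoder ring above, worked as an added example that is not from this thread or from any Cisco or ACS tool: a small Python parser over the attribute section of a RADIUS Access-Accept that applies the same three cases. The attribute numbers are the IETF standard ones; the sample packet bytes and timeout values are constructed for illustration, and the 20-byte RADIUS header is assumed to have been stripped already.

```python
import struct
from typing import Dict, List, Tuple

SESSION_TIMEOUT = 27      # IETF attribute [27]: seconds until the session expires
TERMINATION_ACTION = 29   # IETF attribute [29]: 0 = Default, 1 = RADIUS-Request
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN assignment attribute (e.g. quarantine VLAN)


def parse_avps(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk RADIUS AVPs: Type(1) Length(1, counts the 2 header bytes) Value.
    Rejects truncated or zero/undersized lengths instead of looping or over-reading."""
    avps = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated AVP header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps


def reauth_decision(avps: List[Tuple[int, bytes]]) -> Dict:
    """Decoder ring: what the port does when Session-Timeout expires.
    No [27] -> the switch falls back to its local reauth-period timer.
    [27] alone, or [27] + [29]=Default(0) -> session terminates, full re-auth from scratch.
    [27] + [29]=RADIUS-Request(1) -> plain re-authentication of the existing session."""
    attrs = dict(avps)  # last occurrence of an attribute wins; adequate for this check
    if SESSION_TIMEOUT not in attrs:
        return {"session_timeout": None, "termination_action": None,
                "action": "local timer (no server-supplied Session-Timeout)"}
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    term = 0  # absent [29] behaves like Default
    if TERMINATION_ACTION in attrs:
        term = struct.unpack("!I", attrs[TERMINATION_ACTION])[0]
    action = "re-authenticate (RADIUS-Request)" if term == 1 else \
        "terminate session, full authentication from scratch (Default)"
    return {"session_timeout": timeout, "termination_action": term, "action": action}


def int_avp(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer attribute (length byte is always 6)."""
    return bytes([atype, 6]) + struct.pack("!I", value)


# Constructed samples (attribute sections only, header already removed).
SAMPLE_REAUTH = int_avp(SESSION_TIMEOUT, 3600) + int_avp(TERMINATION_ACTION, 1)
SAMPLE_FULL_REAUTH = int_avp(SESSION_TIMEOUT, 86400)   # [27] only, once a day
# Quarantine-VLAN style accept: tag byte 0x01 then the VLAN string, plus [27]/[29]=Default.
SAMPLE_QUARANTINE = bytes([TUNNEL_PRIVATE_GROUP_ID, 5]) + b"\x01" + b"99" \
    + int_avp(SESSION_TIMEOUT, 300) + int_avp(TERMINATION_ACTION, 0)
```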